From: Arun Isaac
Date: Tue, 23 Aug 2022 23:01:02 +0530
Subject: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.

When a shepherd service is run using make-forkexec-constructor, the log file has #o640 permissions. This is set in the shepherd source code.

=> https://git.savannah.gnu.org/cgit/shepherd.git/tree/modules/shepherd/service.scm?h=v0.9.1#n987

However, when a shepherd service is run using make-forkexec-constructor/container, the log file has #o644 permissions. This patch corrects that.

CCing Ludo since they wrote the code adjacent to this patch.

Thanks!

Arun Isaac (1):
  shepherd: Set #o640 permissions for log file of service in container.

 gnu/build/shepherd.scm | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.37.1

From: Arun Isaac
Date: Tue, 23 Aug 2022 23:03:25 +0530
Subject: [bug#57363] [PATCH] shepherd: Set #o640 permissions for log file of service in container.

* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.

--- gnu/build/shepherd.scm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm index f4caefce3c..c7ba73967f 100644 --- a/gnu/build/shepherd.scm +++ b/gnu/build/shepherd.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès ;;; Copyright © 2020 Mathieu Othacehe ;;; Copyright © 2022 Leo Nikkilä +;;; Copyright © 2022 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;;
@@ -187,6 +188,7 @@ (define mounts ;; Create LOG-FILE so we can map it in the container. (unless (file-exists? log-file) (call-with-output-file log-file (const #t)) + (chmod log-file #o640) (when user (let ((pw (getpwnam user))) (chown log-file (passwd:uid pw) (passwd:gid pw)))))) -- 2.37.1

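Review bot: in the second hunk, (chmod log-file #o640) runs only after (call-with-output-file log-file (const #t)) has created the file, so between the two calls the log exists with the wider default mode and can be opened by readers the final mode is meant to exclude. Give the mode to the call that creates the file (open with O_CREAT and a mode argument) rather than narrowing it afterwards. The chmod also sits inside (unless (file-exists? log-file) ...), so a log file created by an earlier run keeps its old mode.
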
From: Maxime Devos
Date: Fri, 26 Aug 2022 16:48:40 +0200
Subject: Re: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.

On 23-08-2022 19:31, Arun Isaac wrote:

> However, when a shepherd service is run using
> make-forkexec-constructor/container, the log file has #o644 permissions. This
> patch corrects that.

There is a small window during which the log file has overly-wide permissions, which IIUC makes the log openable when it shouldn't, which could later be exploited (after the daemon has been running for a while) to extract anything secret written to the log by the service.

Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o600)) instead, that should make things atomic.

I do not know if clearing the log file is desired -- if so, remove O_APPEND, if not, keep O_APPEND.

Maybe O_RDONLY or O_WRONLY or O_RDWR needs to be added to make the call to 'open' succeed.

Greetings,
Maxime

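The window described in the message above and the single-call creation it suggests, as an added example that is not part of the thread or of Guix. It uses the POSIX calls underneath the Guile procedures, written in C, and goes a little beyond the patch by also showing the effect of umask and of O_EXCL. The file names, the helper names and the O_WRONLY and O_EXCL flags are assumptions of the example.

```c
/* Added example, not code from Guix or the Shepherd: the two patch shapes
 * from this thread expressed as the underlying POSIX calls.
 * File names and helper names are hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct demo_result {
    mode_t window_mode;   /* v1: mode visible between creation and chmod */
    mode_t after_chmod;   /* v1: mode once chmod has run */
    mode_t atomic_mode;   /* v2: first visible mode, umask 022 */
    mode_t tight_umask;   /* v2: same call under umask 077 */
    int excl_existing;    /* errno when O_EXCL meets an existing file */
    int excl_symlink;     /* errno when O_EXCL meets a dangling symlink */
};

/* Permission bits of PATH itself; lstat() does not follow a symlink. */
static mode_t mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (mode_t)(st.st_mode & 07777) : (mode_t)-1;
}

/* v1 shape: create with the default mode 0666 (the example's stand-in for
 * call-with-output-file), then narrow the mode in a second call. */
static int create_then_chmod(const char *path, mode_t *seen_in_window)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    close(fd);
    *seen_in_window = mode_of(path);  /* what another process can see here */
    return chmod(path, 0640);
}

/* v2 shape: the final mode is an argument of the creating open() call.
 * O_WRONLY and the optional O_EXCL are additions made for this example.
 * Returns 0 on success, otherwise the errno from open(). */
static int create_with_mode(const char *path, int extra_flags)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC | extra_flags,
                  0640);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Runs every case in a private temporary directory and cleans up after. */
int run_demo(struct demo_result *r)
{
    char dir[] = "/tmp/logperm-XXXXXX";
    char v1[64], v2[64], v2_tight[64], lnk[64], target[64];
    mode_t saved;
    int rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(v1, sizeof v1, "%s/v1.log", dir);
    snprintf(v2, sizeof v2, "%s/v2.log", dir);
    snprintf(v2_tight, sizeof v2_tight, "%s/v2-tight.log", dir);
    snprintf(lnk, sizeof lnk, "%s/link.log", dir);
    snprintf(target, sizeof target, "%s/elsewhere", dir);

    saved = umask(022);
    rc |= create_then_chmod(v1, &r->window_mode);
    r->after_chmod = mode_of(v1);

    rc |= create_with_mode(v2, 0);
    r->atomic_mode = mode_of(v2);

    umask(077);                       /* umask can only remove bits */
    rc |= create_with_mode(v2_tight, 0);
    r->tight_umask = mode_of(v2_tight);
    umask(022);

    /* O_EXCL refuses a path that already exists, symlinks included. */
    r->excl_existing = create_with_mode(v2, O_EXCL);
    rc |= symlink(target, lnk);       /* target does not exist */
    r->excl_symlink = create_with_mode(lnk, O_EXCL);

    umask(saved);
    unlink(v1); unlink(v2); unlink(v2_tight); unlink(lnk);
    rmdir(dir);
    return rc == 0 ? 0 : -1;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0)
        return 1;
    printf("create then chmod: %04o in the window, %04o afterwards\n",
           (unsigned)r.window_mode, (unsigned)r.after_chmod);
    printf("mode given to open: %04o (umask 022), %04o (umask 077)\n",
           (unsigned)r.atomic_mode, (unsigned)r.tight_umask);
    printf("O_EXCL on existing file / symlink: errno %d / %d\n",
           r.excl_existing, r.excl_symlink);
    return 0;
}
```
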
From: Arun Isaac
Date: Tue, 30 Aug 2022 00:45:33 +0530
Subject: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.

Hi Maxime,

> There is a small window during which the log file has overly-wide
> permissions, which IIUC makes the log openable when it shouldn't, which
> could later be exploited (after the daemon has been running for a while)
> to extract anything secret written to the log by the service.

True, thanks for catching that!

> Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC)
> #o600)) instead, that should make things atomic.

Done. An updated patch follows.

> I do not know if clearing the log file is desired -- if so, remove
> O_APPEND, if not, keep O_APPEND.

I don't think clearing the log file is desired. Append is good, I think. Users wouldn't want their log files overwritten every time their system is restarted.

Regards,
Arun

From: Arun Isaac
Date: Tue, 30 Aug 2022 00:45:47 +0530
Subject: [bug#57363] [PATCH v2] shepherd: Set #o640 permissions for log file of service in container.

* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.

--- gnu/build/shepherd.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm index f4caefce3c..9d9bfcfbc0 100644 --- a/gnu/build/shepherd.scm +++ b/gnu/build/shepherd.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès ;;; Copyright © 2020 Mathieu Othacehe ;;; Copyright © 2022 Leo Nikkilä +;;; Copyright © 2022 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;;
@@ -186,7 +187,7 @@ (define mounts (when log-file ;; Create LOG-FILE so we can map it in the container. (unless (file-exists? log-file) - (call-with-output-file log-file (const #t)) + (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640)) (when user (let ((pw (getpwnam user))) (chown log-file (passwd:uid pw) (passwd:gid pw)))))) -- 2.37.1

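Review bot: in the second hunk, the mode #o640 only takes effect when this open call creates the file, and nothing ties the creation to the preceding (file-exists? log-file) check: without O_EXCL, a path that appears between the check and the open is opened as it is, keeps its own mode, and is then passed to chown. Adding O_EXCL to the flags makes the call fail instead of adopting a file it did not create. Two smaller points: no access mode is given, so the descriptor is opened read-only (O_RDONLY is 0), and O_APPEND has no effect on a descriptor that is closed without being written to; whether an existing log is cleared depends on O_TRUNC, which is not passed.
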
From: Ludovic Courtès
Date: Fri, 02 Sep 2022 11:21:31 +0200
Subject: [bug#57363] [PATCH v2] shepherd: Set #o640 permissions for log file of service in container.

Hi,

Arun Isaac wrote:

> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
> permissions for log file.

LGTM!

However, note that ‘make-forkexec-constructor/container’ is now deprecated in favor of (guix least-authority); apparently PageKite and Jami are the only real users left.

Thanks,
Ludo’.

From: help-debbugs@gnu.org (GNU bug Tracking System)
Date: Fri, 02 Sep 2022 11:21:02 +0000
Subject: bug#57363: closed (Re: [PATCH v2] shepherd: Set #o640 permissions for log file of service in container.)

Your bug report

#57363: [PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 57363@debbugs.gnu.org.

-- 
57363: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=57363
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Arun Isaac
Date: Fri, 02 Sep 2022 16:50:43 +0530
Subject: Re: [PATCH v2] shepherd: Set #o640 permissions for log file of service in container.

>> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
>> permissions for log file.
>
> LGTM!

Thanks, pushed!

> However, note that ‘make-forkexec-constructor/container’ is now
> deprecated in favor of (guix least-authority); apparently PageKite and
> Jami are the only real users left.

Ah, I didn't know. I've been making extensive use of make-forkexec-constructor/container in guix-forge and all my services. Time to switch!