From unknown Sun Aug 17 04:17:46 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper. Resent-From: Maxim Cournoyer Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 18 May 2023 01:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 63562 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 63562@debbugs.gnu.org Cc: Maxim Cournoyer X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.1684375005641 (code B ref -1); Thu, 18 May 2023 01:57:02 +0000 Received: (at submit) by debbugs.gnu.org; 18 May 2023 01:56:45 +0000 Received: from localhost ([127.0.0.1]:51545 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsm-0000AC-Ia for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:45 -0400 Received: from lists.gnu.org ([209.51.188.17]:43276) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsi-00009y-Kc for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzSsi-0004B9-D0 for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400 Received: from mail-qt1-x834.google.com ([2607:f8b0:4864:20::834]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pzSsg-0007DR-IK for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400 Received: by mail-qt1-x834.google.com with SMTP id d75a77b69052e-3f38a7c5d45so3700611cf.0 for ; Wed, 17 May 2023 18:56:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684374997; x=1686966997; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; 
From: Maxim Cournoyer Date: Wed, 17 May 2023 21:56:18 -0400 Message-Id: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::834; envelope-from=maxim.cournoyer@gmail.com; helo=mail-qt1-x834.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a least-authority-wrapper.
---
 gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
 1 file changed, 65 insertions(+), 32 deletions(-)
diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@
 ;;; along with GNU Guix. If not, see .

 (define-module (gnu services rsync)
+ #:use-module ((gnu build linux-container) #:select (%namespaces))
 #:use-module (gnu services)
 #:use-module (gnu services base)
 #:use-module (gnu services shepherd)
+ #:autoload (gnu system file-systems) (file-system-mapping)
 #:use-module (gnu system shadow)
- #:use-module (gnu packages rsync)
 #:use-module (gnu packages admin)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages rsync)
 #:use-module (guix records)
 #:use-module (guix gexp)
 #:use-module (guix diagnostics)
 #:use-module (guix i18n)
+ #:use-module (guix least-authority)
 #:use-module (srfi srfi-1)
 #:use-module (srfi srfi-26)
 #:use-module (ice-9 match)
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config)
 #t))
 (const #f)))

- (let* ((rsync (rsync-configuration-package config))
- (pid-file (rsync-configuration-pid-file config))
- (port-number (rsync-configuration-port-number config))
- (user (rsync-configuration-user config))
- (group (rsync-configuration-group config))
- (config-file (rsync-config-file config))
- (rsync-command #~(list (string-append #$rsync "/bin/rsync")
- "--config" #$config-file "--daemon")))
- (list (shepherd-service
- (provision '(rsync))
- (documentation "Run rsync daemon.")
- (actions (list (shepherd-configuration-action config-file)))
- (start #~(if #$inetd-style?
- (make-inetd-constructor
- #$rsync-command
- (cons (endpoint
- (make-socket-address AF_INET INADDR_ANY
- #$port-number))
- (if #$ipv6-support?
- (list
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
- '()))
- #:user #$user
- #:group #$group)
- (make-forkexec-constructor #$rsync-command
- #:pid-file #$pid-file
- #:user #$user
- #:group #$group)))
- (stop #~(make-kill-destructor))))))
+ (define (module->file-system-mapping module)
+ "Return the record corresponding to MODULE, an
+ object."
+ (match-record module
+ (file-name read-only?)
+ (file-system-mapping
+ (source file-name)
+ (target source)
+ (writable? (not read-only?)))))
+
+ (match-record config
+ (package log-file modules pid-file port-number user group)
+ ;; Run the rsync daemon in its own 'mnt' namespace, to guard against
+ ;; change to mount points it may be serving.
+ (let* ((config-file (rsync-config-file config))
+ (rsync-command #~(list #$(least-authority-wrapper
+ (file-append rsync "/bin/rsync")
+ #:name "rsync"
+ #:namespaces (fold delq %namespaces
+ '(net user))
+ #:mappings
+ (append (list (file-system-mapping
+ (source "/var/run/rsyncd")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source (dirname log-file))
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source config-file)
+ (target source)))
+ (map module->file-system-mapping
+ modules)))
+ "--config" #$config-file "--daemon")))
+ (list (shepherd-service
+ (provision '(rsync))
+ (documentation "Run rsync daemon.")
+ (actions (list (shepherd-configuration-action config-file)))
+ (start #~(if #$inetd-style?
+ (make-inetd-constructor
+ #$rsync-command
+ (cons (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (if #$ipv6-support?
+ (list
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ '()))
+ #:user #$user
+ #:group #$group)
+ (make-forkexec-constructor #$rsync-command
+ #:pid-file #$pid-file
+ #:user #$user
+ #:group #$group)))
+ (stop #~(if #$inetd-style?
+ (make-inetd-destructor)
+ (make-kill-destructor))))))))

 (define rsync-service-type
 (service-type
-- 2.39.2 From debbugs-submit-bounces@debbugs.gnu.org Wed May 17 22:01:48 2023 Received: (at control) by debbugs.gnu.org; 18 May 2023 02:01:48 +0000 Received: from localhost ([127.0.0.1]:51552 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSxg-0000Jh-HF for submit@debbugs.gnu.org; Wed, 17 May 2023 22:01:48 -0400 Received: from mail-qv1-f49.google.com ([209.85.219.49]:50277) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSxf-0000JV-1n for control@debbugs.gnu.org; Wed, 17 May 2023 22:01:47 -0400 Received: by mail-qv1-f49.google.com with SMTP id 6a1803df08f44-61b58779b93so13763976d6.0 for ; Wed, 17 May 2023 19:01:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684375301; x=1686967301; h=subject:from:to:message-id:date:from:to:cc:subject:date:message-id :reply-to; bh=+PlhS/LZ4DJhfHTDhiQHLITfD0oPtj83SKBsxdKIlnU=; b=a7+4QcnI6lLQZiPwl0BCRWB/k6jDz3OkyvRZdaZfQuxP2UcMvbRuDnr2XKxIdKmnQb nNcMyMfvxrDA2yUyDHW3ZBLBLjEhMXkG8MEV8b3mDvZBBwJ+lYyRBpoW9rf5URw00d87 BLLIoCSrDVFxOMPenz++S1uWsETxtARtEwqchoBgjWT6d5biJ/KQGHK+8RyVOa5OMELF
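Review bot: `(file-append rsync "/bin/rsync")` in the new `rsync-command` uses `rsync`, yet `match-record` binds the configured package as `package` and the old `(rsync (rsync-configuration-package config))` binding is removed, so `rsync` presumably resolves to the package variable from `(gnu packages rsync)` and a package chosen in the configuration is ignored; `(file-append package "/bin/rsync")` would restore the previous behaviour. The writable mapping `(source "/var/run/rsyncd")` is a literal while `pid-file` stays configurable and is still passed to `make-forkexec-constructor`, so `(source (dirname pid-file))` would keep a non-default PID file reachable inside the wrapper. Mapping `(dirname log-file)` writable gives the daemon every file in that directory rather than only its own log, which deserves a comment stating the trade-off or a dedicated log directory. `rsync-shepherd-service` starts above this hunk, and the same hunk is repeated in the closure notification later on the page, where these points apply equally.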
3ISXonsVg3VWlgpZA+9Gbnd/o05Xh342hPOP3rK0bp8f4r2EOWKcHoUUwcS1VV/tXGCa ksuxE1WgImMgEjt80RVOP3oYNVq2G47G/NJ1IfUPxZxYUS4rKWjsJfVNBvQ/u0QKKMH5 vLew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684375301; x=1686967301; h=subject:from:to:message-id:date:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=+PlhS/LZ4DJhfHTDhiQHLITfD0oPtj83SKBsxdKIlnU=; b=if4chK6tCyqH/Fw/db0qdfbR7d860dAHia0UmP7PTsSeMQox8N3thPp86P/xVyktYp h4vUB8UqhFdgvD4jNOInuZvqtv5a+WllBUL1oL7Y1bmay6Nr2F+7FU69cE03A+Wu/Dhu o3uACyJUfcfZaxLietkotQxqu6nDHvNAGyu3H2H6wjPwcTc6YPzsS1S+1TCe/dFUqf+L I/AqcGUCkHmM6z0VUQDdzkL5J6bVUzELmGW6Mbxovm8hHLdFkSv1kGWfjCYIKGE40I9v csY3PLhDgrOFAFH6FKIRrFPZ3Nsd8vrBhr7hlssbAvCldR/aYGr0r3CQxYA0f9tJqR2A ZHfA== X-Gm-Message-State: AC+VfDwBJe9p0tL4GEteSRbFyiArG17FihhSyPOU9h+DIapVsnI9ArY9 qpAZ6psoUl0//NdkR4c0bzGzhBM6rm1ysA== X-Google-Smtp-Source: ACHHUZ6R/DW8oMkpGUJf/qjSCcmimbE2+lKS7HzklTwfaxoyd10wEjWjYo5Z8CVVZMXZzt7gAQAqDg== X-Received: by 2002:ad4:4ee7:0:b0:621:363c:ea99 with SMTP id dv7-20020ad44ee7000000b00621363cea99mr3366054qvb.30.1684375300865; Wed, 17 May 2023 19:01:40 -0700 (PDT) Received: from hurd (dsl-150-33.b2b2c.ca. [66.158.150.33]) by smtp.gmail.com with ESMTPSA id cx3-20020a056214188300b006238f82cde4sm173104qvb.108.2023.05.17.19.01.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 May 2023 19:01:40 -0700 (PDT) Date: Wed, 17 May 2023 22:01:33 -0400 Message-Id: <87y1lmmm82.fsf@gmail.com> To: control@debbugs.gnu.org 
From: Maxim Cournoyer Subject: control message for bug #63562 X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: control X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) forcemerge 63562 63561 quit From unknown Sun Aug 17 04:17:46 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 18 May 2023 16:59:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 63562 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Maxim Cournoyer Cc: 63562@debbugs.gnu.org, 63561@debbugs.gnu.org Received: via spool by 63562-submit@debbugs.gnu.org id=B63562.16844291381018 (code B ref 63562); Thu, 18 May 2023 16:59:02 +0000 Received: (at 63562) by debbugs.gnu.org; 18 May 2023 16:58:58 +0000 Received: from localhost ([127.0.0.1]:54288 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzgxt-0000GL-QA for submit@debbugs.gnu.org; Thu, 18 May 2023 12:58:57 -0400 Received: from eggs.gnu.org ([209.51.188.92]:38396) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzgxp-0000G1-Rf; Thu, 18 May 2023 12:58:56 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzgxk-0005kW-CA; Thu, 18 May 2023 12:58:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To: From; bh=Fpx3+nLl0yAOOtBxRIeX2GatqWheXq/dq1AZvoz1MdM=; b=JQ1lN24fVGgeRb+80wGV 
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: Date: Thu, 18 May 2023 18:58:45 +0200 In-Reply-To: (Maxim Cournoyer's message of "Wed, 17 May 2023 21:56:17 -0400") Message-ID: <87jzx54lve.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Hi, Maxim Cournoyer skribis: > + (make-inetd-constructor > + #$rsync-command > + (cons (endpoint > + (make-socket-address AF_INET INADDR_ANY > + #$port-number)) > + (if #$ipv6-support? > + (list > + (endpoint > + (make-socket-address AF_INET6 IN6AD= DR_ANY > + #$port-number)= )) > + '())) > + #:user #$user > + #:group #$group) > + (make-forkexec-constructor #$rsync-command I found it fishy that the same command could be used both in inetd mode and in “regular” daemon mode. Turns out that rsync does something… surprising, as noted in rsync(1): If standard input is a socket then rsync will assume that it is being run via inetd, otherwise it will detach from the current terminal and become a background daemon. So I guess this is fine, and a welcome change! Ludo’. From unknown Sun Aug 17 04:17:46 2025 X-Loop: help-debbugs@gnu.org Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper. 
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Thu, 18 May 2023 17:01:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 63562 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Maxim Cournoyer Cc: 63562@debbugs.gnu.org Received: via spool by 63562-submit@debbugs.gnu.org id=B63562.16844292571360 (code B ref 63562); Thu, 18 May 2023 17:01:02 +0000 Received: (at 63562) by debbugs.gnu.org; 18 May 2023 17:00:57 +0000 Received: from localhost ([127.0.0.1]:54301 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzgzo-0000Ls-Vb for submit@debbugs.gnu.org; Thu, 18 May 2023 13:00:57 -0400 Received: from eggs.gnu.org ([209.51.188.92]:45702) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzgzn-0000Ld-2i for 63562@debbugs.gnu.org; Thu, 18 May 2023 13:00:55 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzgzh-0006Mo-SL; Thu, 18 May 2023 13:00:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To: From; bh=vS00lTeAucRJ+hgphlZ62CUsZPm8XZqbW+UKnzYpVYA=; b=bDnmU/4DdwSDgmFgZq+Z SiJEiQy4PZq2DUdRl0owiXGXV5SzBGiqrdp/Z12soeia9YzkVkuI1/ihEXN/KkjaX+EDUwjkc7nvl nBvbT4h1FRh0Zx1eOL9JcxMqp6duqy0BXQQQ39Wz2bcsvpEDM9OsmHWexA54a3fFUgPim5sOpHgQO itdOd6uSxfqsGVT9ERSV1CJAfYfNSSKc3Mwtgn4usqYRArj7YdrbrSYJUQMB5G5apgB6bIziv4Nlm kNvPz2gkXcqOjt3qOZZ/eumTIbEzCw8yK2FcCQogm2OqIMMNidIdwbfLrUAHFT60JmTge7OkbAyyI eXmTmZLiTuNM4A==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201] helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzgzg-0005fK-1g; Thu, 18 May 2023 13:00:49 -0400 
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> Date: Thu, 18 May 2023 19:00:46 +0200 In-Reply-To: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> (Maxim Cournoyer's message of "Wed, 17 May 2023 21:56:18 -0400") Message-ID: <87fs7t4ls1.fsf_-_@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) Maxim Cournoyer skribis: > * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a > least-authority-wrapper. Nice, LGTM! Since berlin relies on it for backups, we’ll have to double-check that it all goes well, in case we overlooked something. Ludo’. From unknown Sun Aug 17 04:17:46 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
From: help-debbugs@gnu.org (GNU bug Tracking System) To: Maxim Cournoyer Subject: bug#63562: closed (Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority wrapper.) Message-ID: References: <87ttw9knwm.fsf@gmail.com> <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> X-Gnu-PR-Message: they-closed 63562 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 63562@debbugs.gnu.org Date: Fri, 19 May 2023 03:21:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1684466462-2869-1" This is a multi-part message in MIME format... ------------=_1684466462-2869-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #63562: [PATCH 2/2] services: rsync: Use least authority wrapper. which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 63562@debbugs.gnu.org. 
--=20 63562: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D63562 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1684466462-2869-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 63562-done) by debbugs.gnu.org; 19 May 2023 03:20:37 +0000 Received: from localhost ([127.0.0.1]:55003 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzqfU-0000jY-Qh for submit@debbugs.gnu.org; Thu, 18 May 2023 23:20:37 -0400 Received: from mail-qv1-f52.google.com ([209.85.219.52]:50567) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzqfR-0000jJ-AA for 63562-done@debbugs.gnu.org; Thu, 18 May 2023 23:20:35 -0400 Received: by mail-qv1-f52.google.com with SMTP id 6a1803df08f44-6235aac00edso25184696d6.1 for <63562-done@debbugs.gnu.org>; Thu, 18 May 2023 20:20:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684466427; x=1687058427; h=content-transfer-encoding:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from:from:to:cc:subject :date:message-id:reply-to; bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=; b=GEbHG69ZBQhMCl8aw12dZh8tF9fwTvIDs4lkdMUOgfbCvwTXKsXeTDAl2Siwi0ioM1 vMT/zkYE+McHH1NWjF1xHff22tJUHelYMXVqt99BnFyQmIvQIzJdUL2rypQUr+/LG0bv csE1OrhbF+B85ah9hVLBiB/uK/6oWTTsu85ma38Fsqf1JiyGykllXZxEOLUoc9ogpBAc 0fECrsUxV/Rob8enu/GPUXXo5WGW1zOVm48B400q9N18/u2CETDaFmZTb+gcv01NpfOr VlJjITYWgg4cuAbevPVSC3I/i0l7NP3fnVMkvIy6QJxBiopR+/YUWaavuYxUhDh6+PAE +SXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684466427; x=1687058427; h=content-transfer-encoding:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=; b=kZntWKPLb9eTpKopw4JsTV7huoacwj63Gmrc/X9zVjhZn65k+SgOl4TvGr25J6rnZf 
From: Maxim Cournoyer To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority wrapper. References: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> <87fs7t4ls1.fsf_-_@gnu.org> Date: Thu, 18 May 2023 23:20:25 -0400 In-Reply-To: <87fs7t4ls1.fsf_-_@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s?= =?utf-8?Q?=22's?= message of "Thu, 18 May 2023 19:00:46 +0200") Message-ID: <87ttw9knwm.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 63562-done Cc: 63562-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Ludo, Ludovic Courtès writes: > Maxim Cournoyer skribis: > >> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a >> least-authority-wrapper. > > Nice, LGTM! > > Since berlin relies on it for backups, we’ll have to double-check that > it all goes well, in case we overlooked something. Thanks for the review! I've installed the change. 
--=20 Thanks, Maxim ------------=_1684466462-2869-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 18 May 2023 01:56:45 +0000 Received: from localhost ([127.0.0.1]:51545 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsm-0000AC-Ia for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:45 -0400 Received: from lists.gnu.org ([209.51.188.17]:43276) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsi-00009y-Kc for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzSsi-0004B9-D0 for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400 Received: from mail-qt1-x834.google.com ([2607:f8b0:4864:20::834]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pzSsg-0007DR-IK for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400 Received: by mail-qt1-x834.google.com with SMTP id d75a77b69052e-3f38a7c5d45so3700611cf.0 for ; Wed, 17 May 2023 18:56:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684374997; x=1686966997; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=T8kLQ0JawpOqBVrtrIcrFDG8Fmd+mkEpr10o75CfZsM=; b=G+9JkqwMeDWAVOBYeH1bbI41AAK9v8EQaspMNXoG8vq6kYpmmB2b/2/mmjBRA9t0lH 2r70wLBz3KVr+Pmv4uZp1oXYR10Bi10bxPcRayDlt9qwVWDgN41uVWk7o7n7prZh1Tjr 4cnmegvZK804inllTTe3D7rLod1+kfS7r/gdFccIcEja7Z9JggCRVLODMmpAFUw+HTpp 3UcQVVpDEvUS2M8tVJjorQI19Ny6StKsYL2OnpyRijctBeJitJziKfcm6gkqnyE6saVZ 3g3iNwGtvuHDCZSsR2zvKDtAXOt9eh57m6MTpJ1+lOPtTUsH5/edoaMsBkyZ0jmcG4jo e9Kw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684374997; x=1686966997; 
From: Maxim Cournoyer To: guix-patches@gnu.org Subject: [PATCH 2/2] services: rsync: Use least authority wrapper. Date: Wed, 17 May 2023 21:56:18 -0400 Message-Id: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::834; envelope-from=maxim.cournoyer@gmail.com; helo=mail-qt1-x834.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit Cc: Maxim Cournoyer X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a least-authority-wrapper.
---
 gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
 1 file changed, 65 insertions(+), 32 deletions(-)
diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@
 ;;; along with GNU Guix. If not, see .

 (define-module (gnu services rsync)
+ #:use-module ((gnu build linux-container) #:select (%namespaces))
 #:use-module (gnu services)
 #:use-module (gnu services base)
 #:use-module (gnu services shepherd)
+ #:autoload (gnu system file-systems) (file-system-mapping)
 #:use-module (gnu system shadow)
- #:use-module (gnu packages rsync)
 #:use-module (gnu packages admin)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages rsync)
 #:use-module (guix records)
 #:use-module (guix gexp)
 #:use-module (guix diagnostics)
 #:use-module (guix i18n)
+ #:use-module (guix least-authority)
 #:use-module (srfi srfi-1)
 #:use-module (srfi srfi-26)
 #:use-module (ice-9 match)
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config) #t)) (const #f))) - (let* ((rsync (rsync-configuration-package config)) - (pid-file (rsync-configuration-pid-file config)) - (port-number (rsync-configuration-port-number config)) - (user (rsync-configuration-user config)) - (group (rsync-configuration-group config)) - (config-file (rsync-config-file config)) - (rsync-command #~(list (string-append #$rsync "/bin/rsync") - "--config" #$config-file "--daemon"))) - (list (shepherd-service - (provision '(rsync)) - (documentation "Run rsync daemon.") - (actions (list (shepherd-configuration-action config-file))) - (start #~(if #$inetd-style? - (make-inetd-constructor - #$rsync-command - (cons (endpoint - (make-socket-address AF_INET INADDR_ANY - #$port-number)) - (if #$ipv6-support? - (list - (endpoint - (make-socket-address AF_INET6 IN6ADDR_ANY - #$port-number))) - '())) - #:user #$user - #:group #$group) - (make-forkexec-constructor #$rsync-command - #:pid-file #$pid-file - #:user #$user - #:group #$group))) - (stop #~(make-kill-destructor)))))) + (define (module->file-system-mapping module) + "Return the record corresponding to MODULE, an + object." + (match-record module + (file-name read-only?) + (file-system-mapping + (source file-name) + (target source) + (writable? (not read-only?))))) + + (match-record config + (package log-file modules pid-file port-number user group) + ;; Run the rsync daemon in its own 'mnt' namespace, to guard against + ;; change to mount points it may be serving. + (let* ((config-file (rsync-config-file config)) + (rsync-command #~(list #$(least-authority-wrapper + (file-append rsync "/bin/rsync") + #:name "rsync" + #:namespaces (fold delq %namespaces + '(net user)) + #:mappings + (append (list (file-system-mapping + (source "/var/run/rsyncd") + (target source) + (writable? #t)) + (file-system-mapping + (source (dirname log-file)) + (target source) + (writable? 
#t)) + (file-system-mapping + (source config-file) + (target source))) + (map module->file-system-mapping + modules))) + "--config" #$config-file "--daemon"))) + (list (shepherd-service + (provision '(rsync)) + (documentation "Run rsync daemon.") + (actions (list (shepherd-configuration-action config-file))) + (start #~(if #$inetd-style? + (make-inetd-constructor + #$rsync-command + (cons (endpoint + (make-socket-address AF_INET INADDR_ANY + #$port-number)) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) + #:user #$user + #:group #$group) + (make-forkexec-constructor #$rsync-command + #:pid-file #$pid-file + #:user #$user + #:group #$group))) + (stop #~(if #$inetd-style? + (make-inetd-destructor) + (make-kill-destructor)))))))) (define rsync-service-type (service-type -- 2.39.2 ------------=_1684466462-2869-1-- From unknown Sun Aug 17 04:17:46 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org 
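Review bot: The wrapper is built from `(file-append rsync "/bin/rsync")`, but this hunk removes the `let*` binding `(rsync (rsync-configuration-package config))`, so `rsync` now resolves to the package exported by `(gnu packages rsync)` and the `package` field bound by `match-record` is never used. An administrator who configures a different rsync package would still run the default one; the line should read `(file-append package "/bin/rsync")`. The comment above the `let*` also understates the isolation, because `(fold delq %namespaces '(net user))` keeps every namespace in `%namespaces` except `net` and `user`, not only `mnt`. Separately, mapping `(dirname log-file)` as writable gives the daemon the whole directory that holds the log; if that is a shared log directory, a dedicated subdirectory for the rsync log would keep the sandbox tighter. `rsync-shepherd-service` begins before this hunk.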
From: help-debbugs@gnu.org (GNU bug Tracking System) To: Maxim Cournoyer Subject: bug#63561: closed (Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority wrapper.) Message-ID: References: <87ttw9knwm.fsf@gmail.com> X-Gnu-PR-Message: they-closed 63561 X-Gnu-PR-Package: guix-patches X-Gnu-PR-Keywords: patch Reply-To: 63561@debbugs.gnu.org Date: Fri, 19 May 2023 03:21:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1684466462-2869-3" This is a multi-part message in MIME format... ------------=_1684466462-2869-3 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #63562: [PATCH 1/2] services: rsync: Use make-inetd-constructor. which was filed against the guix-patches package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 63561@debbugs.gnu.org. --=20 63562: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D63562 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1684466462-2869-3 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 63562-done) by debbugs.gnu.org; 19 May 2023 03:20:37 +0000 Received: from localhost ([127.0.0.1]:55003 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzqfU-0000jY-Qh for submit@debbugs.gnu.org; Thu, 18 May 2023 23:20:37 -0400 Received: from mail-qv1-f52.google.com ([209.85.219.52]:50567) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzqfR-0000jJ-AA for 63562-done@debbugs.gnu.org; Thu, 18 May 2023 23:20:35 -0400 Received: by mail-qv1-f52.google.com with SMTP id 6a1803df08f44-6235aac00edso25184696d6.1 for <63562-done@debbugs.gnu.org>; Thu, 18 May 2023 20:20:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684466427; x=1687058427; 
h=content-transfer-encoding:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from:from:to:cc:subject :date:message-id:reply-to; bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=; b=GEbHG69ZBQhMCl8aw12dZh8tF9fwTvIDs4lkdMUOgfbCvwTXKsXeTDAl2Siwi0ioM1 vMT/zkYE+McHH1NWjF1xHff22tJUHelYMXVqt99BnFyQmIvQIzJdUL2rypQUr+/LG0bv csE1OrhbF+B85ah9hVLBiB/uK/6oWTTsu85ma38Fsqf1JiyGykllXZxEOLUoc9ogpBAc 0fECrsUxV/Rob8enu/GPUXXo5WGW1zOVm48B400q9N18/u2CETDaFmZTb+gcv01NpfOr VlJjITYWgg4cuAbevPVSC3I/i0l7NP3fnVMkvIy6QJxBiopR+/YUWaavuYxUhDh6+PAE +SXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684466427; x=1687058427; h=content-transfer-encoding:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=; b=kZntWKPLb9eTpKopw4JsTV7huoacwj63Gmrc/X9zVjhZn65k+SgOl4TvGr25J6rnZf gozpfzkR0PsecMmU0CZDC+ehaU//IuDDQmwSBcxBCjx6EvgZAZlW6SDXNAbvdUeYvB7b 5p7IPrODXSSSfBdlrKUhFjRaQLXhy3lAMroqvdOiM4x5Twqqmd7tmfofTn6q50rB2RZM CX1a9GekTihcL2q6QsVr7UcyP/MvkuB32vGNlMwQc2K7J4U+MIXKhLfkqonc7yfBemaF Op4KfwdCWKO16qdD8SiaQmS3U/H111ltHCCiN9CreIOcIJT/JSL2UOLpe7KCzm6PmNgN i33g== X-Gm-Message-State: AC+VfDzE1APsHINwu8p5tZjsqiVXho/iUCtQ1yicxPk9Nwl1FMdYEnyH 6Sme1fu2o9q5r5b9uWIybsb6xhy5Etc7WA== X-Google-Smtp-Source: ACHHUZ47le1L4bhqFg7UWzvWOL0xH5RAQFX4FALwRLSpTssVF38nlzFxKveJMa12xN6WbEu3+vTfkg== X-Received: by 2002:a05:6214:2aa5:b0:621:363c:ea99 with SMTP id js5-20020a0562142aa500b00621363cea99mr1834705qvb.30.1684466427423; Thu, 18 May 2023 20:20:27 -0700 (PDT) Received: from hurd (dsl-150-33.b2b2c.ca. [66.158.150.33]) by smtp.gmail.com with ESMTPSA id x18-20020a05620a01f200b0074df3f7e14esm837210qkn.67.2023.05.18.20.20.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 18 May 2023 20:20:26 -0700 (PDT) 
From: Maxim Cournoyer To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority wrapper. References: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> <87fs7t4ls1.fsf_-_@gnu.org> Date: Thu, 18 May 2023 23:20:25 -0400 In-Reply-To: <87fs7t4ls1.fsf_-_@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s?= =?utf-8?Q?=22's?= message of "Thu, 18 May 2023 19:00:46 +0200") Message-ID: <87ttw9knwm.fsf@gmail.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 63562-done Cc: 63562-done@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Hi Ludo, Ludovic Courtès writes: > Maxim Cournoyer skribis: > >> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a >> least-authority-wrapper. > > Nice, LGTM! > > Since berlin relies on it for backups, we’ll have to double-check that > it all goes well, in case we overlooked something. Thanks for the review! I've installed the change. 
--=20 Thanks, Maxim ------------=_1684466462-2869-3 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 18 May 2023 01:56:44 +0000 Received: from localhost ([127.0.0.1]:51543 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsi-0000A0-RG for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:44 -0400 Received: from lists.gnu.org ([209.51.188.17]:43272) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1pzSsh-00009r-Fi for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pzSsh-0004B1-7o for guix-patches@gnu.org; Wed, 17 May 2023 21:56:39 -0400 Received: from mail-qk1-x733.google.com ([2607:f8b0:4864:20::733]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1pzSsf-0007DB-AN for guix-patches@gnu.org; Wed, 17 May 2023 21:56:39 -0400 Received: by mail-qk1-x733.google.com with SMTP id af79cd13be357-757741ca000so167221785a.2 for ; Wed, 17 May 2023 18:56:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684374996; x=1686966996; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=spwB68lZPmrnWw/mMtQAPlC3piN7aW+NpIqurj0ZnBE=; b=KYGPD6yxh45forOMddmQKysgB11HJYlaL9F7cKOKd/15uFLWpm71ETy5ByJNW/M7HQ g2lifQ9532JOQ5Z+e6+ym8YGYAPbjKLUzGLbwMbdfUHod6YTDbXQTi1uLw+lwFpW/aUz MyA6ByCbYeCnMAwo+rfInx5dXU/wUN8TPatr9uqB+JRPDhFlS44bXQ0Q93Ofl6q++SW8 7DL2qttRwJC8hx0/b0DSriC/1P11aZ/QVlo/v0WyEmBoCGNYp5B8FDxa7xiCAuiealzY vz4K+FpdNJ4ZHmd8kL8pgfKvcJvGlv2Vqv8yxnL4a1kU/jCdiqu8IL+f802obLBSG+ff olZg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684374996; x=1686966996; 
h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=spwB68lZPmrnWw/mMtQAPlC3piN7aW+NpIqurj0ZnBE=; b=eqaJQSDTUNd9JxU3p/Nzlri22RDQs7nvZFF4219UTL6GCdWS9T/IfjCdTn376jo/Ig bj4mUif0364mmWc92u90Sp/CkdcZZGliYgboXMMUkH2WBZtSFRxdNH7NSfVfJImJcrW1 8jI/PrCdYzj30ydMVjBfTvF45pbze7V1kQlKf6nOR72K4fX27XxVosJw+M4fcn9NTqF8 nPwBeHgVabKyeYy+kag5mEs2xo03ZOVAwch6QmqFC9Qqtxx0r2Owqi5u8IUcEpSQCsAU 6GQVkcY5um6J455jlo/w/hcbxli31k1tZ+/t4w2YK+tM31bCQZnN9qnnFuVXkVzt1L4K P/ew== X-Gm-Message-State: AC+VfDyfRLL2Va04tYYL4BMQwOn89GXnDFHkz+Ia+f03s5fD5xfFHpG3 haAPSB+h6rfBnhaqWQs0DoTt0HYAvyrKrA== X-Google-Smtp-Source: ACHHUZ4wlWDnbpjLfnbsmzG/UCcMfPAqpEXbRdFfG9u78ec4+ogjQutRBltTLNp0dVAIzlwyHOgpAA== X-Received: by 2002:ac8:5b0d:0:b0:3f3:9526:42fe with SMTP id m13-20020ac85b0d000000b003f3952642femr3339613qtw.28.1684374995937; Wed, 17 May 2023 18:56:35 -0700 (PDT) Received: from localhost.localdomain (dsl-150-33.b2b2c.ca. [66.158.150.33]) by smtp.gmail.com with ESMTPSA id gc11-20020a05622a59cb00b003f38b4167e5sm138672qtb.2.2023.05.17.18.56.35 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 May 2023 18:56:35 -0700 (PDT) 
From: Maxim Cournoyer To: guix-patches@gnu.org Subject: [PATCH 1/2] services: rsync: Use make-inetd-constructor. Date: Wed, 17 May 2023 21:56:17 -0400 Message-Id: X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Received-SPF: pass client-ip=2607:f8b0:4864:20::733; envelope-from=maxim.cournoyer@gmail.com; helo=mail-qk1-x733.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit Cc: Maxim Cournoyer X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) * gnu/services/rsync.scm (rsync-shepherd-service): Use make-inetd-constructor if available in start slot. * gnu/tests/rsync.scm (run-rsync-test): Delete "PID file" test. --- gnu/services/rsync.scm | 44 ++++++++++++++++++++++++++++++++++-------- gnu/tests/rsync.scm | 6 ------ 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm index aeb4275031..826b757b1c 100644 --- a/gnu/services/rsync.scm +++ b/gnu/services/rsync.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Oleg Pykhalov ;;; Copyright © 2021, 2023 Ludovic Courtès +;;; Copyright © 2023 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -221,23 +222,50 @@ (define (rsync-config-file config) (define (rsync-shepherd-service config) "Return a for rsync with CONFIG." + + ;; XXX: Predicates copied from (gnu services ssh). + (define inetd-style? + #~(and (defined? 'make-inetd-constructor) + (not (string=? (@ (shepherd config) Version) "0.9.0")))) + + (define ipv6-support? + #~(catch 'system-error + (lambda () + (let ((sock (socket AF_INET6 SOCK_STREAM 0))) + (close-port sock) + #t)) + (const #f))) + (let* ((rsync (rsync-configuration-package config)) (pid-file (rsync-configuration-pid-file config)) (port-number (rsync-configuration-port-number config)) (user (rsync-configuration-user config)) (group (rsync-configuration-group config)) - (config-file (rsync-config-file config))) + (config-file (rsync-config-file config)) + (rsync-command #~(list (string-append #$rsync "/bin/rsync") + "--config" #$config-file "--daemon"))) (list (shepherd-service (provision '(rsync)) (documentation "Run rsync daemon.") (actions (list (shepherd-configuration-action config-file))) - (start #~(make-forkexec-constructor - (list (string-append #$rsync "/bin/rsync") - "--config" #$config-file - "--daemon") - #:pid-file #$pid-file - #:user #$user - #:group #$group)) + (start #~(if #$inetd-style? + (make-inetd-constructor + #$rsync-command + (cons (endpoint + (make-socket-address AF_INET INADDR_ANY + #$port-number)) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) + #:user #$user + #:group #$group) + (make-forkexec-constructor #$rsync-command + #:pid-file #$pid-file + #:user #$user + #:group #$group))) (stop #~(make-kill-destructor)))))) (define rsync-service-type diff --git a/gnu/tests/rsync.scm b/gnu/tests/rsync.scm index ea53a157bb..182e5f76ff 100644 --- a/gnu/tests/rsync.scm +++ b/gnu/tests/rsync.scm 
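Review bot: The inetd branch of `start` binds its endpoints to `INADDR_ANY` and `IN6ADDR_ANY` unconditionally, so once Shepherd owns the listening socket the daemon is reachable on every interface. rsync ignores the `address` setting in rsyncd.conf when it is started inetd-style, so any bind restriction written into the generated config file would stop having an effect on this path. Whether `rsync-configuration` exposes a bind address is not visible in this hunk; if it does, the endpoints should be built from it. If it does not, a comment such as `;; Listens on all interfaces; restrict access with a firewall or the modules' "hosts allow".` above `make-inetd-constructor` would make the exposure explicit.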
@@ -70,12 +70,6 @@ (define* (run-rsync-test rsync-os #:optional (rsync-port 873)) (start-service 'rsync)) marionette)) - ;; Make sure the PID file is created. - (test-assert "PID file" - (marionette-eval - '(file-exists? "/var/run/rsyncd/rsyncd.pid") - marionette)) - (test-assert "Test file copied to share" (marionette-eval '(begin base-commit: 9c161c1f0def13676002ce34625ba023857b9ab2 -- 2.39.2 ------------=_1684466462-2869-3--