From unknown Fri Aug 15 12:49:29 2025
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
Content-Type: text/plain; charset=utf-8
From: bug#63562 <63562@debbugs.gnu.org>
To: bug#63562 <63562@debbugs.gnu.org>
Subject: Status: [PATCH 2/2] services: rsync: Use least authority wrapper.
Reply-To: bug#63562 <63562@debbugs.gnu.org>
Date: Fri, 15 Aug 2025 19:49:29 +0000

retitle 63562 [PATCH 2/2] services: rsync: Use least authority wrapper.
reassign 63562 guix-patches
submitter 63562 Maxim Cournoyer <maxim.cournoyer@gmail.com>
severity 63562 normal
tag 63562 patch

thanks


From debbugs-submit-bounces@debbugs.gnu.org Wed May 17 21:56:45 2023
Received: (at submit) by debbugs.gnu.org; 18 May 2023 01:56:45 +0000
Received: from localhost ([127.0.0.1]:51545 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pzSsm-0000AC-Ia
	for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:45 -0400
Received: from lists.gnu.org ([209.51.188.17]:43276)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pzSsi-00009y-Kc
 for submit@debbugs.gnu.org; Wed, 17 May 2023 21:56:41 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@gmail.com>)
 id 1pzSsi-0004B9-D0
 for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400
Received: from mail-qt1-x834.google.com ([2607:f8b0:4864:20::834])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <maxim.cournoyer@gmail.com>)
 id 1pzSsg-0007DR-IK
 for guix-patches@gnu.org; Wed, 17 May 2023 21:56:40 -0400
Received: by mail-qt1-x834.google.com with SMTP id
 d75a77b69052e-3f38a7c5d45so3700611cf.0
 for <guix-patches@gnu.org>; Wed, 17 May 2023 18:56:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1684374997; x=1686966997;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=T8kLQ0JawpOqBVrtrIcrFDG8Fmd+mkEpr10o75CfZsM=;
 b=G+9JkqwMeDWAVOBYeH1bbI41AAK9v8EQaspMNXoG8vq6kYpmmB2b/2/mmjBRA9t0lH
 2r70wLBz3KVr+Pmv4uZp1oXYR10Bi10bxPcRayDlt9qwVWDgN41uVWk7o7n7prZh1Tjr
 4cnmegvZK804inllTTe3D7rLod1+kfS7r/gdFccIcEja7Z9JggCRVLODMmpAFUw+HTpp
 3UcQVVpDEvUS2M8tVJjorQI19Ny6StKsYL2OnpyRijctBeJitJziKfcm6gkqnyE6saVZ
 3g3iNwGtvuHDCZSsR2zvKDtAXOt9eh57m6MTpJ1+lOPtTUsH5/edoaMsBkyZ0jmcG4jo
 e9Kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1684374997; x=1686966997;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=T8kLQ0JawpOqBVrtrIcrFDG8Fmd+mkEpr10o75CfZsM=;
 b=mBSiWkNzfwEIaQd4JibSdkCiMf9QE6QmEQH7rzBqzSQlG3AF6GGnxBRbCXmzk6GPZy
 cD8A6wmIhuScbPJPUNI4aR/5UFFFHWvtj+jV+vX3hE3FEXHRSPa+EGZOdb5j2aTUfsYF
 ZMSgkFTk6CBbE3cQHe0VPUKTm3dbzdhxevdV6pNrZZ2EbrsW1VV2CHrtIiETXHRjTApp
 BwQgTbsHGZ0ch07Xza1g1ge1X6powQROL0n6nfwJKfbbgbvhjMVWFnN5jEjXc1WLQoe1
 +Td+j9YAhMHO1MEiDbVCN3b+4cn1CUGPXRyuDgTr0smGBWJoVUMoNDi0oNF/9S0xsh3z
 lUmw==
X-Gm-Message-State: AC+VfDzRYtDk0CVZ/hItXacqD3AxTNUZuNGUHVVXEvzFJwuybIQdEYf4
 J/ZsMw2fVSYqlahvyxlf6U/P1kSerZgaQw==
X-Google-Smtp-Source: ACHHUZ5YYqCJ6CHVTqj1OsY61vdeDmYmNbM/ZdyZQtKmeQNjJ3yCwP/zqebFLY8g7yKXnnYC0pE4YA==
X-Received: by 2002:a05:622a:12:b0:3ef:33da:e25 with SMTP id
 x18-20020a05622a001200b003ef33da0e25mr2613909qtw.22.1684374997139; 
 Wed, 17 May 2023 18:56:37 -0700 (PDT)
Received: from localhost.localdomain (dsl-150-33.b2b2c.ca. [66.158.150.33])
 by smtp.gmail.com with ESMTPSA id
 gc11-20020a05622a59cb00b003f38b4167e5sm138672qtb.2.2023.05.17.18.56.36
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 17 May 2023 18:56:36 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: guix-patches@gnu.org
Subject: [PATCH 2/2] services: rsync: Use least authority wrapper.
Date: Wed, 17 May 2023 21:56:18 -0400
Message-Id: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
References: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=2607:f8b0:4864:20::834;
 envelope-from=maxim.cournoyer@gmail.com; helo=mail-qt1-x834.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.3 (-)
X-Debbugs-Envelope-To: submit
Cc: Maxim Cournoyer <maxim.cournoyer@gmail.com>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

* gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
least-authority-wrapper.
---
 gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
 1 file changed, 65 insertions(+), 32 deletions(-)

diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu services rsync)
+  #:use-module ((gnu build linux-container) #:select (%namespaces))
   #:use-module (gnu services)
   #:use-module (gnu services base)
   #:use-module (gnu services shepherd)
+  #:autoload   (gnu system file-systems) (file-system-mapping)
   #:use-module (gnu system shadow)
-  #:use-module (gnu packages rsync)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages rsync)
   #:use-module (guix records)
   #:use-module (guix gexp)
   #:use-module (guix diagnostics)
   #:use-module (guix i18n)
+  #:use-module (guix least-authority)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 match)
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config)
             #t))
         (const #f)))
 
-  (let* ((rsync       (rsync-configuration-package config))
-         (pid-file    (rsync-configuration-pid-file config))
-         (port-number (rsync-configuration-port-number config))
-         (user        (rsync-configuration-user config))
-         (group       (rsync-configuration-group config))
-         (config-file (rsync-config-file config))
-         (rsync-command #~(list (string-append #$rsync "/bin/rsync")
-                                "--config" #$config-file "--daemon")))
-    (list (shepherd-service
-           (provision '(rsync))
-           (documentation "Run rsync daemon.")
-           (actions (list (shepherd-configuration-action config-file)))
-           (start #~(if #$inetd-style?
-                        (make-inetd-constructor
-                         #$rsync-command
-                         (cons (endpoint
-                                (make-socket-address AF_INET INADDR_ANY
-                                                     #$port-number))
-                               (if #$ipv6-support?
-                                   (list
-                                    (endpoint
-                                     (make-socket-address AF_INET6 IN6ADDR_ANY
-                                                          #$port-number)))
-                                   '()))
-                         #:user #$user
-                         #:group #$group)
-                        (make-forkexec-constructor #$rsync-command
-                                                   #:pid-file #$pid-file
-                                                   #:user #$user
-                                                   #:group #$group)))
-           (stop #~(make-kill-destructor))))))
+  (define (module->file-system-mapping module)
+    "Return the <file-system-mapping> record corresponding to MODULE, an
+<rsync-module> object."
+    (match-record module <rsync-module>
+      (file-name read-only?)
+      (file-system-mapping
+       (source file-name)
+       (target source)
+       (writable? (not read-only?)))))
+
+  (match-record config <rsync-configuration>
+    (package log-file modules pid-file port-number user group)
+    ;; Run the rsync daemon in its own 'mnt' namespace, to guard against
+    ;; change to mount points it may be serving.
+    (let* ((config-file (rsync-config-file config))
+           (rsync-command #~(list #$(least-authority-wrapper
+                                     (file-append rsync "/bin/rsync")
+                                     #:name "rsync"
+                                     #:namespaces (fold delq %namespaces
+                                                        '(net user))
+                                     #:mappings
+                                     (append (list (file-system-mapping
+                                                    (source "/var/run/rsyncd")
+                                                    (target source)
+                                                    (writable? #t))
+                                                   (file-system-mapping
+                                                    (source (dirname log-file))
+                                                    (target source)
+                                                    (writable? #t))
+                                                   (file-system-mapping
+                                                    (source config-file)
+                                                    (target source)))
+                                             (map module->file-system-mapping
+                                                  modules)))
+                                  "--config" #$config-file "--daemon")))
+      (list (shepherd-service
+             (provision '(rsync))
+             (documentation "Run rsync daemon.")
+             (actions (list (shepherd-configuration-action config-file)))
+             (start #~(if #$inetd-style?
+                          (make-inetd-constructor
+                           #$rsync-command
+                           (cons (endpoint
+                                  (make-socket-address AF_INET INADDR_ANY
+                                                       #$port-number))
+                                 (if #$ipv6-support?
+                                     (list
+                                      (endpoint
+                                       (make-socket-address AF_INET6 IN6ADDR_ANY
+                                                            #$port-number)))
+                                     '()))
+                           #:user #$user
+                           #:group #$group)
+                          (make-forkexec-constructor #$rsync-command
+                                                     #:pid-file #$pid-file
+                                                     #:user #$user
+                                                     #:group #$group)))
+             (stop #~(if #$inetd-style?
+                         (make-inetd-destructor)
+                         (make-kill-destructor))))))))
 
 (define rsync-service-type
   (service-type
-- 
2.39.2





From debbugs-submit-bounces@debbugs.gnu.org Wed May 17 22:01:48 2023
Received: (at control) by debbugs.gnu.org; 18 May 2023 02:01:48 +0000
Received: from localhost ([127.0.0.1]:51552 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pzSxg-0000Jh-HF
	for submit@debbugs.gnu.org; Wed, 17 May 2023 22:01:48 -0400
Received: from mail-qv1-f49.google.com ([209.85.219.49]:50277)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pzSxf-0000JV-1n
 for control@debbugs.gnu.org; Wed, 17 May 2023 22:01:47 -0400
Received: by mail-qv1-f49.google.com with SMTP id
 6a1803df08f44-61b58779b93so13763976d6.0
 for <control@debbugs.gnu.org>; Wed, 17 May 2023 19:01:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1684375301; x=1686967301;
 h=subject:from:to:message-id:date:from:to:cc:subject:date:message-id
 :reply-to; bh=+PlhS/LZ4DJhfHTDhiQHLITfD0oPtj83SKBsxdKIlnU=;
 b=a7+4QcnI6lLQZiPwl0BCRWB/k6jDz3OkyvRZdaZfQuxP2UcMvbRuDnr2XKxIdKmnQb
 nNcMyMfvxrDA2yUyDHW3ZBLBLjEhMXkG8MEV8b3mDvZBBwJ+lYyRBpoW9rf5URw00d87
 BLLIoCSrDVFxOMPenz++S1uWsETxtARtEwqchoBgjWT6d5biJ/KQGHK+8RyVOa5OMELF
 3ISXonsVg3VWlgpZA+9Gbnd/o05Xh342hPOP3rK0bp8f4r2EOWKcHoUUwcS1VV/tXGCa
 ksuxE1WgImMgEjt80RVOP3oYNVq2G47G/NJ1IfUPxZxYUS4rKWjsJfVNBvQ/u0QKKMH5
 vLew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1684375301; x=1686967301;
 h=subject:from:to:message-id:date:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=+PlhS/LZ4DJhfHTDhiQHLITfD0oPtj83SKBsxdKIlnU=;
 b=if4chK6tCyqH/Fw/db0qdfbR7d860dAHia0UmP7PTsSeMQox8N3thPp86P/xVyktYp
 h4vUB8UqhFdgvD4jNOInuZvqtv5a+WllBUL1oL7Y1bmay6Nr2F+7FU69cE03A+Wu/Dhu
 o3uACyJUfcfZaxLietkotQxqu6nDHvNAGyu3H2H6wjPwcTc6YPzsS1S+1TCe/dFUqf+L
 I/AqcGUCkHmM6z0VUQDdzkL5J6bVUzELmGW6Mbxovm8hHLdFkSv1kGWfjCYIKGE40I9v
 csY3PLhDgrOFAFH6FKIRrFPZ3Nsd8vrBhr7hlssbAvCldR/aYGr0r3CQxYA0f9tJqR2A
 ZHfA==
X-Gm-Message-State: AC+VfDwBJe9p0tL4GEteSRbFyiArG17FihhSyPOU9h+DIapVsnI9ArY9
 qpAZ6psoUl0//NdkR4c0bzGzhBM6rm1ysA==
X-Google-Smtp-Source: ACHHUZ6R/DW8oMkpGUJf/qjSCcmimbE2+lKS7HzklTwfaxoyd10wEjWjYo5Z8CVVZMXZzt7gAQAqDg==
X-Received: by 2002:ad4:4ee7:0:b0:621:363c:ea99 with SMTP id
 dv7-20020ad44ee7000000b00621363cea99mr3366054qvb.30.1684375300865; 
 Wed, 17 May 2023 19:01:40 -0700 (PDT)
Received: from hurd (dsl-150-33.b2b2c.ca. [66.158.150.33])
 by smtp.gmail.com with ESMTPSA id
 cx3-20020a056214188300b006238f82cde4sm173104qvb.108.2023.05.17.19.01.33
 for <control@debbugs.gnu.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 17 May 2023 19:01:40 -0700 (PDT)
Date: Wed, 17 May 2023 22:01:33 -0400
Message-Id: <87y1lmmm82.fsf@gmail.com>
To: control@debbugs.gnu.org
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: control message for bug #63562
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: control
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

forcemerge 63562 63561
quit





From debbugs-submit-bounces@debbugs.gnu.org Thu May 18 12:58:58 2023
Received: (at 63562) by debbugs.gnu.org; 18 May 2023 16:58:58 +0000
Received: from localhost ([127.0.0.1]:54288 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pzgxt-0000GL-QA
	for submit@debbugs.gnu.org; Thu, 18 May 2023 12:58:57 -0400
Received: from eggs.gnu.org ([209.51.188.92]:38396)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>)
 id 1pzgxp-0000G1-Rf; Thu, 18 May 2023 12:58:56 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1pzgxk-0005kW-CA; Thu, 18 May 2023 12:58:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To:
 From; bh=Fpx3+nLl0yAOOtBxRIeX2GatqWheXq/dq1AZvoz1MdM=; b=JQ1lN24fVGgeRb+80wGV
 oB86fYU46Q4Si9o+6enVNi0wvZg8JkPsK9uThFg0zGgqRixY4TMACqqDasXa8AglI1UGGBS6lQlns
 3geQXnMZ5M8SG3Le0uJONOCfWIhLrogb6cTa8sLKkg+0mn3ZYy9lKfcTmCRJvy+Tj6NGM1GTdZn8s
 nxJpDkPHu7ESBIQkP0xASdpHdnO49uR9EmlCyIdO5CiI57wqVnbk0FEZj4BUbXHk6i3Z1kIXYM51q
 z74RC5Dv4IGqdxRLsF8XsfFCPSb2QcfUSUT2rBbi7ysUXzyYyXVR5jc23W+KU+XYiQDMyRaF//15l
 j+x1GAn4qlA6Lw==;
Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201] helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1pzgxj-0000oP-MF; Thu, 18 May 2023 12:58:47 -0400
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority
 wrapper.
References: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
Date: Thu, 18 May 2023 18:58:45 +0200
In-Reply-To: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
 (Maxim Cournoyer's message of "Wed, 17 May 2023 21:56:17 -0400")
Message-ID: <87jzx54lve.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63562
Cc: 63562@debbugs.gnu.org, 63561@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> +                        (make-inetd-constructor
> +                         #$rsync-command
> +                         (cons (endpoint
> +                                (make-socket-address AF_INET INADDR_ANY
> +                                                     #$port-number))
> +                               (if #$ipv6-support?
> +                                   (list
> +                                    (endpoint
> +                                     (make-socket-address AF_INET6 IN6AD=
DR_ANY
> +                                                          #$port-number)=
))
> +                                   '()))
> +                         #:user #$user
> +                         #:group #$group)
> +                        (make-forkexec-constructor #$rsync-command

I found it fishy that the same command could be used both in inetd mode
and in =E2=80=9Cregular=E2=80=9D daemon mode.  Turns out that rsync does so=
mething=E2=80=A6
surprising, as noted in rsync(1):

   If standard input is a socket then rsync will assume that it is being
   run via inetd, otherwise it will detach from the current terminal and
   become a background daemon.

So I guess this is fine, and a welcome change!

Ludo=E2=80=99.




From debbugs-submit-bounces@debbugs.gnu.org Thu May 18 13:00:57 2023
Received: (at 63562) by debbugs.gnu.org; 18 May 2023 17:00:57 +0000
Received: from localhost ([127.0.0.1]:54301 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pzgzo-0000Ls-Vb
	for submit@debbugs.gnu.org; Thu, 18 May 2023 13:00:57 -0400
Received: from eggs.gnu.org ([209.51.188.92]:45702)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1pzgzn-0000Ld-2i
 for 63562@debbugs.gnu.org; Thu, 18 May 2023 13:00:55 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1pzgzh-0006Mo-SL; Thu, 18 May 2023 13:00:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:In-Reply-To:Date:References:Subject:To:
 From; bh=vS00lTeAucRJ+hgphlZ62CUsZPm8XZqbW+UKnzYpVYA=; b=bDnmU/4DdwSDgmFgZq+Z
 SiJEiQy4PZq2DUdRl0owiXGXV5SzBGiqrdp/Z12soeia9YzkVkuI1/ihEXN/KkjaX+EDUwjkc7nvl
 nBvbT4h1FRh0Zx1eOL9JcxMqp6duqy0BXQQQ39Wz2bcsvpEDM9OsmHWexA54a3fFUgPim5sOpHgQO
 itdOd6uSxfqsGVT9ERSV1CJAfYfNSSKc3Mwtgn4usqYRArj7YdrbrSYJUQMB5G5apgB6bIziv4Nlm
 kNvPz2gkXcqOjt3qOZZ/eumTIbEzCw8yK2FcCQogm2OqIMMNidIdwbfLrUAHFT60JmTge7OkbAyyI
 eXmTmZLiTuNM4A==;
Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201] helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>)
 id 1pzgzg-0005fK-1g; Thu, 18 May 2023 13:00:49 -0400
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority
 wrapper.
References: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
 <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
Date: Thu, 18 May 2023 19:00:46 +0200
In-Reply-To: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
 (Maxim Cournoyer's message of "Wed, 17 May 2023 21:56:18 -0400")
Message-ID: <87fs7t4ls1.fsf_-_@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63562
Cc: 63562@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
> least-authority-wrapper.

Nice, LGTM!

Since berlin relies on it for backups, we=E2=80=99ll have to double-check t=
hat
it all goes well, in case we overlooked something.

Ludo=E2=80=99.




From debbugs-submit-bounces@debbugs.gnu.org Thu May 18 23:20:37 2023
Received: (at 63562-done) by debbugs.gnu.org; 19 May 2023 03:20:37 +0000
Received: from localhost ([127.0.0.1]:55003 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1pzqfU-0000jY-Qh
	for submit@debbugs.gnu.org; Thu, 18 May 2023 23:20:37 -0400
Received: from mail-qv1-f52.google.com ([209.85.219.52]:50567)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@gmail.com>) id 1pzqfR-0000jJ-AA
 for 63562-done@debbugs.gnu.org; Thu, 18 May 2023 23:20:35 -0400
Received: by mail-qv1-f52.google.com with SMTP id
 6a1803df08f44-6235aac00edso25184696d6.1
 for <63562-done@debbugs.gnu.org>; Thu, 18 May 2023 20:20:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1684466427; x=1687058427;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:from:to:cc:subject
 :date:message-id:reply-to;
 bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=;
 b=GEbHG69ZBQhMCl8aw12dZh8tF9fwTvIDs4lkdMUOgfbCvwTXKsXeTDAl2Siwi0ioM1
 vMT/zkYE+McHH1NWjF1xHff22tJUHelYMXVqt99BnFyQmIvQIzJdUL2rypQUr+/LG0bv
 csE1OrhbF+B85ah9hVLBiB/uK/6oWTTsu85ma38Fsqf1JiyGykllXZxEOLUoc9ogpBAc
 0fECrsUxV/Rob8enu/GPUXXo5WGW1zOVm48B400q9N18/u2CETDaFmZTb+gcv01NpfOr
 VlJjITYWgg4cuAbevPVSC3I/i0l7NP3fnVMkvIy6QJxBiopR+/YUWaavuYxUhDh6+PAE
 +SXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1684466427; x=1687058427;
 h=content-transfer-encoding:mime-version:user-agent:message-id
 :in-reply-to:date:references:subject:cc:to:from:x-gm-message-state
 :from:to:cc:subject:date:message-id:reply-to;
 bh=b94B5bOvYgkIz8ImHc9u2wb7XAwNR457qMtSLDELR+o=;
 b=kZntWKPLb9eTpKopw4JsTV7huoacwj63Gmrc/X9zVjhZn65k+SgOl4TvGr25J6rnZf
 gozpfzkR0PsecMmU0CZDC+ehaU//IuDDQmwSBcxBCjx6EvgZAZlW6SDXNAbvdUeYvB7b
 5p7IPrODXSSSfBdlrKUhFjRaQLXhy3lAMroqvdOiM4x5Twqqmd7tmfofTn6q50rB2RZM
 CX1a9GekTihcL2q6QsVr7UcyP/MvkuB32vGNlMwQc2K7J4U+MIXKhLfkqonc7yfBemaF
 Op4KfwdCWKO16qdD8SiaQmS3U/H111ltHCCiN9CreIOcIJT/JSL2UOLpe7KCzm6PmNgN
 i33g==
X-Gm-Message-State: AC+VfDzE1APsHINwu8p5tZjsqiVXho/iUCtQ1yicxPk9Nwl1FMdYEnyH
 6Sme1fu2o9q5r5b9uWIybsb6xhy5Etc7WA==
X-Google-Smtp-Source: ACHHUZ47le1L4bhqFg7UWzvWOL0xH5RAQFX4FALwRLSpTssVF38nlzFxKveJMa12xN6WbEu3+vTfkg==
X-Received: by 2002:a05:6214:2aa5:b0:621:363c:ea99 with SMTP id
 js5-20020a0562142aa500b00621363cea99mr1834705qvb.30.1684466427423; 
 Thu, 18 May 2023 20:20:27 -0700 (PDT)
Received: from hurd (dsl-150-33.b2b2c.ca. [66.158.150.33])
 by smtp.gmail.com with ESMTPSA id
 x18-20020a05620a01f200b0074df3f7e14esm837210qkn.67.2023.05.18.20.20.26
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 May 2023 20:20:26 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Subject: Re: bug#63562: [PATCH 2/2] services: rsync: Use least authority
 wrapper.
References: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
 <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
 <87fs7t4ls1.fsf_-_@gnu.org>
Date: Thu, 18 May 2023 23:20:25 -0400
In-Reply-To: <87fs7t4ls1.fsf_-_@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s?=
 =?utf-8?Q?=22's?= message of "Thu, 18 May 2023 19:00:46 +0200")
Message-ID: <87ttw9knwm.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63562-done
Cc: 63562-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Ludo,

Ludovic Court=C3=A8s <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> * gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
>> least-authority-wrapper.
>
> Nice, LGTM!
>
> Since berlin relies on it for backups, we=E2=80=99ll have to double-check=
 that
> it all goes well, in case we overlooked something.

Thanks for the review!  I've installed the change.

--=20
Thanks,
Maxim




From unknown Fri Aug 15 12:49:29 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request <help-debbugs@gnu.org>
Subject: Internal Control
Message-Id: bug archived.
Date: Fri, 16 Jun 2023 11:24:11 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator