GNU bug report logs - #73810
[PATCH] services: cuirass: Run ‘remote-worker’ under its own user/group.


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 14 Oct 2024 21:17:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#73810; Package guix-patches. (Mon, 14 Oct 2024 21:17:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 14 Oct 2024 21:17:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH] services: cuirass: Run ‘remote-worker’ under its own user/group.
Date: Mon, 14 Oct 2024 23:16:02 +0200
The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass
commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).

* gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New
variable.
(cuirass-remote-worker-shepherd-service): Pass ‘--user’.
(cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE
extension.

Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
---
 gnu/services/cuirass.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Hello!

This is fixing longstanding flakiness...

Ludo'.

diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm
index f68b4dc5a2..187766bc99 100644
--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@@ -384,6 +384,19 @@ (define-record-type* <cuirass-remote-worker-configuration>
   (private-key      cuirass-remote-worker-configuration-private-key ;string
                     (default #f)))
 
+(define %cuirass-remote-worker-accounts
+  ;; User account and group for the 'cuirass remote-worker' process.
+  (list (user-group
+         (name "cuirass-worker")
+         (system? #t))
+        (user-account
+         (name "cuirass-worker")
+         (group name)
+         (system? #t)
+         (comment "Cuirass worker privilege separation user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))))
+
 (define (cuirass-remote-worker-shepherd-service config)
   "Return a <shepherd-service> for the Cuirass remote worker service with
 CONFIG."
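Review bot: the new account is well hardened (`/var/empty` home, `nologin` shell, `system? #t`), but neither this hunk nor the commit message says what the worker must still be able to read once it has switched to `cuirass-worker`. The `private-key` field visible in the context just above is typed `;string` and presumably names a file on disk; if the worker opens it after the privilege drop, that file has to be owned by or readable to the new account, so the required ownership/mode belongs in the field documentation or the commit message. Minor: `(group name)` leans on field initializers being able to refer to sibling fields; `(group "cuirass-worker")` reads unambiguously and matches the `user-group` defined right above it.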
@@ -397,6 +410,7 @@ (define (cuirass-remote-worker-shepherd-service config)
            (start #~(make-forkexec-constructor
                      (list (string-append #$cuirass "/bin/cuirass")
                            "remote-worker"
+                           "--user=cuirass-worker" ;drop privileges early on
                            (string-append "--workers="
                                           #$(number->string workers))
                            #$@(if server
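Review bot: `"--user=cuirass-worker"` hard-codes the same name that `%cuirass-remote-worker-accounts` spells out twice in the previous hunk; a single `(define %cuirass-remote-worker-user "cuirass-worker")` used for the group, the account and `(string-append "--user=" %cuirass-remote-worker-user)` here keeps the three from drifting apart. Also, the commit message notes that `--user` only exists in Cuirass since the November 2023 commit, yet the `#$cuirass` spliced in above is not checked against that; if an older package can ever end up here, the worker will fail at start with an unknown-option error rather than run as root, which is the safe direction but deserves a sentence in the commit message or the service documentation.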
@@ -444,6 +458,8 @@ (define cuirass-remote-worker-service-type
    (extensions
     (list (service-extension shepherd-root-service-type
                              cuirass-remote-worker-shepherd-service)
+          (service-extension account-service-type
+                             (const %cuirass-remote-worker-accounts))
           (service-extension rottlog-service-type
                              cuirass-remote-worker-log-rotations)))
    (description

base-commit: 6757bfdfc0b22a1e23a3d33566155550182244fc
-- 
2.46.0
Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Sun, 03 Nov 2024 22:17:03 GMT) Full text and rfc822 format available.

Notification sent to Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer. (Sun, 03 Nov 2024 22:17:03 GMT) Full text and rfc822 format available.

Message #10 received at 73810-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 73810-done <at> debbugs.gnu.org
Subject: Re: [bug#73810] [PATCH] services: cuirass: Run ‘remote-worker’ under its own user/group.
Date: Sun, 03 Nov 2024 23:16:29 +0100
Ludovic Courtès <ludo <at> gnu.org> wrote:

> The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass
> commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).
>
> * gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New
> variable.
> (cuirass-remote-worker-shepherd-service): Pass ‘--user’.
> (cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE
> extension.
>
> Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5

Pushed as e7a445571d0e45be96894bc6b298b67ceb2f3989.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 02 Dec 2024 12:24:06 GMT) Full text and rfc822 format available.
