From: Ludovic Courtès
To: guix-patches@gnu.org
Cc: Ludovic Courtès
Subject: [PATCH] services: cuirass: Run ‘remote-worker’ under its own user/group.
Date: Mon, 14 Oct 2024 23:16:02 +0200

The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass
commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).

* gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New
variable.
(cuirass-remote-worker-shepherd-service): Pass ‘--user’.
(cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE
extension.

Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
---
 gnu/services/cuirass.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Hello!  This is fixing longstanding flakiness...

Ludo'.

diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index f68b4dc5a2..187766bc99 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm 
@@ -384,6 +384,19 @@ (define-record-type* (private-key cuirass-remote-worker-configuration-private-key ;string (default #f))) +(define %cuirass-remote-worker-accounts + ;; User account and group for the 'cuirass remote-worker' process. + (list (user-group + (name "cuirass-worker") + (system? #t)) + (user-account + (name "cuirass-worker") + (group name) + (system? #t) + (comment "Cuirass worker privilege separation user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + (define (cuirass-remote-worker-shepherd-service config) "Return a for the Cuirass remote worker service with CONFIG." @@ -397,6 +410,7 @@ (define (cuirass-remote-worker-shepherd-service config) (start #~(make-forkexec-constructor (list (string-append #$cuirass "/bin/cuirass") "remote-worker" + "--user=cuirass-worker" ;drop privileges early on (string-append "--workers=" #$(number->string workers)) #$@(if server 
@@ -444,6 +458,8 @@ (define cuirass-remote-worker-service-type (extensions (list (service-extension shepherd-root-service-type cuirass-remote-worker-shepherd-service) + (service-extension account-service-type + (const %cuirass-remote-worker-accounts)) (service-extension rottlog-service-type cuirass-remote-worker-log-rotations))) (description base-commit: 6757bfdfc0b22a1e23a3d33566155550182244fc -- 2.46.0
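
Review bot: in the first hunk (@@ -384,6 +384,19 @@), the user-account form sets (group name), which only works because name is in scope there as the account's own name field, so the link to the user-group defined just above it is implicit. Writing (group "cuirass-worker"), or binding the name once and using it in both forms, would make it obvious at a glance that the account lands in the dedicated group and not in some other group that happens to share a name.
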
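
Review bot: the literal "--user=cuirass-worker" added in the second hunk (@@ -397,6 +410,7 @@) repeats the account name from %cuirass-remote-worker-accounts as an independent string, so a later rename of one without the other would ask the worker to switch to an account this service no longer creates. Consider building the argument from a single shared definition of the name. Since the process now gives up root at startup, it is also worth confirming that the file named by the private-key field (visible in the first hunk's context) and the worker's log and state locations remain accessible to cuirass-worker.
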
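
Review bot: the account-service-type extension added in the third hunk (@@ -444,6 +458,8 @@) introduces a new system user and group on every machine running the remote worker, but the diffstat lists only gnu/services/cuirass.scm, so nothing user-facing mentions it. A sentence in the service's description or in the manual saying that the worker now runs as cuirass-worker would help administrators who audit accounts or need to adjust file ownership after upgrading.
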
From: Ludovic Courtès
To: 73810-done@debbugs.gnu.org
Subject: Re: [bug#73810] [PATCH] services: cuirass: Run ‘remote-worker’ under its own user/group.
Date: Sun, 03 Nov 2024 23:16:29 +0100
Message-ID: <87zfmgj742.fsf@gnu.org>

Ludovic Courtès wrote:

> The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass
> commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).
>
> * gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New
> variable.
> (cuirass-remote-worker-shepherd-service): Pass ‘--user’.
> (cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE
> extension.
>
> Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5

Pushed as e7a445571d0e45be96894bc6b298b67ceb2f3989.