From: Reepca Russelstein
To: guix-patches@gnu.org
Subject: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
Date: Sun, 20 Oct 2024 18:31:31 -0500
Message-ID: <87a5eyjqr0.fsf@russelstein.xyz>

Passing "--disable-chroot" to guix-daemon makes it possible for the build users to be taken over by anybody who can start a build: they need only cause a builder to put a setuid binary in /tmp. That being said, there are some situations where it currently can't be avoided, like on Hurd.

It would also probably be good to have the ability to harden a guix daemon in general by restricting access to it. For example, there's no reason that the ntpd user needs access to the guix daemon (note that this is distinct from access to the *store*, which is of course always world-readable).

The attached patch implements that restriction for users of guix-service-type by limiting access to /var/guix/daemon-socket in accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
    (guix-configuration
      (inherit config)
      (socket-directory-perms #o750)
      (socket-directory-group "users"))))
------------------------------------

- reepca

Attachment: 0001-services-guix-configuration-add-access-control-to-da.patch

From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
From: Reepca Russelstein
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: [PATCH] services: guix-configuration: add access control to daemon socket.

* gnu/services/base.scm
(guix-configuration-socket-directory-{perms,group,user}): new fields.
(guix-shepherd-service): use them.
* doc/guix.texi: document them.

Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc
---
 doc/guix.texi         | 15 +++++++++++++++
 gnu/services/base.scm | 43 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 51 insertions(+), 7 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi index cb758f9005..0e387f0a17 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -19775,6 +19775,21 @@ Base Services Environment variables to be set before starting the daemon, as a list of @code{key=3Dvalue} strings. =20 +@item @code{socket-directory-perms} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the guix +daemon via its unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-group} (default: @code{#f}) +Group to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its group as root. + +@item @code{socket-directory-user} (default: @code{#f}) +User to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its user as root. + @end table @end deftp =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fd2cc9d17a..daedc77468 100644 =2D-- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1880,7 +1880,13 @@ (define-record-type* (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings =2D (default '()))) + (default '())) + (socket-directory-perms guix-configuration-socket-directory-perms + (default #o755)) + (socket-directory-group guix-configuration-socket-directory-group + (default #f)) + (socket-directory-user guix-configuration-socket-directory-user + (default #f))) =20 (define %default-guix-configuration (guix-configuration)) 
@@ -1941,10 +1947,12 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) =20 (match-record config =2D (guix build-group build-accounts authorize-key? authorized-keys =2D use-substitutes? substitute-urls max-silent-time timeout =2D log-compression discover? extra-options log-file =2D http-proxy tmpdir chroot-directories environment) + (guix build-group build-accounts authorize-key? authorized= -keys + use-substitutes? substitute-urls max-silent-time tim= eout + log-compression discover? extra-options log-file + http-proxy tmpdir chroot-directories environment + socket-directory-perms socket-directory-group + socket-directory-user) (list (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) @@ -1954,11 +1962,13 @@ (define (guix-shepherd-service config) shepherd-discover-action)) (modules '((srfi srfi-1) (ice-9 match) =2D (gnu build shepherd))) + (gnu build shepherd) + (guix build utils))) (start (with-imported-modules `(((guix config) =3D> ,(make-config.scm= )) ,@(source-module-closure =2D '((gnu build shepherd)) + '((gnu build shepherd) + (guix build utils)) #:select? not-config?)) #~(lambda args (define proxy 
@@ -1969,7 +1979,26 @@ (define (guix-shepherd-service config) (define discover? (or (getenv "discover") #$discover?)) =20 + (mkdir-p "/var/guix") + ;; Ensure that a fresh directory is used, in case the old + ;; one was more permissive and processes have a file + ;; descriptor referencing it hanging around, ready to use + ;; with openat. + (false-if-exception + (delete-file-recursively "/var/guix/daemon-socket")) + (let ((perms #$(logand socket-directory-perms + (lognot #o022)))) + (mkdir "/var/guix/daemon-socket" perms) + ;; Override umask + (chmod "/var/guix/daemon-socket" perms)) + + (let* ((user #$socket-directory-user) + (uid (if user (passwd:uid (getpwnam user)) -1)) + (group #$socket-directory-group) + (gid (if group (group:gid (getgrnam group)) -1))) + (chown "/var/guix/daemon-socket" uid gid)) + ;; Start the guix-daemon from a container, when supporte= d, ;; to solve an installation issue. See the comment below= for ;; more details. =2D-=20 2.45.2
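Review bot: The doc/guix.texi hunk for `socket-directory-perms` does not mention that the start code clears the group and other write bits with `(logand socket-directory-perms (lognot #o022))`, so a user who writes `#o775` silently ends up with `#o755`; add a sentence to that @item such as "Write permission for group and others is always removed from this value."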
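Review bot: In the start hunk, `(false-if-exception (delete-file-recursively "/var/guix/daemon-socket"))` hides every failure rather than only the directory being absent, so when a stale directory cannot be removed the following `mkdir` fails with EEXIST and the real cause is lost; catch `system-error`, ignore only ENOENT and let anything else propagate. In the same hunk, `(getpwnam user)` and `(getgrnam group)` raise at service start when the configured name does not exist, which is only noticed after reconfiguring; wrapping the lookups with an error that names the `socket-directory-user` or `socket-directory-group` field would make that failure easier to diagnose.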
From: Ludovic Courtès
To: Reepca Russelstein
Cc: 73925@debbugs.gnu.org
Subject: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
Date: Thu, 24 Oct 2024 14:43:48 +0200
Message-ID: <871q05658b.fsf@gnu.org>
In-Reply-To: <87a5eyjqr0.fsf@russelstein.xyz>

Hi,

Reepca Russelstein skribis:

> From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
> From: Reepca Russelstein
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
> socket.
>
> * gnu/services/base.scm
> (guix-configuration-socket-directory-{perms,group,user}): new fields.
> (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc

That’s a welcome addition.

> +@item @code{socket-directory-perms} (default: @code{#o755})

s/perms/permissions/

> +Permissions to set for the directory @file{/var/guix/daemon-socket}.
> +This, together with @code{socket-directory-group} and
> +@code{socket-directory-user}, determines who can connect to the guix
> +daemon via its unix socket. TCP socket operation is unaffected by
> +these.

s/guix daemon/build daemon/ and s/unix/Unix/

> +@item @code{socket-directory-group} (default: @code{#f})
> +Group to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its group as root.
> +
> +@item @code{socket-directory-user} (default: @code{#f})
> +User to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its user as root.

Maybe group them together:

@item @code{socket-directory-user} (default: @code{#f})
@itemx @code{socket-directory-group} (default: @code{#f})
User and group owning the @file{/var/guix/daemon-socket} directory.
…

> - (guix build-group build-accounts authorize-key? authorized-keys
> - use-substitutes? substitute-urls max-silent-time timeout
> - log-compression discover? extra-options log-file
> - http-proxy tmpdir chroot-directories environment)
> + (guix build-group build-accounts authorize-key? authoriz= ed-keys

Please avoid reindenting.

> + ;; Ensure that a fresh directory is used, in case the = old
> + ;; one was more permissive and processes have a file
> + ;; descriptor referencing it hanging around, ready to = use
> + ;; with openat.
> + (false-if-exception
> + (delete-file-recursively "/var/guix/daemon-socket"))
> + (let ((perms #$(logand socket-directory-perms
> + (lognot #o022))))
> + (mkdir "/var/guix/daemon-socket" perms)
> + ;; Override umask
> + (chmod "/var/guix/daemon-socket" perms))

Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in two steps?

Apart from that it LGTM. Could you send an updated patch?

Thanks,
Ludo’.
From: Reepca Russelstein
To: Ludovic Courtès
Cc: 73925@debbugs.gnu.org
Subject: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
Date: Fri, 25 Oct 2024 19:10:32 -0500
Message-ID: <87wmhvhgg7.fsf@russelstein.xyz>
In-Reply-To: <871q05658b.fsf@gnu.org>

Ludovic Courtès writes:

>> + ;; Ensure that a fresh directory is used, in case the= old
>> + ;; one was more permissive and processes have a file
>> + ;; descriptor referencing it hanging around, ready to= use
>> + ;; with openat.
>> + (false-if-exception
>> + (delete-file-recursively "/var/guix/daemon-socket"))
>> + (let ((perms #$(logand socket-directory-perms
>> + (lognot #o022))))
>> + (mkdir "/var/guix/daemon-socket" perms)
>> + ;; Override umask
>> + (chmod "/var/guix/daemon-socket" perms))
>
> Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in
> two steps?

PERMS is passed directly to mkdir; the umask may cause the permissions the directory is created with to be less permissive than those, but never more. The only reason I call chmod here is because the umask may happen to be more strict than PERMS.

mkdir-p/perms creates the directory with the permissions initially restricted only by the umask, then later chmods it in a separate step, leaving a window during which the directory is likely world-executable and world-readable. So while mkdir-p/perms would be an improvement on the "make sure no components are symlinks" front, it would be a downgrade in restricting access to the directory.

This behavior can be remedied by ensuring that the final call to 'mkdirat' passes in the specified permission bits. I've submitted a patch to do this in issue #74002.

There's also a minor annoyance in that the 'owner' argument that mkdir-p/perms wants MUST be a passwd object. This means that the uid and gid to use can't be specified independently, nor can they be specified as -1 or 0, you *have* to do (getpwnam "root") or something similar.

For now I'm going to keep this part as-is, since currently using mkdir-p/perms would neither make it more secure nor more concise. The attached patch incorporates all the other changes you've mentioned.

- reepca

Attachment: 0001-services-guix-configuration-add-access-control-to-da.patch

From b8ea0288a35c27912580bd7fe861dd6e497f4c33 Mon Sep 17 00:00:00 2001
From: Reepca Russelstein
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: [PATCH] services: guix-configuration: add access control to daemon socket.

* gnu/services/base.scm
(guix-configuration-socket-directory-{permissions,group,user}): new fields.
(guix-shepherd-service): use them.
* doc/guix.texi: document them.

Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a
---
 doc/guix.texi         | 12 ++++++++++++
 gnu/services/base.scm | 38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index cb758f9005..fb750bd449 100644
=2D-- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19775,6 +19775,18 @@ Base Services Environment variables to be set before starting the daemon, as a list of @code{key=3Dvalue} strings. =20 +@item @code{socket-directory-permissions} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the build +daemon via its Unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-user} (default: @code{#f}) +@itemx @code{socket-directory-group} (default: @code{#f}) +User and group owning the @file{/var/guix/daemon-socket} directory or +@code{#f} to keep the user or group as root. + @end table @end deftp =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fd2cc9d17a..0bd60c5eb5 100644 =2D-- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1880,7 +1880,14 @@ (define-record-type* (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings =2D (default '()))) + (default '())) + (socket-directory-permissions + guix-configuration-socket-directory-permissions + (default #o755)) + (socket-directory-group guix-configuration-socket-directory-group + (default #f)) + (socket-directory-user guix-configuration-socket-directory-user + (default #f))) =20 (define %default-guix-configuration (guix-configuration)) @@ -1944,7 +1951,9 @@ (define (guix-shepherd-service config) (guix build-group build-accounts authorize-key? authorized-keys use-substitutes? substitute-urls max-silent-time timeout log-compression discover? extra-options log-file =2D http-proxy tmpdir chroot-directories environment) + http-proxy tmpdir chroot-directories environment + socket-directory-permissions socket-directory-group + socket-directory-user) (list (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) 
@@ -1954,11 +1963,13 @@ (define (guix-shepherd-service config) shepherd-discover-action)) (modules '((srfi srfi-1) (ice-9 match) =2D (gnu build shepherd))) + (gnu build shepherd) + (guix build utils))) (start (with-imported-modules `(((guix config) =3D> ,(make-config.scm= )) ,@(source-module-closure =2D '((gnu build shepherd)) + '((gnu build shepherd) + (guix build utils)) #:select? not-config?)) #~(lambda args (define proxy 
@@ -1969,7 +1980,26 @@ (define (guix-shepherd-service config) (define discover? (or (getenv "discover") #$discover?)) =20 + (mkdir-p "/var/guix") + ;; Ensure that a fresh directory is used, in case the old + ;; one was more permissive and processes have a file + ;; descriptor referencing it hanging around, ready to use + ;; with openat. + (false-if-exception + (delete-file-recursively "/var/guix/daemon-socket")) + (let ((perms #$(logand socket-directory-permissions + (lognot #o022)))) + (mkdir "/var/guix/daemon-socket" perms) + ;; Override umask + (chmod "/var/guix/daemon-socket" perms)) + + (let* ((user #$socket-directory-user) + (uid (if user (passwd:uid (getpwnam user)) -1)) + (group #$socket-directory-group) + (gid (if group (group:gid (getgrnam group)) -1))) + (chown "/var/guix/daemon-socket" uid gid)) + ;; Start the guix-daemon from a container, when supporte= d, ;; to solve an installation issue. See the comment below= for ;; more details. =2D-=20 2.45.2
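Review bot: In the start hunk, `chown` is passed `-1` for an unset user or group, which leaves the existing owner or group untouched, while the doc/guix.texi hunk says `#f` keeps "the user or group as root"; the two agree only because the directory was created a few lines earlier by the root-running shepherd process, so either add a comment next to the `chown` saying so, or pass `0` explicitly for the unset side so the code states what the documentation promises.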
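To make the mkdir/umask/chmod argument above concrete, and to show the directory-permission gate that the original post configures, here is an added Python example (not code from the patch, from Guix or from either author) that runs the patch's create-with-mode-then-chmod sequence beside the mkdir-then-chmod alternative and reports the directory mode after each step. The throwaway path, the umask values and the `resolve_owner` helper are constructed for this demonstration.

```python
import errno
import grp
import os
import pwd
import shutil
import stat
import tempfile

# The patch always clears group/other write bits before creating the
# directory: (logand socket-directory-perms (lognot #o022)).
WRITE_MASK = 0o022


def effective_perms(requested):
    """Permission bits the directory will actually be given."""
    return requested & ~WRITE_MASK & 0o7777


def mode_of(path):
    """Permission bits of PATH as the kernel reports them."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def remove_stale_dir(path):
    """Drop any existing directory so a descriptor still referencing an
    older, laxer copy cannot be used with openat.  Only ENOENT is ignored;
    any other failure propagates instead of being swallowed."""
    try:
        shutil.rmtree(path)
    except OSError as err:
        if err.errno != errno.ENOENT:
            raise


def create_socket_dir(path, requested, umask):
    """Mirror the patch: mkdir with the target mode, then chmod to restore
    whatever the umask stripped.  Returns the mode seen after each step;
    at no point is the directory wider than the target."""
    perms = effective_perms(requested)
    old_umask = os.umask(umask)
    try:
        remove_stale_dir(path)
        os.mkdir(path, perms)        # kernel applies perms & ~umask
        after_mkdir = mode_of(path)
        os.chmod(path, perms)        # exact target; umask no longer matters
        after_chmod = mode_of(path)
    finally:
        os.umask(old_umask)
    return {"target": perms, "after_mkdir": after_mkdir,
            "after_chmod": after_chmod}


def create_then_chmod(path, requested, umask):
    """The two-step alternative discussed above: mkdir with the default
    mode and restrict it afterwards.  'window' is what every other process
    sees between the two calls."""
    perms = effective_perms(requested)
    old_umask = os.umask(umask)
    try:
        remove_stale_dir(path)
        os.mkdir(path)               # default 0o777 & ~umask
        window = mode_of(path)
        os.chmod(path, perms)
        final = mode_of(path)
    finally:
        os.umask(old_umask)
    return {"target": perms, "window": window, "final": final}


def resolve_owner(user, group):
    """uid/gid for chown, with -1 meaning 'leave unchanged', so that user
    and group can be chosen independently (hypothetical helper)."""
    uid = pwd.getpwnam(user).pw_uid if user else -1
    gid = grp.getgrnam(group).gr_gid if group else -1
    return uid, gid


def demo():
    """Run both strategies on a constructed throwaway directory."""
    base = tempfile.mkdtemp()
    path = os.path.join(base, "daemon-socket")
    try:
        # Strict umask: mkdir yields 0o700, never wider than the 0o750 target.
        safe = create_socket_dir(path, 0o750, 0o077)
        # Common umask: the directory is 0o755 until the chmod lands.
        racy = create_then_chmod(path, 0o750, 0o022)
    finally:
        shutil.rmtree(base)
    return safe, racy


if __name__ == "__main__":
    for name, result in zip(("mkdir+chmod", "mkdir then chmod"), demo()):
        print(name, {k: oct(v) for k, v in result.items()})
```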
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Reepca Russelstein
Subject: bug#73925: closed (Re: [bug#73925] [PATCH] add access control to daemon socket in shepherd service)
References: <87h68okm6d.fsf@gnu.org> <87a5eyjqr0.fsf@russelstein.xyz>
Reply-To: 73925@debbugs.gnu.org
Date: Sun, 03 Nov 2024 22:07:02 +0000

Your bug report

#73925: [PATCH] add access control to daemon socket in shepherd service

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 73925@debbugs.gnu.org.

-- 
73925: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73925
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: Ludovic Courtès
To: Reepca Russelstein
Subject: Re: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
In-Reply-To: <87wmhvhgg7.fsf@russelstein.xyz> (Reepca Russelstein's message of "Fri, 25 Oct 2024 19:10:32 -0500")
References: <87a5eyjqr0.fsf@russelstein.xyz> <871q05658b.fsf@gnu.org> <87wmhvhgg7.fsf@russelstein.xyz>
Date: Sun, 03 Nov 2024 23:05:46 +0100
Message-ID: <87h68okm6d.fsf@gnu.org>
Cc: 73925-done@debbugs.gnu.org

Reepca Russelstein writes:

> From b8ea0288a35c27912580bd7fe861dd6e497f4c33 Mon Sep 17 00:00:00 2001
> Message-ID:
> From: Reepca Russelstein
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
>  socket.
>
> * gnu/services/base.scm
> (guix-configuration-socket-directory-{permissions,group,user}): new fields.
> (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a

Applied, thanks!

From: Reepca Russelstein
To: guix-patches@gnu.org
Subject: [PATCH] add access control to daemon socket in shepherd service
Date: Sun, 20 Oct 2024 18:31:31 -0500
Message-ID: <87a5eyjqr0.fsf@russelstein.xyz>
Passing "--disable-chroot" to guix-daemon makes it possible for the build
users to be taken over by anybody who can start a build: they need only
cause a builder to put a setuid binary in /tmp.  That being said, there
are some situations where it currently can't be avoided, like on Hurd.

It would also probably be good to have the ability to harden a guix
daemon in general by restricting access to it.  For example, there's no
reason that the ntpd user needs access to the guix daemon (note that
this is distinct from access to the *store*, which is of course always
world-readable).

The attached patch implements that restriction for users of
guix-service-type by limiting access to /var/guix/daemon-socket in
accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
                     (guix-configuration
                      (inherit config)
                      (socket-directory-perms #o750)
                      (socket-directory-group "users"))))
------------------------------------

- reepca

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-services-guix-configuration-add-access-control-to-da.patch
Content-Transfer-Encoding: quoted-printable

From=20b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
Message-ID:
From: Reepca Russelstein Date: Sat, 19 Oct 2024 22:43:27 -0500 Subject: [PATCH] services: guix-configuration: add access control to daemon socket. * gnu/services/base.scm (guix-configuration-socket-directory-{perms,group,user}): new fields. (guix-shepherd-service): use them. * doc/guix.texi: document them. Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc =2D-- doc/guix.texi | 15 +++++++++++++++ gnu/services/base.scm | 43 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 51 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index cb758f9005..0e387f0a17 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -19775,6 +19775,21 @@ Base Services Environment variables to be set before starting the daemon, as a list of @code{key=3Dvalue} strings. =20 +@item @code{socket-directory-perms} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the guix +daemon via its unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-group} (default: @code{#f}) +Group to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its group as root. + +@item @code{socket-directory-user} (default: @code{#f}) +User to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its user as root. + @end table @end deftp =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fd2cc9d17a..daedc77468 100644 =2D-- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1880,7 +1880,13 @@ (define-record-type* (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings =2D (default '()))) + (default '())) + (socket-directory-perms guix-configuration-socket-directory-perms + (default #o755)) + (socket-directory-group guix-configuration-socket-directory-group + (default #f)) + (socket-directory-user guix-configuration-socket-directory-user + (default #f))) =20 (define %default-guix-configuration (guix-configuration)) @@ -1941,10 +1947,12 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) =20 (match-record config =2D (guix build-group build-accounts authorize-key? authorized-keys =2D use-substitutes? substitute-urls max-silent-time timeout =2D log-compression discover? extra-options log-file =2D http-proxy tmpdir chroot-directories environment) + (guix build-group build-accounts authorize-key? authorized= -keys + use-substitutes? substitute-urls max-silent-time tim= eout + log-compression discover? extra-options log-file + http-proxy tmpdir chroot-directories environment + socket-directory-perms socket-directory-group + socket-directory-user) (list (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) @@ -1954,11 +1962,13 @@ (define (guix-shepherd-service config) shepherd-discover-action)) (modules '((srfi srfi-1) (ice-9 match) =2D (gnu build shepherd))) + (gnu build shepherd) + (guix build utils))) (start (with-imported-modules `(((guix config) =3D> ,(make-config.scm= )) ,@(source-module-closure =2D '((gnu build shepherd)) + '((gnu build shepherd) + (guix build utils)) #:select? not-config?)) #~(lambda args (define proxy 
@@ -1969,7 +1979,26 @@ (define (guix-shepherd-service config) (define discover? (or (getenv "discover") #$discover?)) =20 + (mkdir-p "/var/guix") + ;; Ensure that a fresh directory is used, in case the old + ;; one was more permissive and processes have a file + ;; descriptor referencing it hanging around, ready to use + ;; with openat. + (false-if-exception + (delete-file-recursively "/var/guix/daemon-socket")) + (let ((perms #$(logand socket-directory-perms + (lognot #o022)))) + (mkdir "/var/guix/daemon-socket" perms) + ;; Override umask + (chmod "/var/guix/daemon-socket" perms)) + + (let* ((user #$socket-directory-user) + (uid (if user (passwd:uid (getpwnam user)) -1)) + (group #$socket-directory-group) + (gid (if group (group:gid (getgrnam group)) -1))) + (chown "/var/guix/daemon-socket" uid gid)) + ;; Start the guix-daemon from a container, when supporte= d, ;; to solve an installation issue. See the comment below= for ;; more details. =2D-=20 2.45.2
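Review bot: the @code{socket-directory-perms} entry in the doc/guix.texi hunk does not say that the service clears the group and other write bits from whatever value is configured (the start gexp applies `(logand socket-directory-perms (lognot #o022))`), so a user who writes `#o775` silently gets `#o755`. Suggest adding a sentence to that effect, and stating that what decides who can connect is search (x) permission on the directory: a mode such as `#o740` lets the group list the directory but not reach the socket inside it, even though it reads as "group readable".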
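Review bot: the new field is spelled `socket-directory-perms` in the `define-record-type*` hunk, in the doc hunk and in the `match-record` pattern, while the commit message quoted in the closing reply above names the accessor `guix-configuration-socket-directory-permissions`; whichever spelling is kept, the record field, the accessor, the manual and the ChangeLog entry should agree, since users look the accessor up by name.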
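Review bot: `false-if-exception` around `delete-file-recursively` in the last hunk hides every failure, not only the expected case of the directory not existing yet; if removal fails for another reason, the following `mkdir` then fails with an unrelated "File exists" error and the real cause is lost. Suggest guarding on existence instead, e.g. `(when (file-exists? "/var/guix/daemon-socket") (delete-file-recursively "/var/guix/daemon-socket"))`, so that genuine errors propagate. The ordering of the rest is sound: `mkdir` and `chmod` fix the restrictive mode before `chown` hands the directory to the configured group, so there is no window in which the directory is reachable by the group with the wrong permissions.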
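To make the access rule in Reepca's message concrete, here is an added model, written for this page and not code from Guix, of the check the kernel performs when a client process tries to reach a socket under /var/guix/daemon-socket: it selects the single POSIX permission class that applies to the client (owner, else group, else other), requires the search (x) bit on the directory, lets uid 0 through, and applies the same `#o022` write-bit mask the patch applies. The uids and gids (users = 100, alice = 1000, ntpd = 123) are constructed for the example.

```python
"""Constructed model of the access check behind the daemon-socket
directory permissions; added for illustration, not Guix project code."""
from dataclasses import dataclass

# The shepherd service masks the requested mode with (lognot #o022),
# i.e. it never lets group or other write to the socket directory.
WRITE_MASK = 0o022


def effective_perms(requested: int) -> int:
    """Mode the service actually applies for the configured value."""
    return requested & ~WRITE_MASK & 0o7777


@dataclass(frozen=True)
class Directory:
    mode: int          # permission bits, e.g. 0o750
    uid: int = 0       # owner: root unless socket-directory-user is set
    gid: int = 0       # group: root unless socket-directory-group is set


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset    # primary plus supplementary groups


def permission_class(d: Directory, p: Process) -> int:
    """The single rwx triple POSIX applies to P for directory D.

    Owner wins over group, group over other; the classes are not OR-ed,
    so the directory owner gains nothing from the group or other bits."""
    if p.uid == d.uid:
        return (d.mode >> 6) & 0o7
    if d.gid in p.gids:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def can_reach_socket(d: Directory, p: Process) -> bool:
    """Can P traverse D, and hence connect to a socket created inside it?

    Path lookup needs search (x) permission on every directory component;
    read permission only lets P list names.  uid 0 bypasses DAC."""
    if p.uid == 0:
        return True
    return bool(permission_class(d, p) & 0o1)


# Constructed ids for the example configuration from the message above.
USERS_GID = 100             # the "users" group named in socket-directory-group
ALICE_UID = 1000            # an interactive user who is a member of "users"
NTPD_UID = NTPD_GID = 123   # a service user that has no business with the daemon


def demo() -> dict:
    """Evaluate the message's example configuration and one common pitfall."""
    alice = Process(uid=ALICE_UID, gids=frozenset({ALICE_UID, USERS_GID}))
    ntpd = Process(uid=NTPD_UID, gids=frozenset({NTPD_GID}))
    root = Process(uid=0, gids=frozenset({0}))

    # (socket-directory-perms #o750) (socket-directory-group "users")
    restricted = Directory(mode=effective_perms(0o750), gid=USERS_GID)
    # Group "readable" but not searchable: listing works, connecting does not.
    listable_only = Directory(mode=effective_perms(0o740), gid=USERS_GID)
    # The documented default #o755: world-searchable, anyone can connect.
    default = Directory(mode=effective_perms(0o755))

    return {
        "users-member": can_reach_socket(restricted, alice),
        "ntpd": can_reach_socket(restricted, ntpd),
        "root": can_reach_socket(restricted, root),
        "group-readable-but-not-searchable": can_reach_socket(listable_only, alice),
        "default-ntpd": can_reach_socket(default, ntpd),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:36s} {'connect' if allowed else 'denied'}")
```

Running `demo()` shows the configuration from the message (`#o750`, group "users") admitting a member of users and refusing ntpd, while `#o740` refuses the group as well, because reaching the socket needs search permission on the directory, not read permission; `effective_perms` also shows why a configured `#o775` ends up as `#o755`.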