GNU bug report logs - #73925
[PATCH] add access control to daemon socket in shepherd service


Package: guix-patches;

Reported by: Reepca Russelstein <reepca <at> russelstein.xyz>

Date: Mon, 21 Oct 2024 04:41:04 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#73925: closed ([PATCH] add access control to daemon socket in
 shepherd service)
Date: Sun, 03 Nov 2024 22:07:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sun, 03 Nov 2024 23:05:46 +0100
with message-id <87h68okm6d.fsf <at> gnu.org>
and subject line Re: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
has caused the debbugs.gnu.org bug report #73925,
regarding [PATCH] add access control to daemon socket in shepherd service
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
73925: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73925
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH] add access control to daemon socket in shepherd service
Date: Sun, 20 Oct 2024 18:31:31 -0500
[Message part 3 (text/plain, inline)]
Passing "--disable-chroot" to guix-daemon makes it possible for the
build users to be taken over by anybody who can start a build: they need
only cause a builder to put a setuid binary in /tmp.  That being said,
there are some situations where it currently can't be avoided, like on
Hurd.  It would also probably be good to have the ability to harden a
guix daemon in general by restricting access to it.  For example,
there's no reason that the ntpd user needs access to the guix daemon
(note that this is distinct from access to the *store*, which is of
course always world-readable).

The attached patch implements that restriction for users of
guix-service-type by limiting access to /var/guix/daemon-socket in
accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
                     (guix-configuration
                      (inherit config)
                      (socket-directory-perms #o750)
                      (socket-directory-group "users"))))
------------------------------------

- reepca
[0001-services-guix-configuration-add-access-control-to-da.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
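
The effect of the directory mode and group described in the message above, as an added example that is not part of the original message or the patch. It applies the classic POSIX search-permission check (no ACLs) to the directory only, not to the socket file inside it. The uids, gids, account tuples and the 0o755 comparison mode are constructed for illustration.

```python
import os
import stat

SOCKET_DIR = "/var/guix/daemon-socket"  # path named in the patch description


def can_traverse(mode, dir_uid, dir_gid, uid, gids):
    """Return True if a process with (uid, gids) has search permission on a
    directory with the given mode and ownership. Without search permission
    on the directory, the socket inside it cannot be opened at all."""
    if uid == 0:
        return True                        # root bypasses the search check
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)   # owner class only, even if group allows
    if dir_gid in gids:
        return bool(mode & stat.S_IXGRP)   # group class only
    return bool(mode & stat.S_IXOTH)       # everyone else


def audit(path=SOCKET_DIR, accounts=()):
    """Stat the real directory and report which accounts, given as
    (name, uid, gids) tuples, can reach the socket inside it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {name: can_traverse(mode, st.st_uid, st.st_gid, uid, gids)
            for name, uid, gids in accounts}


if __name__ == "__main__":
    # Constructed sample accounts: "alice" is in the "users" group, "ntpd" is not.
    USERS_GID = 998
    accounts = [("alice", 1000, {USERS_GID}), ("ntpd", 990, {990})]
    # Compare a world-searchable directory with the #o750 setting from the example.
    for mode in (0o755, 0o750):
        result = {name: can_traverse(mode, 0, USERS_GID, uid, gids)
                  for name, uid, gids in accounts}
        print(oct(mode), result)
```

On a running system, `audit()` can be called with the real uid and group ids of each service account to confirm that only the intended accounts can reach the daemon socket.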
[Message part 6 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: 73925-done <at> debbugs.gnu.org
Subject: Re: [bug#73925] [PATCH] add access control to daemon socket in
 shepherd service
Date: Sun, 03 Nov 2024 23:05:46 +0100
Reepca Russelstein <reepca <at> russelstein.xyz> writes:

> From b8ea0288a35c27912580bd7fe861dd6e497f4c33 Mon Sep 17 00:00:00 2001
> Message-ID: <b8ea0288a35c27912580bd7fe861dd6e497f4c33.1729840060.git.reepca <at> russelstein.xyz>
> From: Reepca Russelstein <reepca <at> russelstein.xyz>
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
>  socket.
>
> * gnu/services/base.scm
>   (guix-configuration-socket-directory-{permissions,group,user}): new fields.
>   (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a

Applied, thanks!


This bug report was last modified 256 days ago.
