GNU bug report logs - #77383
[PATCH 0/2] Run speakersafetyd as unprivileged user

Previous Next

Package: guix-patches;

Reported by: Roman Scherer <roman <at> burningswell.com>

Date: Sun, 30 Mar 2025 12:25:01 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

Message #32 received at 77383 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Roman Scherer <roman <at> burningswell.com>
Cc: 77383 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as
 unprivileged user.
Date: Tue, 08 Apr 2025 11:13:03 +0900

Hi,

Roman Scherer <roman <at> burningswell.com> writes:

> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
> * doc/guix.texi: Document user and group fields.
>
> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2

[...]

> +(define speakersafetyd-accounts
> +  (match-record-lambda <speakersafetyd-configuration>
> +      ( blackbox-directory configuration-directory group
> +        maximum-gain-reduction speakersafetyd user)

You don't need to list all the fields when using match-record, and I
assume match-record-lambda as well.  Here only `group' and `user'
appears useful.

> +    (list (user-group
> +           (name group)
> +           (system? #t))
> +          (user-account
> +           (name user)
> +           (group group)
> +           (system? #t)
> +           (home-directory "/var/empty")
> +           (shell (file-append shadow "/sbin/nologin"))
> +           (supplementary-groups '("audio"))))))
> +
> +(define speakersafetyd-activation
> +  (match-record-lambda <speakersafetyd-configuration>
> +      ( blackbox-directory configuration-directory group
> +        maximum-gain-reduction speakersafetyd user)

Likewise.

> +    (with-imported-modules (source-module-closure '((gnu build activation)))
> +      #~(begin
> +          (use-modules (gnu build activation))
> +          (let ((user (getpwnam #$user)))
> +            (mkdir-p/perms "/run/speakersafetyd" user #o755)
> +            (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
> +            ;; Blackbox files contain audio recordings and might be sensitive
> +            ;; information
> +            (mkdir-p/perms #$blackbox-directory user #o700))))))
>  
>  (define speakersafetyd-shepherd-service
>    (match-record-lambda <speakersafetyd-configuration>
> -      (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
> +      ( blackbox-directory configuration-directory group
> +        maximum-gain-reduction speakersafetyd user)
>      (shepherd-service
>       (documentation "Run the speaker safety daemon")
>       (provision '(speakersafetyd))
> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
>                 (list #$(file-append speakersafetyd "/bin/speakersafetyd")
>                       "--config-path" #$configuration-directory
>                       "--blackbox-path" #$blackbox-directory
> -                     "--max-reduction" (number->string #$maximum-gain-reduction))))
> +                     "--max-reduction" (number->string #$maximum-gain-reduction))
> +               #:group #$group
> +               #:supplementary-groups '("audio")
> +               #:user #$user))
>       (stop #~(make-kill-destructor)))))

Not for a future improvement: we also have a least-authority-wrapper
defined in (guix least-authority) that can wrap a binary to have it run
in a Linux container, to further sandbox the process.

-- 
Thanks,
Maxim
This bug report was last modified 37 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.