GNU bug report logs - #77383
[PATCH 0/2] Run speakersafetyd as unprivileged user

Package: guix-patches;

Reported by: Roman Scherer <roman <at> burningswell.com>

Date: Sun, 30 Mar 2025 12:25:01 UTC

Severity: normal

Tags: patch

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.

Message #50 received at 77383 <at> debbugs.gnu.org (full text, mbox):

From: Roman Scherer <roman <at> burningswell.com>
To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Cc: 77383 <at> debbugs.gnu.org, Roman Scherer <roman <at> burningswell.com>,
 Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as
 unprivileged user.
Date: Wed, 09 Apr 2025 19:31:06 +0200
References: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman <at> burningswell.com>
	<2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman <at> burningswell.com>
	<87h62zz9hs.fsf <at> gmail.com>
User-Agent: mu4e 1.12.9; emacs 29.4
Hi Maxim,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hi,
>
> Roman Scherer <roman <at> burningswell.com> writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>> * doc/guix.texi: Document user and group fields.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>
> [...]
>
>> +(define speakersafetyd-accounts
>> +  (match-record-lambda <speakersafetyd-configuration>
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>
> You don't need to list all the fields when using match-record, and I
> assume match-record-lambda as well.  Here only `group' and `user'
> appear useful.
>
>> +    (list (user-group
>> +           (name group)
>> +           (system? #t))
>> +          (user-account
>> +           (name user)
>> +           (group group)
>> +           (system? #t)
>> +           (home-directory "/var/empty")
>> +           (shell (file-append shadow "/sbin/nologin"))
>> +           (supplementary-groups '("audio"))))))
>> +
>> +(define speakersafetyd-activation
>> +  (match-record-lambda <speakersafetyd-configuration>
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>
> Likewise.
>
>> +    (with-imported-modules (source-module-closure '((gnu build activation)))
>> +      #~(begin
>> +          (use-modules (gnu build activation))
>> +          (let ((user (getpwnam #$user)))
>> +            (mkdir-p/perms "/run/speakersafetyd" user #o755)
>> +            (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
>> +            ;; Blackbox files contain audio recordings and might be sensitive
>> +            ;; information
>> +            (mkdir-p/perms #$blackbox-directory user #o700))))))
>>
>>  (define speakersafetyd-shepherd-service
>>    (match-record-lambda <speakersafetyd-configuration>
>> -      (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>>      (shepherd-service
>>       (documentation "Run the speaker safety daemon")
>>       (provision '(speakersafetyd))
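Review bot: in the activation gexp, `/run/speakersafetyd` and `/var/lib/speakersafetyd` are created 0755 while the blackbox directory gets 0700, but only the latter choice is explained; a one-line comment saying why the first two are meant to be world-readable would make the permission model reviewable, and the existing comment (`;; information`) is missing its terminating period. Since `mkdir-p/perms` is handed the passwd entry from `(getpwnam #$user)`, the activation also assumes the account declared in `speakersafetyd-accounts` already exists when it runs, which is worth stating in a comment next to the `let`.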
>> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
>>                 (list #$(file-append speakersafetyd "/bin/speakersafetyd")
>>                       "--config-path" #$configuration-directory
>>                       "--blackbox-path" #$blackbox-directory
>> -                     "--max-reduction" (number->string #$maximum-gain-reduction))))
>> +                     "--max-reduction" (number->string #$maximum-gain-reduction))
>> +               #:group #$group
>> +               #:supplementary-groups '("audio")
>> +               #:user #$user))
>>       (stop #~(make-kill-destructor)))))
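Review bot: `'("audio")` is now hard-coded twice, in the account's `supplementary-groups` earlier in the patch and in `#:supplementary-groups` here; defining it once (say a `%speakersafetyd-supplementary-groups` variable) keeps the account and the running process from drifting apart if another group is ever needed. Otherwise, passing `#:user` and `#:group` to the start constructor is the right place to drop privileges, and it matches the nologin system account created above.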
>
> Note for a future improvement: we also have a least-authority-wrapper
> defined in (guix least-authority) that can wrap a binary to have it run
> in a Linux container, to further sandbox the process.

Interesting. Didn't know that module. I will take a look.
