authorReepca Russelstein <reepca@russelstein.xyz>2024-10-19 22:43:27 -0500
committerLudovic Courtès <ludo@gnu.org>2024-11-03 23:05:06 +0100
commit6a8a6171a79dd6b9108cf9d25c8f9a86fd9bb8f8 (patch)
tree71d6ce0f2670f071be532a6d6fd336a554705b1c /gnu/services/base.scm
parente5d64e87d4759d62c035dad203e9975de3b621a6 (diff)
downloadguix-6a8a6171a79dd6b9108cf9d25c8f9a86fd9bb8f8.tar.gz
guix-6a8a6171a79dd6b9108cf9d25c8f9a86fd9bb8f8.zip
services: guix: Add access control to daemon socket.
* gnu/services/base.scm (guix-configuration-socket-directory-{permissions,group,user}): New fields. (guix-shepherd-service): Use them. * doc/guix.texi (Base Services): Document them. Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/services/base.scm')
-rw-r--r--gnu/services/base.scm38
1 files changed, 34 insertions, 4 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index d0a57a8807..7b053ef784 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1888,7 +1888,14 @@ archive' public keys, with GUIX."
(build-machines guix-configuration-build-machines ;list of gexps | '()
(default '()))
(environment guix-configuration-environment ;list of strings
- (default '())))
+ (default '()))
+ (socket-directory-permissions
+ guix-configuration-socket-directory-permissions
+ (default #o755))
+ (socket-directory-group guix-configuration-socket-directory-group
+ (default #f))
+ (socket-directory-user guix-configuration-socket-directory-user
+ (default #f)))
(define %default-guix-configuration
(guix-configuration))
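Review bot: The three new fields carry none of the trailing type/value comments their neighbours have (`;list of gexps | '()`, `;list of strings`), so a reader of the record cannot tell from here that `#f` for group/user means "leave ownership unchanged" or that permissions is an octal mode. Suggest `;octal mode` after `socket-directory-permissions` and `;string | #f` after `socket-directory-group` and `socket-directory-user`, matching the existing column style. The record definition starts before this hunk.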
@@ -1952,7 +1959,9 @@ proxy of 'guix-daemon'...~%")
(guix build-group build-accounts authorize-key? authorized-keys
use-substitutes? substitute-urls max-silent-time timeout
log-compression discover? extra-options log-file
- http-proxy tmpdir chroot-directories environment)
+ http-proxy tmpdir chroot-directories environment
+ socket-directory-permissions socket-directory-group
+ socket-directory-user)
(list (shepherd-service
(documentation "Run the Guix daemon.")
(provision '(guix-daemon))
@@ -1962,11 +1971,13 @@ proxy of 'guix-daemon'...~%")
shepherd-discover-action))
(modules '((srfi srfi-1)
(ice-9 match)
- (gnu build shepherd)))
+ (gnu build shepherd)
+ (guix build utils)))
(start
(with-imported-modules `(((guix config) => ,(make-config.scm))
,@(source-module-closure
- '((gnu build shepherd))
+ '((gnu build shepherd)
+ (guix build utils))
#:select? not-config?))
#~(lambda args
(define proxy
@@ -1977,6 +1988,25 @@ proxy of 'guix-daemon'...~%")
(define discover?
(or (getenv "discover") #$discover?))
+ (mkdir-p "/var/guix")
+ ;; Ensure that a fresh directory is used, in case the old
+ ;; one was more permissive and processes have a file
+ ;; descriptor referencing it hanging around, ready to use
+ ;; with openat.
+ (false-if-exception
+ (delete-file-recursively "/var/guix/daemon-socket"))
+ (let ((perms #$(logand socket-directory-permissions
+ (lognot #o022))))
+ (mkdir "/var/guix/daemon-socket" perms)
+ ;; Override umask
+ (chmod "/var/guix/daemon-socket" perms))
+
+ (let* ((user #$socket-directory-user)
+ (uid (if user (passwd:uid (getpwnam user)) -1))
+ (group #$socket-directory-group)
+ (gid (if group (group:gid (getgrnam group)) -1)))
+ (chown "/var/guix/daemon-socket" uid gid))
+
;; Start the guix-daemon from a container, when supported,
;; to solve an installation issue. See the comment below for
;; more details.
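Review bot: The `(logand socket-directory-permissions (lognot #o022))` in the `let` silently clears any group/other write bits the administrator configured, so `#o775` or `#o777` become `#o755` with no indication at build or start time; a comment at that line should state the intent, e.g. `;; Group/other write bits are always cleared: the socket directory must only be writable by root, whatever the configured mode says.` The `;; Override umask` comment is also terse for a security-relevant step; `;; mkdir applies the umask; chmod sets the exact requested bits.` says why both calls are needed. Separately, `getpwnam`/`getgrnam` in the `let*` run only after the old directory has been removed and a new root-owned one created, so a mistyped user or group name aborts the start with the filesystem already modified; resolving `uid` and `gid` before the `delete-file-recursively` call would keep a bad name from touching anything. The enclosing lambda continues outside the hunk.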