From e7a445571d0e45be96894bc6b298b67ceb2f3989 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Mon, 14 Oct 2024 23:12:25 +0200
Subject: services: cuirass: Run ‘remote-worker’ under its own user/group.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).

* gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New variable.
(cuirass-remote-worker-shepherd-service): Pass ‘--user’.
(cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE extension.

Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
---
 gnu/services/cuirass.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
(limited to 'gnu/services/cuirass.scm')

diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm
index f68b4dc5a2..187766bc99 100644
--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@@ -384,6 +384,19 @@
   (private-key cuirass-remote-worker-configuration-private-key ;string
                (default #f)))
 
+(define %cuirass-remote-worker-accounts
+  ;; User account and group for the 'cuirass remote-worker' process.
+  (list (user-group
+         (name "cuirass-worker")
+         (system? #t))
+        (user-account
+         (name "cuirass-worker")
+         (group name)
+         (system? #t)
+         (comment "Cuirass worker privilege separation user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))))
+
 (define (cuirass-remote-worker-shepherd-service config)
   "Return a for the Cuirass remote worker service with
 CONFIG."
@@ -397,6 +410,7 @@ CONFIG."
           (start #~(make-forkexec-constructor
                     (list (string-append #$cuirass "/bin/cuirass")
                           "remote-worker"
+                          "--user=cuirass-worker" ;drop privileges early on
                           (string-append "--workers="
                                          #$(number->string workers))
                           #$@(if server
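Review bot: The account name "cuirass-worker" is spelled out twice, in %cuirass-remote-worker-accounts here and again in the `--user=cuirass-worker` argument added by the second hunk, so a rename in one place would leave the worker trying to switch to an account that does not exist. A single binding, `(define %cuirass-remote-worker-user "cuirass-worker")`, used as `(name %cuirass-remote-worker-user)` in both records and as `(string-append "--user=" %cuirass-remote-worker-user)` in the shepherd service, keeps the two in step. The header comment could also say why the account is shaped this way, e.g. `;; Locked-down system account: nologin shell and an empty home, so nothing can log in as it; it exists only for 'cuirass remote-worker --user'.`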
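Review bot: Passing `--user=cuirass-worker` drops the worker to an account that did not exist before this commit, but nothing in the change makes the files the worker touches accessible to that account: the `private-key` field visible in the first hunk presumably names a file that must now be readable by cuirass-worker, and any cache or log path the worker opens after the switch must be writable by it, otherwise the service starts and then fails on first use. An activation snippet, or at least a note in the configuration docstring saying which paths must be owned by or readable to the new user, would close that gap. Separately, `#$cuirass` is a user-supplied package and the commit message says `--user` only exists in Cuirass from commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023) onward, so an older package will reject the flag at startup; a comment such as `;requires Cuirass >= 3a6abc17 (Nov. 2023)` next to the new line would make that minimum explicit. The make-forkexec-constructor form continues past the end of the hunk.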
@@ -444,6 +458,8 @@ CONFIG."
   (extensions
    (list (service-extension shepherd-root-service-type
                             cuirass-remote-worker-shepherd-service)
+         (service-extension account-service-type
+                            (const %cuirass-remote-worker-accounts))
          (service-extension rottlog-service-type
                             cuirass-remote-worker-log-rotations)))
   (description
-- 
cgit v1.2.3