;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2021 Oleg Pykhalov ;;; ;;; This file is part of GNU Guix. ;;; ;;; GNU Guix is free software; you can redistribute it and/or modify it ;;; under the terms of the GNU General Public License as published by ;;; the Free Software Foundation; either version 3 of the License, or (at ;;; your option) any later version. ;;; ;;; GNU Guix is distributed in the hope that it will be useful, but ;;; WITHOUT ANY WARRANTY; without even the implied warranty of ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ;;; GNU General Public License for more details. ;;; ;;; You should have received a copy of the GNU General Public License ;;; along with GNU Guix. If not, see . (define-module (gnu services syncthing) #:use-module (gnu packages syncthing) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (guix gexp) #:use-module (guix records) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:export (syncthing-configuration syncthing-configuration? syncthing-service-type)) ;;; Commentary: ;;; ;;; This module provides a service definition for the syncthing service. ;;; ;;; Code: (define-record-type* syncthing-configuration make-syncthing-configuration syncthing-configuration? (syncthing syncthing-configuration-syncthing ;file-like (default syncthing)) (arguments syncthing-configuration-arguments ;list of strings (default '())) (logflags syncthing-configuration-logflags ;number (default 0)) (user syncthing-configuration-user ;string (default #f)) (group syncthing-configuration-group ;string (default "users")) (home syncthing-configuration-home ;string (default #f))) (define syncthing-shepherd-service (match-lambda (($ syncthing arguments logflags user group home) (list (shepherd-service (provision (list (string->symbol (string-append "syncthing-" user)))) (documentation "Run syncthing.") (requirement '(loopback)) (start #~(make-forkexec-constructor (append (list (string-append #$syncthing "/bin/syncthing") "-no-browser" "-no-restart" (string-append "-logflags=" (number->string #$logflags))) '#$arguments) #:user #$user #:group #$group #:environment-variables (append (list (string-append "HOME=" (or #$home (passwd:dir (getpw #$user)))) "SSL_CERT_DIR=/etc/ssl/certs" "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt") (remove (lambda (str) (or (string-prefix? "HOME=" str) (string-prefix? "SSL_CERT_DIR=" str) (string-prefix? "SSL_CERT_FILE=" str))) (environ))))) (respawn? #f) (stop #~(make-kill-destructor))))))) (define syncthing-service-type (service-type (name 'syncthing) (extensions (list (service-extension shepherd-root-service-type syncthing-shepherd-service))) (description "Run @uref{https://github.com/syncthing/syncthing, Syncthing} decentralized continuous file system synchronization."))) ;;; syncthing.scm ends here en copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156 Ludovic Courtès 2024-03-11daemon: Protect against FD escape when building fixed-output derivations (CVE......This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88 Ludovic Courtès 2023-01-09daemon: Improve error message for wrong hash sizes....* nix/libutil/hash.cc (parseHash): Show the hash algorithm name and expected size in the error message. * tests/derivations.scm ("fixed-output derivation, invalid hash size"): New test. Ludovic Courtès 2022-12-18daemon: Make "opening file" error messages distinguishable....* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise. Ludovic Courtès