Changing permissions of files created with simple-service etc-service-type

Changing permissions of files created with simple-service etc-service-type

[Josua Stingelin]

[-- Attachment #1: Type: text/plain, Size: 1047 bytes --]

Hei Guix!

I've been a long time follower of your distribution. In my humble opinion guix
has the most promising configuration system out there!

I'm trying to set up a guix configuration for my laptop. After playing around
with it for a while I figured now is a great time to get some help.

How do I change the permissions of a configuration file?

For example I'm used to running wpa_supplicant with a configuration file that
I'm copying from machine to machine to keep connected to all my favorite
wireless networks.

I'm using the etc-service-type of the simple-service to copy the file. Which
works great. But sadly grants read-access to everyone. I'd prefer it only be
readable by root.

  (simple-service 'wpasupplicantconf-service
                  etc-service-type
                  `(("wpa_supplicant.conf",
                     (local-file "wpa_supplicant.conf"))))

  $ ls -l /etc/wpa_supplicant.conf
  -r--r--r-- 1 root root 2.3K Feb 11 11:39 /etc/wpa_supplicant.conf

How can I achieve that?


Kind Regards,
Josua a.k.a Joshua/Josh

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: Changing permissions of files created with simple-service etc-service-type

[Ludovic Courtès]

Josua Stingelin <josuast@hotmail.com> skribis:

> I'm using the etc-service-type of the simple-service to copy the file. Which
> works great. But sadly grants read-access to everyone. I'd prefer it only be
> readable by root.
>
>   (simple-service 'wpasupplicantconf-service
>                   etc-service-type
>                   `(("wpa_supplicant.conf",
>                      (local-file "wpa_supplicant.conf"))))
>
>   $ ls -l /etc/wpa_supplicant.conf
>   -r--r--r-- 1 root root 2.3K Feb 11 11:39 /etc/wpa_supplicant.conf
>
> How can I achieve that?

Currently ‘etc-service-type’ does not let you specify permissions.  All
the files that end up in /etc first go through the store though, so
changing the permission of those files once copied under /etc wouldn’t
buy you much in terms of confidentiality.  For example, there’s a copy
of ‘wpa_supplicant.conf’ above in your store.  For that reason, files
containing secrets must be handled “out of band”, without Guix support.

I guess changing permissions for /etc could still be useful for those
programs that verify permission bits and refuse to start if the config
file is readable by all.  However, those programs may have a good reason
to verify that, so…

Thoughts?

Ludo’.

Re: Changing permissions of files created with simple-service etc-service-type

[Josua Stingelin]

> > I'm using the etc-service-type of the simple-service to copy the file. Which
> > works great. But sadly grants read-access to everyone. I'd prefer it only be
> > readable by root.
> >
> > How can I achieve that?
> 
> Currently ‘etc-service-type’ does not let you specify permissions.  All
> the files that end up in /etc first go through the store though, so
> changing the permission of those files once copied under /etc wouldn’t
> buy you much in terms of confidentiality.  For example, there’s a copy
> of ‘wpa_supplicant.conf’ above in your store.  For that reason, files
> containing secrets must be handled “out of band”, without Guix support.
> 
> I guess changing permissions for /etc could still be useful for those
> programs that verify permission bits and refuse to start if the config
> file is readable by all.  However, those programs may have a good reason
> to verify that, so…
> 
> Thoughts?

I see. Thanks for the clarification! I will try that approach.