From: Liliana Marie Prikler <liliana.prikler@ist.tugraz.at>
To: Attila Lendvai <attila@lendvai.name>
Cc: 54205@debbugs.gnu.org
Subject: [bug#54205] [PATCH v2] Factor out a public FORK-AND-CALL.
Date: Tue, 01 Mar 2022 15:01:18 +0100 [thread overview]
Message-ID: <240241970295ff5351378c915461eea180cc79d5.camel@ist.tugraz.at> (raw)
In-Reply-To: <vLp1kLQb-QdCr3XCYBkbjP27y67IPcL-x2n3AmZFwzbmcIl57X-iO-LH-FDlfvhOetPKEPscDuxdhCPYtUNpcfrcxto1x1-OIr-TAyhSN1Y=@lendvai.name>
Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai:
> > In general, I think such capabilities should be added to exec-
> > command, rather than resorting to a lambda. It takes a little while
> > to realize that call-in-fork, fork-and-call or whatever you want to
> > name it is in fact not pure evil; mainly because shepherd could in
> > its stead already invoke any lambda you throw at it. That being
> > said, one should always be aware that this child process runs with
> > the full permissions of shepherd, which you normally don't want to
> > do for a service.
>
>
> does the above mean that you're concerned about the security
> implications? if so, then i don't understand, because Guile already
> allows calling/accessing private functions/symbols, and thus this
> change doesn't really increase the (already enormous) attack surface
> in the guile codebase.
This attack surface is less enormous if you consider the average case
of a shepherd service in which the arguments to fork+exec-command are
already evaluated by the time the procedure is call and thus both
"sane" within and without the fork. Most of the time people are not
too conscious about the fact that shepherd can already run arbitrary
Guile code as part of actions and you typically only use that to its
fullest extent when you're trying to do something real clever.
> it does increase the shoot-oneself-in-the-foot-surface a little bit,
> though.
>
> it's worth pointing out, though, that trusting a channel, and adding
> a shepherd service defined by it to the machine's config, is
> essentially giving root access to the channel author. and this is
> already the case, prior to my change.
>
> BTW, can i not already simply pass 0, or "root" as #:user to EXEC-
> COMMAND?
Only if you're already root, i.e. this won't work for user shepherds,
which can't become root (easily). On the other hand, I did get my user
shepherd to launch pkexec commands, so that's that.
>
> > In my opinion, it ought to be
> >
> > > +(define* (fork+apply proc . args)
> > [...]
> >
> > WDYT?
>
> makes sense, i'll update the patch... but given the feedback from the
> two of you, should i?
>
> i think i'll abandon this, and implement Maxime's #:rlimits
> suggestion.
>
> i'm not sure how much better that will be, but at least it won't make
> future threading harder, and allows me to make progress with my
> project.
>
> if anyone prefers the FORK+APPLY version, then do speak up!
FWIW Maxime's complaint would also hold w.r.t. fork+exec-command, which
would then be implemented in terms of fork+apply, so assuming that
fork+exec-command still exists after the switch to multiple threads,
we'd have to patch at least one location either way. fork+apply could
make it so that less hacks are required overall to make all forking
behaviour inside shepherd services as intended, but that's so far only
a theoretical claim with no evidence to back it up.
I think the real question is what you are trying to achieve here. If
you only want to add rlimits, that's an exec-command thing. If you
instead wanted to spawn a Guile function within a sandbox (rather than
a completely new command), that would require something along the lines
of fork+apply at least under the hood. With the things you've
described, I don't think it makes sense (yet) to export fork+apply, but
it might still make sense to refactor fork+exec-command under the hood.
Cheers
next prev parent reply other threads:[~2022-03-01 14:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-01 7:06 [bug#54205] [PATCH Shepherd] Factor out a public CALL-IN-FORK Attila Lendvai
2022-03-01 7:29 ` [bug#54205] [PATCH v2] Factor out a public FORK-AND-CALL Attila Lendvai
2022-03-01 12:01 ` Liliana Marie Prikler
2022-03-01 13:04 ` Attila Lendvai
2022-03-01 14:01 ` Liliana Marie Prikler [this message]
2022-03-01 17:14 ` Christine Lemmer-Webber
2022-03-01 12:47 ` [bug#54205] [PATCH Shepherd] Factor out a public CALL-IN-FORK Maxime Devos
2022-03-02 16:05 ` Ludovic Courtès
2022-03-02 18:21 ` Maxime Devos
2022-03-03 8:04 ` Attila Lendvai
2022-03-21 13:03 ` bug#54205: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=240241970295ff5351378c915461eea180cc79d5.camel@ist.tugraz.at \
--to=liliana.prikler@ist.tugraz.at \
--cc=54205@debbugs.gnu.org \
--cc=attila@lendvai.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).