From: ludo@gnu.org (Ludovic Courtès)
To: Oleg Pykhalov
Cc: 32141@debbugs.gnu.org
Subject: [bug#32141] [PATCH] services: Add ddclient service.
Date: Thu, 26 Jul 2018 10:51:30 +0200
Message-ID: <87o9eu2xl1.fsf@gnu.org>
In-Reply-To: <87effrpynp.fsf@gmail.com> (Oleg Pykhalov's message of "Wed, 25 Jul 2018 10:22:50 +0300")

Hi Oleg,

Oleg Pykhalov skribis:

> ludo@gnu.org (Ludovic Courtès) writes:

[...]

>>> +@subsubheading ddclient Service >>> + >>> +@cindex ddclient >>> +@uref{https://sourceforge.net/projects/ddclient/, ddclient} is an addr= ess >>> +updating utility for dynamic DNS services.
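
Review bot: the paragraph added under `@subsubheading ddclient Service` says only what ddclient is, so a reader of the manual learns nothing about how the service handles provider credentials. Since the generated ddclient.conf carries secrets, a sentence stating where those credentials are expected to live would belong here. A second index entry such as `@cindex dynamic DNS` beside `@cindex ddclient` would also let readers find the section by topic.
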
>>
>> It would be nice to expound a bit, like:
>>
>>   The ddclient service described below runs the ddclient daemon, which
>>   takes care of automatically updating DNS entries for service providers
>>   such as DynDNS.com.
>
> OK.  I improved it a little bit with “such as @uref{https://dyn.com/dns/,
> Dyn}.” if you don't mind.

Sure.

>> Does it run as root?  If there’s no option to run it (mostly) as
>> non-root, perhaps it would make sense to try using
>> ‘make-forkexec-constructor/container’ here (as a separate patch.)
>>
>> WDYT?
>
> It did run as root.  I've succeeded in running it with the ‘ddclient’ user.

Awesome.

> Also, the generated ‘ddclient.conf’ which contains secrets is stored in
> the store.  I probably should change the ‘ddclient-activation’ procedure
>
>   (copy-file #$(plain-file "ddclient.conf" config-str) file)
>
> to a procedure which writes ‘config-str’ to the file without storing it
> somewhere else.  WDYT?

The problem would be the same: the activation script would contain
‘config-str’, and it would live in the store.

In short we must not manipulate secrets in anything that goes through
the store.  The only thing I can suggest is to leave it up to the user to
create a file containing the secret in an out-of-band fashion; /etc is a
good place for such things.

For example, they could create /etc/ddclient-secrets and then we would
somehow arrange to get that file read.  To do that there are two
possibilities that come to mind:

  1. If the config file syntax has an “include” directive, just include
     /etc/ddclient-secrets unconditionally in the generated config file.

  2. Write an activation snippet that concatenates the generated config
     file with /etc/ddclient-secrets and stores that as
     /etc/ddclient.conf (or something like that.)

Thoughts?

Ludo’.
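
Possibility 2 from the message above, as an added example that is not part of this thread or of Guix: a POSIX shell function that concatenates a generated, secret-free config with an out-of-band secrets file and writes the result with mode 0600. The function names, the return codes and the permission check on the secrets file are assumptions of this example; an actual Guix activation snippet would be written in Guile.

```shell
#!/bin/sh
# Added example: merge a generated (non-secret) ddclient config with a
# secrets file the administrator created out of band. Paths are arguments
# so the function can be tried on constructed files in a scratch directory.

# file_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# merge_ddclient_conf GENERATED SECRETS OUTPUT
# Returns 0 on success, 1 if an input is missing or the write fails,
# 2 if the secrets file is accessible to group or others.
merge_ddclient_conf() {
    generated=$1 secrets=$2 output=$3

    [ -r "$generated" ] && [ -r "$secrets" ] || return 1

    # Refuse a secrets file whose group/other permission digits are not 0,
    # rather than silently copying an exposed secret.
    mode=$(file_mode "$secrets") || return 1
    case $mode in
        *00) ;;
        *) return 2 ;;
    esac

    # mktemp creates the file with mode 0600; placing it beside the target
    # makes the final rename atomic, so no partial config is ever visible.
    tmp=$(mktemp "$output.XXXXXX") || return 1
    if cat "$generated" "$secrets" > "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f "$tmp" "$output"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

The daemon's user (the ‘ddclient’ user mentioned in the thread) would additionally need ownership of the output file; that step is left out because it requires root.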