From: Christine Lemmer-Webber
To: Liliana Marie Prikler
Cc: 54205@debbugs.gnu.org, attila@lendvai.name
Subject: [bug#54205] [PATCH v2] Factor out a public FORK-AND-CALL.
Date: Tue, 01 Mar 2022 12:14:55 -0500
Message-ID: <87y21tk2yw.fsf@dustycloud.org>
In-reply-to: <240241970295ff5351378c915461eea180cc79d5.camel@ist.tugraz.at>
References: <20220301072927.26525-1-attila@lendvai.name> <240241970295ff5351378c915461eea180cc79d5.camel@ist.tugraz.at>

Liliana Marie Prikler writes:

> On Tuesday, 01.03.2022 at 13:04 +0000, Attila Lendvai wrote:
>> > In general, I think such capabilities should be added to
>> > exec-command, rather than resorting to a lambda. It takes a little
>> > while to realize that call-in-fork, fork-and-call or whatever you
>> > want to name it is in fact not pure evil; mainly because shepherd
>> > could in its stead already invoke any lambda you throw at it. That
>> > being said, one should always be aware that this child process runs
>> > with the full permissions of shepherd, which you normally don't
>> > want to do for a service.
>>
>>
>> does the above mean that you're concerned about the security
>> implications? if so, then i don't understand, because Guile already
>> allows calling/accessing private functions/symbols, and thus this
>> change doesn't really increase the (already enormous) attack surface
>> in the guile codebase.
> This attack surface is less enormous if you consider the average case
> of a shepherd service in which the arguments to fork+exec-command are
> already evaluated by the time the procedure is called and thus both
> "sane" within and without the fork. Most of the time people are not
> too conscious about the fact that shepherd can already run arbitrary
> Guile code as part of actions and you typically only use that to its
> fullest extent when you're trying to do something real clever.

In general this would be improved if we move Guix in general, and the Shepherd services in particular, to an object capability based security model. It's on my TODO to lay out a sketch for how this could happen, assuming there's support for it in the community (which I don't expect to go one way or another until a plan is laid out to talk about).
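
The point raised in the quoted discussion, that a procedure called in a forked child keeps the parent's full credentials unless they are dropped before the call, shown as an added example (not code from this thread, from Guile or from the Shepherd). It is written in Python against the POSIX calls; the names `call_in_fork` and `identity` and the uid/gid 65534 are assumptions made for illustration.

```python
import json
import os


def identity():
    """Credentials of the calling process."""
    return {"uid": os.getuid(), "gid": os.getgid(),
            "groups": sorted(os.getgroups())}


def call_in_fork(thunk, drop_to=None):
    """Run thunk() in a forked child and return its JSON-serialisable result.

    drop_to is an optional (uid, gid) pair applied in the child before the
    call; dropping requires the parent to be root.
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                          # child
        status = 1
        try:
            os.close(rfd)
            if drop_to is not None:
                uid, gid = drop_to
                os.setgroups([])          # supplementary groups first,
                os.setgid(gid)            # then the group,
                os.setuid(uid)            # the uid last: no way back after it
            os.write(wfd, json.dumps(thunk()).encode())
            status = 0
        finally:
            os._exit(status)              # never return into the parent's code
    os.close(wfd)
    with os.fdopen(rfd, "rb") as pipe:
        data = pipe.read()
    _, wstatus = os.waitpid(pid, 0)
    if not os.WIFEXITED(wstatus) or os.WEXITSTATUS(wstatus) != 0:
        raise RuntimeError("child failed before returning a result")
    return json.loads(data)


if __name__ == "__main__":
    print("parent        :", identity())
    print("plain fork    :", call_in_fork(identity))
    if os.geteuid() == 0:                 # dropping only works as root
        # 65534 is assumed to be an unprivileged account such as "nobody".
        print("after dropping:", call_in_fork(identity, drop_to=(65534, 65534)))
```

Without `drop_to` the child reports exactly the parent's uid, gid and supplementary groups; if any step of the drop fails, the child exits before the thunk runs and the parent raises instead of returning a result.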