From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: 63562@debbugs.gnu.org
Cc: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
Date: Wed, 17 May 2023 21:56:18 -0400 [thread overview]
Message-ID: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com> (raw)
In-Reply-To: <c7931b5dab466a77bc58fdf355dd53658e468ca0.1684374978.git.maxim.cournoyer@gmail.com>
* gnu/services/rsync.scm (rsync-shepherd-service): Wrap rsync command in a
least-authority-wrapper.
---
gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
1 file changed, 65 insertions(+), 32 deletions(-)
diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services rsync)
+ #:use-module ((gnu build linux-container) #:select (%namespaces))
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services shepherd)
+ #:autoload (gnu system file-systems) (file-system-mapping)
#:use-module (gnu system shadow)
- #:use-module (gnu packages rsync)
#:use-module (gnu packages admin)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages rsync)
#:use-module (guix records)
#:use-module (guix gexp)
#:use-module (guix diagnostics)
#:use-module (guix i18n)
+ #:use-module (guix least-authority)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config)
#t))
(const #f)))
- (let* ((rsync (rsync-configuration-package config))
- (pid-file (rsync-configuration-pid-file config))
- (port-number (rsync-configuration-port-number config))
- (user (rsync-configuration-user config))
- (group (rsync-configuration-group config))
- (config-file (rsync-config-file config))
- (rsync-command #~(list (string-append #$rsync "/bin/rsync")
- "--config" #$config-file "--daemon")))
- (list (shepherd-service
- (provision '(rsync))
- (documentation "Run rsync daemon.")
- (actions (list (shepherd-configuration-action config-file)))
- (start #~(if #$inetd-style?
- (make-inetd-constructor
- #$rsync-command
- (cons (endpoint
- (make-socket-address AF_INET INADDR_ANY
- #$port-number))
- (if #$ipv6-support?
- (list
- (endpoint
- (make-socket-address AF_INET6 IN6ADDR_ANY
- #$port-number)))
- '()))
- #:user #$user
- #:group #$group)
- (make-forkexec-constructor #$rsync-command
- #:pid-file #$pid-file
- #:user #$user
- #:group #$group)))
- (stop #~(make-kill-destructor))))))
+ (define (module->file-system-mapping module)
+ "Return the <file-system-mapping> record corresponding to MODULE, an
+<rsync-module> object."
+ (match-record module <rsync-module>
+ (file-name read-only?)
+ (file-system-mapping
+ (source file-name)
+ (target source)
+ (writable? (not read-only?)))))
+
+ (match-record config <rsync-configuration>
+ (package log-file modules pid-file port-number user group)
+ ;; Run the rsync daemon in its own 'mnt' namespace, to guard against
+ ;; change to mount points it may be serving.
+ (let* ((config-file (rsync-config-file config))
+ (rsync-command #~(list #$(least-authority-wrapper
+ (file-append rsync "/bin/rsync")
+ #:name "rsync"
+ #:namespaces (fold delq %namespaces
+ '(net user))
+ #:mappings
+ (append (list (file-system-mapping
+ (source "/var/run/rsyncd")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source (dirname log-file))
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source config-file)
+ (target source)))
+ (map module->file-system-mapping
+ modules)))
+ "--config" #$config-file "--daemon")))
+ (list (shepherd-service
+ (provision '(rsync))
+ (documentation "Run rsync daemon.")
+ (actions (list (shepherd-configuration-action config-file)))
+ (start #~(if #$inetd-style?
+ (make-inetd-constructor
+ #$rsync-command
+ (cons (endpoint
+ (make-socket-address AF_INET INADDR_ANY
+ #$port-number))
+ (if #$ipv6-support?
+ (list
+ (endpoint
+ (make-socket-address AF_INET6 IN6ADDR_ANY
+ #$port-number)))
+ '()))
+ #:user #$user
+ #:group #$group)
+ (make-forkexec-constructor #$rsync-command
+ #:pid-file #$pid-file
+ #:user #$user
+ #:group #$group)))
+ (stop #~(if #$inetd-style?
+ (make-inetd-destructor)
+ (make-kill-destructor))))))))
(define rsync-service-type
(service-type
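Review bot: The wrapped binary is built from `(file-append rsync "/bin/rsync")`, but the `match-record` form binds the configuration's `package` field and never uses it; with `(gnu packages rsync)` now imported, `rsync` appears to resolve to that module's package variable, so a user-supplied `package` would be silently ignored (the removed `let*` bound `rsync` to the configured package explicitly). The line should read `(file-append package "/bin/rsync")`. Separately, only `/var/run/rsyncd`, the log-file directory and the config file are mapped writable into the new mount namespace, so a `pid-file` set outside `/var/run/rsyncd` would presumably be unwritable inside the container — either map `(dirname pid-file)` as well or document the constraint on the field. The enclosing `rsync-shepherd-service` definition starts before this hunk.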
--
2.39.2