Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
To: 63562@debbugs.gnu.org
Cc: Maxim Cournoyer
From: Maxim Cournoyer
Date: Wed, 17 May 2023 21:56:18 -0400
Message-Id: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.39.2
* gnu/services/rsync.scm (rsync-shepherd-service): Wrap rsync command in a
least-authority-wrapper.
---
 gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++--------------
 1 file changed, 65 insertions(+), 32 deletions(-)

diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm
index 826b757b1c..42e4d0247e 100644
--- a/gnu/services/rsync.scm
+++ b/gnu/services/rsync.scm
@@ -19,16 +19,20 @@ ;;; along with GNU Guix. If not, see . (define-module (gnu services rsync) + #:use-module ((gnu build linux-container) #:select (%namespaces)) #:use-module (gnu services) #:use-module (gnu services base) #:use-module (gnu services shepherd) + #:autoload (gnu system file-systems) (file-system-mapping) #:use-module (gnu system shadow) - #:use-module (gnu packages rsync) #:use-module (gnu packages admin) + #:use-module (gnu packages linux) + #:use-module (gnu packages rsync) #:use-module (guix records) #:use-module (guix gexp) #:use-module (guix diagnostics) #:use-module (guix i18n) + #:use-module (guix least-authority) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) #:use-module (ice-9 match) 
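Review bot: the new `#:use-module (gnu packages linux)` in this hunk has no visible consumer; nothing in the rsync.scm changes references a binding from that module (the wrapper comes from `(guix least-authority)`, `%namespaces` from `(gnu build linux-container)`, and `file-system-mapping` from `(gnu system file-systems)`), so either drop the import or say in the commit message what needs it. Pulling in an unused package module only enlarges the set of modules that must be loaded to evaluate this service.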
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config) #t)) (const #f))) - (let* ((rsync (rsync-configuration-package config)) - (pid-file (rsync-configuration-pid-file config)) - (port-number (rsync-configuration-port-number config)) - (user (rsync-configuration-user config)) - (group (rsync-configuration-group config)) - (config-file (rsync-config-file config)) - (rsync-command #~(list (string-append #$rsync "/bin/rsync") - "--config" #$config-file "--daemon"))) - (list (shepherd-service - (provision '(rsync)) - (documentation "Run rsync daemon.") - (actions (list (shepherd-configuration-action config-file))) - (start #~(if #$inetd-style? - (make-inetd-constructor - #$rsync-command - (cons (endpoint - (make-socket-address AF_INET INADDR_ANY - #$port-number)) - (if #$ipv6-support? - (list - (endpoint - (make-socket-address AF_INET6 IN6ADDR_ANY - #$port-number))) - '())) - #:user #$user - #:group #$group) - (make-forkexec-constructor #$rsync-command - #:pid-file #$pid-file - #:user #$user - #:group #$group))) - (stop #~(make-kill-destructor)))))) + (define (module->file-system-mapping module) + "Return the record corresponding to MODULE, an + object." + (match-record module + (file-name read-only?) + (file-system-mapping + (source file-name) + (target source) + (writable? (not read-only?))))) + + (match-record config + (package log-file modules pid-file port-number user group) + ;; Run the rsync daemon in its own 'mnt' namespace, to guard against + ;; change to mount points it may be serving. + (let* ((config-file (rsync-config-file config)) + (rsync-command #~(list #$(least-authority-wrapper + (file-append rsync "/bin/rsync") + #:name "rsync" + #:namespaces (fold delq %namespaces + '(net user)) + #:mappings + (append (list (file-system-mapping + (source "/var/run/rsyncd") + (target source) + (writable? #t)) + (file-system-mapping + (source (dirname log-file)) + (target source) + (writable? 
#t)) + (file-system-mapping + (source config-file) + (target source))) + (map module->file-system-mapping + modules))) + "--config" #$config-file "--daemon"))) + (list (shepherd-service + (provision '(rsync)) + (documentation "Run rsync daemon.") + (actions (list (shepherd-configuration-action config-file))) + (start #~(if #$inetd-style? + (make-inetd-constructor + #$rsync-command + (cons (endpoint + (make-socket-address AF_INET INADDR_ANY + #$port-number)) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) + #:user #$user + #:group #$group) + (make-forkexec-constructor #$rsync-command + #:pid-file #$pid-file + #:user #$user + #:group #$group))) + (stop #~(if #$inetd-style? + (make-inetd-destructor) + (make-kill-destructor)))))))) (define rsync-service-type (service-type -- 2.39.2
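Review bot: the wrapped command in this hunk ignores the configured package: `match-record` binds `package` (the field the removed `rsync-configuration-package` call read), but `(file-append rsync "/bin/rsync")` uses `rsync`, which now resolves to the default package exported by `(gnu packages rsync)`, so `package` is unused and a user-supplied `(package ...)` is silently dropped; it should be `(file-append package "/bin/rsync")`. In the same spirit, `pid-file` is bound and passed to `make-forkexec-constructor`, yet the writable mapping is hard-coded to `"/var/run/rsyncd"`, so a non-default pid-file location will not be writable inside the new mount namespace and the daemon will fail to start; derive that mapping from `(dirname pid-file)` the way the log mapping is derived from `(dirname log-file)`. Minor: the comment should read "changes to mount points", and switching `stop` to `make-inetd-destructor` in inetd mode is a behaviour change that deserves a line in the commit message.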