Subject: [bug#54309] What is the process from here?
From: fesoj000
To: Liliana Marie Prikler, 54309@debbugs.gnu.org
Cc: guix-patches@gnu.org
Date: Sat, 19 Mar 2022 12:10:47 +0100
In-Reply-To: <87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@gmail.com>

On 3/18/22 11:36 PM, Liliana Marie Prikler wrote:
> Am Freitag, dem 18.03.2022 um 22:48 +0100 schrieb fesoj000:
>> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:
>>>> So, I assume that there has to be interest and time from a guix
>>>> developer to review, maybe test and then integrate the
>>>> changes/packages into one of the branches.
>>> Note that there have already been two people reviewing; you
>>> currently
>>> owe me a v2 addressing the TOCTOU "race" of creating the audit
>>> directory without 700 permissions.
>> Yes, that is true. But I addressed the rest, I think. New version
>> inline.
> For the record, inline patches generate noise that's hard to separate
> when applying, so you'd probably want to avoid them. If you don't have
> git send-email set up, regular attachments also work for some, though
> they do become tedious as well with series.
>
>> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00
>> 2001
>> From: fesoj000
>> Date: Wed, 9 Mar 2022 20:07:42 +0100
>> Subject: [PATCH] services: auditd: use exclusive log directory for
>> auditd
>>
>> Use /var/log/audit for auditd. This is the upstream default.
>>
>> Further, rework the config file generated by auditd-service-type.
>> Only
>> write values which diverge from the upstream default.
>>
>> * gnu/services/auditd.scm: add auditd-activation function and extend
>> activation-service-type.
>> ---
>>   gnu/services/auditd.scm | 20 +++++++++++++++-----
>>   1 file changed, 15 insertions(+), 5 deletions(-)
>>
>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
>> index abde811f51..602a6c5a48 100644
>> --- a/gnu/services/auditd.scm
>> +++ b/gnu/services/auditd.scm
>> @@ -31,10 +31,10 @@ (define-module (gnu services auditd)
>>               %default-auditd-configuration-directory))
>>
>>   (define auditd.conf
>> -  (plain-file "auditd.conf" "log_file =
>> /var/log/audit.log\nlog_format = \
>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
>> -ignore\ndisk_error_action = syslog\n"))
>> +  (plain-file "auditd.conf" "\
>> +space_left = 5%
>> +space_left_action = syslog
>> +"))
> I can understand discarding the log_file entry because we now use
> upstream default, but the rest should remain imo.
Alright. Let's first keep all options. At another point in time we can
rethink the default options. Maybe when implementing configuration for
auditd.
>>   (define %default-auditd-configuration-directory
>>     (computed-file "auditd"
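Review bot: the commit message says the reworked auditd.conf only writes values that diverge from the upstream default, but the hunk drops log_format = ENRICHED, freq = 1, admin_space_left_action = ignore, disk_full_action = ignore and disk_error_action = syslog without stating what upstream's default is for any of those keys, so a reviewer cannot check that the generated configuration still behaves the same. Either keep those entries, as the follow-up agrees to (only log_file can be dropped safely now that /var/log/audit is the upstream default), or list each dropped key's upstream default in the commit message so the change is verifiable.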
>> @@ -50,6 +50,14 @@ (define-record-type*
>>                              (default audit))
>>     (configuration-directory auditd-configuration-configuration-
>> directory))      ; file-like
>>
>> +(define (auditd-activation config)
>> +  (with-imported-modules '((guix build utils))
>> +    #~(begin
>> +        (use-modules (guix build utils))
>> +        (let ((var-log-audit "/var/log/audit"))
>> +          (umask #o077)
>> +          (mkdir-p var-log-audit)))))
>> +
> This would also apply umask 077 to /var and /var/log if those don't
> already exist.
Hm, it seems that 'gnu/services.scm: (activation-script)' ensures the
existence of /var/log before the auditd activation gexp is running. So,
the reasoning behind your remark is that we cannot guarantee the
existence of /var/log in every case? What cases might that be? I will
take care of it anyway for the sake of robustness, but I am curious.
> More importantly, code executed after that will also
> inherit the umask, which I don't think is the intended consequence.
I was under the impression that every activation script is run in its
own process. But that is not the case. This changes things, more care is
needed. Patch will follow later.
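Review bot: in auditd-activation, `(umask #o077)` is set before `mkdir-p` walks the whole path and is never restored, so any missing parent (/var, /var/log) would be created 0700 and every later activation snippet running in the same process inherits the mask, as the reviewer's reply points out. Create only the leaf under the restrictive mode and restore the old mask, e.g. `(mkdir-p "/var/log")` followed by `(let ((old (umask #o077))) (mkdir var-log-audit) (umask old))`, or avoid touching the umask at all by passing the mode to mkdir, `(mkdir var-log-audit #o700)`, since a umask can only clear bits. Both the umask and mkdir's mode argument only affect a directory that is created now: a /var/log/audit left over from an earlier generation keeps its old bits, so follow creation with `(chmod var-log-audit #o700)`. The hunk header announces 14 added lines but only 8 are quoted, so the activation-service-type extension named in the commit message is not visible here for review.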
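The shape an activation gexp could take to address the points raised in this thread (parent directories untouched, no umask leak into the rest of the activation script, and an already existing directory tightened too), added here as an illustration and not the patch author's v2; it assumes Guile's optional mode argument to `mkdir`, Guile's `EEXIST` and `system-error-errno` bindings, and `mkdir-p` from `(guix build utils)` as used in the patch:

```scheme
(define (auditd-activation config)
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))
        (let ((var-log-audit "/var/log/audit"))
          ;; Parents are created (if at all) under the process's normal
          ;; umask; the restrictive mode is applied to the leaf only.
          (mkdir-p (dirname var-log-audit))
          ;; Pass the mode to mkdir itself: a umask can only clear bits,
          ;; so 0700 survives any umask, the process-wide umask is never
          ;; changed, and the directory never exists with looser bits
          ;; (no create-then-chmod window).  EEXIST is not an error here.
          (catch 'system-error
            (lambda () (mkdir var-log-audit #o700))
            (lambda args
              (unless (= EEXIST (system-error-errno args))
                (apply throw args))))
          ;; mkdir's mode only applies to a directory created right now;
          ;; a directory inherited from an earlier generation keeps its
          ;; old permissions unless tightened explicitly.
          (chmod var-log-audit #o700)))))
```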