Subject: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
To: 73925@debbugs.gnu.org
Resent-CC: guix-patches@gnu.org
Date: Sun, 20 Oct 2024 18:31:31 -0500
Message-ID: <87a5eyjqr0.fsf@russelstein.xyz>
From: Reepca Russelstein via Guix-patches

Passing "--disable-chroot" to guix-daemon makes it possible for the build users to be taken over by anybody who can start a build: they need only cause a builder to put a setuid binary in /tmp. That being said, there are some situations where it currently can't be avoided, like on Hurd.

It would also probably be good to have the ability to harden a guix daemon in general by restricting access to it. For example, there's no reason that the ntpd user needs access to the guix daemon (note that this is distinct from access to the *store*, which is of course always world-readable).

The attached patch implements that restriction for users of guix-service-type by limiting access to /var/guix/daemon-socket in accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
                     (guix-configuration
                      (inherit config)
                      (socket-directory-perms #o750)
                      (socket-directory-group "users"))))
------------------------------------

- reepca

Attachment: 0001-services-guix-configuration-add-access-control-to-da.patch (text/x-patch, quoted-printable)

From=20b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 1970 Message-ID:
From: Reepca Russelstein Date: Sat, 19 Oct 2024 22:43:27 -0500 Subject: [PATCH] services: guix-configuration: add access control to daemon socket. * gnu/services/base.scm (guix-configuration-socket-directory-{perms,group,user}): new fields. (guix-shepherd-service): use them. * doc/guix.texi: document them. Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc =2D-- doc/guix.texi | 15 +++++++++++++++ gnu/services/base.scm | 43 ++++++++++++++++++++++++++++++++++++------- 2 files changed, 51 insertions(+), 7 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index cb758f9005..0e387f0a17 100644 =2D-- a/doc/guix.texi +++ b/doc/guix.texi @@ -19775,6 +19775,21 @@ Base Services Environment variables to be set before starting the daemon, as a list of @code{key=3Dvalue} strings. =20 +@item @code{socket-directory-perms} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the guix +daemon via its unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-group} (default: @code{#f}) +Group to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its group as root. + +@item @code{socket-directory-user} (default: @code{#f}) +User to set for the directory @file{/var/guix/daemon-socket}, or +@code{#f} to keep its user as root. + @end table @end deftp =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fd2cc9d17a..daedc77468 100644 =2D-- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -1880,7 +1880,13 @@ (define-record-type* (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings =2D (default '()))) + (default '())) + (socket-directory-perms guix-configuration-socket-directory-perms + (default #o755)) + (socket-directory-group guix-configuration-socket-directory-group + (default #f)) + (socket-directory-user guix-configuration-socket-directory-user + (default #f))) =20 (define %default-guix-configuration (guix-configuration)) @@ -1941,10 +1947,12 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) =20 (match-record config =2D (guix build-group build-accounts authorize-key? authorized-keys =2D use-substitutes? substitute-urls max-silent-time timeout =2D log-compression discover? extra-options log-file =2D http-proxy tmpdir chroot-directories environment) + (guix build-group build-accounts authorize-key? authorized= -keys + use-substitutes? substitute-urls max-silent-time tim= eout + log-compression discover? extra-options log-file + http-proxy tmpdir chroot-directories environment + socket-directory-perms socket-directory-group + socket-directory-user) (list (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) @@ -1954,11 +1962,13 @@ (define (guix-shepherd-service config) shepherd-discover-action)) (modules '((srfi srfi-1) (ice-9 match) =2D (gnu build shepherd))) + (gnu build shepherd) + (guix build utils))) (start (with-imported-modules `(((guix config) =3D> ,(make-config.scm= )) ,@(source-module-closure =2D '((gnu build shepherd)) + '((gnu build shepherd) + (guix build utils)) #:select? not-config?)) #~(lambda args (define proxy 
@@ -1969,7 +1979,26 @@ (define (guix-shepherd-service config) (define discover? (or (getenv "discover") #$discover?)) =20 + (mkdir-p "/var/guix") + ;; Ensure that a fresh directory is used, in case the old + ;; one was more permissive and processes have a file + ;; descriptor referencing it hanging around, ready to use + ;; with openat. + (false-if-exception + (delete-file-recursively "/var/guix/daemon-socket")) + (let ((perms #$(logand socket-directory-perms + (lognot #o022)))) + (mkdir "/var/guix/daemon-socket" perms) + ;; Override umask + (chmod "/var/guix/daemon-socket" perms)) + + (let* ((user #$socket-directory-user) + (uid (if user (passwd:uid (getpwnam user)) -1)) + (group #$socket-directory-group) + (gid (if group (group:gid (getgrnam group)) -1))) + (chown "/var/guix/daemon-socket" uid gid)) + ;; Start the guix-daemon from a container, when supporte= d, ;; to solve an installation issue. See the comment below= for ;; more details. =2D-=20 2.45.2
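Review bot: in the doc/guix.texi hunk (@@ -19775), the @code{socket-directory-perms} entry says these are the "Permissions to set for the directory", but the start gexp in gnu/services/base.scm masks the value with (lognot #o022), so group and world write bits are silently dropped; say so in the entry (for example "group and world write bits are always cleared") so a user who sets #o775 is not surprised by #o755. The same entry should also mention that the directory is deleted and recreated every time the daemon service starts, since anything else placed there is lost and that is observable behaviour for users of @code{socket-directory-user}.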
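Review bot: in the define-record-type* hunk (@@ -1880), the three new fields take any value without validation, so a misspelt group name or a perms value that is not an integer is only reported when the system is built (the host-side logand) or when the shepherd service starts (getgrnam), without naming the field. A `sanitize` clause that checks perms is an integer and group/user are strings or #f would move the error to `guix system reconfigure` time with a message that points at the offending field.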
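Review bot: in the start-gexp hunk (@@ -1969), `(false-if-exception (delete-file-recursively "/var/guix/daemon-socket"))` hides exactly the failure it exists to handle: if the old directory cannot be removed, the following `(mkdir "/var/guix/daemon-socket" perms)` fails with EEXIST and the stale, possibly more permissive directory stays in place with no hint why, so let the exception propagate or at least log it before continuing. Two smaller points in the same hunk: `getpwnam`/`getgrnam` raise a bare system error when the configured name does not exist, so wrapping them to report which of socket-directory-user or socket-directory-group is wrong would help; and the ordering mkdir, chmod, chown is correct (the directory is root-owned and already restricted before the group is widened), which deserves a comment next to ";; Override umask" so a later edit does not reorder it.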
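The access decision the patch relies on, as an added illustration that is not part of the patch or of Guix: the directory's search bit gates connect(2) on the socket inside it, root is unaffected, and the patch's (lognot #o022) mask is applied to the requested mode. Written in Python so it runs stand-alone; the uids, gids and the 0666 socket mode are constructed assumptions.

```python
from dataclasses import dataclass

W, X = 2, 1  # write and search/execute permission bits

def effective_socket_dir_mode(requested: int) -> int:
    """Same mask as the patch, (logand perms (lognot #o022)): group and other
    write bits are always cleared, so a requested #o777 still becomes #o755."""
    return requested & ~0o022

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o750

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary plus supplementary groups

def permits(inode: Inode, proc: Proc, want: int) -> bool:
    """Discretionary check: exactly one of owner/group/other bits applies.
    uid 0 stands in for CAP_DAC_OVERRIDE, so the gate never locks out root."""
    if proc.uid == 0:
        return True
    if proc.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif inode.gid in proc.gids:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return bits & want == want

def can_connect(socket_dir: Inode, socket_file: Inode, proc: Proc) -> bool:
    """connect(2) needs search (x) on the directory during path resolution and
    write (w) on the socket inode; the service only controls the directory."""
    return permits(socket_dir, proc, X) and permits(socket_file, proc, W)

USERS_GID, NTPD_UID, ALICE_UID = 998, 980, 1000  # constructed sample ids

def scenario(requested_perms: int, group_gid: int) -> dict:
    """Who can reach the daemon for a given socket-directory-perms and group."""
    socket_dir = Inode(0, group_gid, effective_socket_dir_mode(requested_perms))
    # Assumption: the daemon's socket itself is world-writable (0666), so the
    # directory is the only thing between an unrelated user and the daemon.
    socket_file = Inode(0, 0, 0o666)
    procs = {"root": Proc(0, frozenset({0})),
             "alice": Proc(ALICE_UID, frozenset({ALICE_UID, USERS_GID})),
             "ntpd": Proc(NTPD_UID, frozenset({NTPD_UID}))}
    return {n: can_connect(socket_dir, socket_file, p) for n, p in procs.items()}
```

`scenario(0o755, 0)` is the default configuration, where the ntpd user reaches the daemon; `scenario(0o750, USERS_GID)` is the posted example, where only root and members of "users" do.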