Subject: [bug#73925] [PATCH] add access control to daemon socket in shepherd service
From: Reepca Russelstein
To: Ludovic Courtès
Cc: 73925@debbugs.gnu.org
Date: Fri, 25 Oct 2024 19:10:32 -0500
Message-ID: <87wmhvhgg7.fsf@russelstein.xyz>
In-Reply-To: <871q05658b.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 24 Oct 2024 14:43:48 +0200")
References: <87a5eyjqr0.fsf@russelstein.xyz> <871q05658b.fsf@gnu.org>
List: guix-patches@gnu.org

Ludovic Courtès writes:

>> +                 ;; Ensure that a fresh directory is used, in case the old
>> +                 ;; one was more permissive and processes have a file
>> +                 ;; descriptor referencing it hanging around, ready to use
>> +                 ;; with openat.
>> +                 (false-if-exception
>> +                  (delete-file-recursively "/var/guix/daemon-socket"))
>> +                 (let ((perms #$(logand socket-directory-perms
>> +                                        (lognot #o022))))
>> +                   (mkdir "/var/guix/daemon-socket" perms)
>> +                   ;; Override umask
>> +                   (chmod "/var/guix/daemon-socket" perms))
>
> Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in
> two steps?

PERMS is passed directly to mkdir; the umask may cause the permissions
the directory is created with to be less permissive than those, but
never more. The only reason I call chmod here is because the umask may
happen to be more strict than PERMS.

mkdir-p/perms creates the directory with the permissions initially
restricted only by the umask, then later chmods it in a separate step,
leaving a window during which the directory is likely world-executable
and world-readable. So while mkdir-p/perms would be an improvement on
the "make sure no components are symlinks" front, it would be a
downgrade in restricting access to the directory. This behavior can be
remedied by ensuring that the final call to 'mkdirat' passes in the
specified permission bits. I've submitted a patch to do this in issue
#74002.
There's also a minor annoyance in that the 'owner' argument that
mkdir-p/perms wants MUST be a passwd object. This means that the uid
and gid to use can't be specified independently, nor can they be
specified as -1 or 0; you *have* to do (getpwnam "root") or something
similar. For now I'm going to keep this part as-is, since currently
using mkdir-p/perms would neither make it more secure nor more concise.

The attached patch incorporates all the other changes you've mentioned.

- reepca

Attachment: 0001-services-guix-configuration-add-access-control-to-da.patch

From b8ea0288a35c27912580bd7fe861dd6e497f4c33 Mon Sep 17 00:00:00 2001
From: Reepca Russelstein
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: [PATCH] services: guix-configuration: add access control to daemon socket.

* gnu/services/base.scm (guix-configuration-socket-directory-{permissions,group,user}): new fields.
(guix-shepherd-service): use them.
* doc/guix.texi: document them.

Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a
---
 doc/guix.texi         | 12 ++++++++++++
 gnu/services/base.scm | 38 ++++++++++++++++++++++++++++++++++----
 2 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index cb758f9005..fb750bd449 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19775,6 +19775,18 @@ Base Services Environment variables to be set before starting the daemon, as a list of @code{key=3Dvalue} strings. =20 +@item @code{socket-directory-permissions} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the build +daemon via its Unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-user} (default: @code{#f}) +@itemx @code{socket-directory-group} (default: @code{#f}) +User and group owning the @file{/var/guix/daemon-socket} directory or +@code{#f} to keep the user or group as root. + @end table @end deftp =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index fd2cc9d17a..0bd60c5eb5 100644 =2D-- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1880,7 +1880,14 @@ (define-record-type* (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings =2D (default '()))) + (default '())) + (socket-directory-permissions + guix-configuration-socket-directory-permissions + (default #o755)) + (socket-directory-group guix-configuration-socket-directory-group + (default #f)) + (socket-directory-user guix-configuration-socket-directory-user + (default #f))) =20 (define %default-guix-configuration (guix-configuration)) @@ -1944,7 +1951,9 @@ (define (guix-shepherd-service config) (guix build-group build-accounts authorize-key? authorized-keys use-substitutes? substitute-urls max-silent-time timeout log-compression discover? extra-options log-file =2D http-proxy tmpdir chroot-directories environment) + http-proxy tmpdir chroot-directories environment + socket-directory-permissions socket-directory-group + socket-directory-user) (list (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) 
@@ -1954,11 +1963,13 @@ (define (guix-shepherd-service config) shepherd-discover-action)) (modules '((srfi srfi-1) (ice-9 match) =2D (gnu build shepherd))) + (gnu build shepherd) + (guix build utils))) (start (with-imported-modules `(((guix config) =3D> ,(make-config.scm= )) ,@(source-module-closure =2D '((gnu build shepherd)) + '((gnu build shepherd) + (guix build utils)) #:select? not-config?)) #~(lambda args (define proxy 
@@ -1969,7 +1980,26 @@ (define (guix-shepherd-service config) (define discover? (or (getenv "discover") #$discover?)) =20 + (mkdir-p "/var/guix") + ;; Ensure that a fresh directory is used, in case the old + ;; one was more permissive and processes have a file + ;; descriptor referencing it hanging around, ready to use + ;; with openat. + (false-if-exception + (delete-file-recursively "/var/guix/daemon-socket")) + (let ((perms #$(logand socket-directory-permissions + (lognot #o022)))) + (mkdir "/var/guix/daemon-socket" perms) + ;; Override umask + (chmod "/var/guix/daemon-socket" perms)) + + (let* ((user #$socket-directory-user) + (uid (if user (passwd:uid (getpwnam user)) -1)) + (group #$socket-directory-group) + (gid (if group (group:gid (getgrnam group)) -1))) + (chown "/var/guix/daemon-socket" uid gid)) + ;; Start the guix-daemon from a container, when supporte= d, ;; to solve an installation issue. See the comment below= for ;; more details. =2D-=20 2.45.2
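Review bot: the doc/guix.texi hunk documents socket-directory-permissions as "Permissions to set for the directory" with default #o755, but the start hunk in base.scm always clears group and other write bits with (logand socket-directory-permissions (lognot #o022)), so a configured #o775 silently becomes #o755. Add a sentence to that @item, e.g. "Write permission for group and others is always removed.", so the effective mode is documented rather than discovered at runtime.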
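Review bot: the three new fields in the define-record-type* hunk carry no trailing type comment, unlike the neighbouring `(environment guix-configuration-environment ;list of strings` line. Add comments such as `;integer` for socket-directory-permissions and `;string | #f` for socket-directory-group and socket-directory-user, which also makes clear that the latter two take account names (they are passed to getpwnam and getgrnam in the start hunk), not numeric ids.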
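Review bot: in the start hunk, `(false-if-exception (delete-file-recursively "/var/guix/daemon-socket"))` swallows every error, including a failed removal of an existing directory; the following `(mkdir "/var/guix/daemon-socket" perms)` then fails with an unrelated EEXIST and the stale, possibly more permissive directory survives, which is exactly what the comment above it says must not happen. Ignore only the "does not exist" case and let other errors surface. Similarly, `(passwd:uid (getpwnam user))` and `(group:gid (getgrnam group))` raise a bare lookup error when the configured name is unknown, so a typo in socket-directory-user stops guix-daemon from starting without pointing at the field; resolving the names up front with a message that names the field would make that failure diagnosable.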
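The umask interaction Reepca describes above (mkdir applies PERMS & ~umask, so the result is never looser than PERMS, and a chmod afterwards lifts a stricter umask), next to the create-then-chmod window of the mkdir-p/perms pattern, as an added Python example that is not part of the patch or of Guix. The function names are my own, the directories are created under a temporary path, and the 0o022 mask mirrors the patch.

```python
import os
import shutil
import stat
import tempfile

# Strip write permission for group and others, like
# (logand socket-directory-permissions (lognot #o022)) in the patch.
NO_GROUP_OTHER_WRITE = 0o777 & ~0o022


def mode_of(path):
    """Permission bits (lowest 9) of PATH."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def create_restricted_dir(path, perms, uid=-1, gid=-1):
    """One-step pattern from the patch: fresh mkdir with PERMS, chmod to
    override the umask, then chown. Returns the mode seen at each step."""
    perms &= NO_GROUP_OTHER_WRITE
    # Fresh directory, so no stale descriptor to an older, more permissive
    # directory can be reused via openat (the patch's rationale).
    shutil.rmtree(path, ignore_errors=True)
    os.mkdir(path, perms)         # kernel applies perms & ~umask
    after_mkdir = mode_of(path)   # at most stricter than perms, never looser
    os.chmod(path, perms)         # lift a umask that is stricter than perms
    after_chmod = mode_of(path)
    os.chown(path, uid, gid)      # -1 keeps the current owner or group
    return {"requested": perms, "after_mkdir": after_mkdir, "after_chmod": after_chmod}


def two_step_window(path, perms):
    """mkdir-p/perms pattern criticised in the thread: create with the default
    0o777 (limited only by the umask), chmod later. Returns both modes."""
    shutil.rmtree(path, ignore_errors=True)
    os.mkdir(path)                # 0o777 & ~umask, usually 0o755
    window = mode_of(path)        # what other users see until the chmod
    os.chmod(path, perms)
    return {"window": window, "final": mode_of(path)}


def demo(umask):
    """Run both patterns under UMASK inside a temporary directory."""
    old = os.umask(umask)
    tmp = tempfile.mkdtemp()
    try:
        one = create_restricted_dir(os.path.join(tmp, "daemon-socket"), 0o775)
        two = two_step_window(os.path.join(tmp, "daemon-socket2"), 0o750)
        return {"one_step": one, "two_step": two}
    finally:
        os.umask(old)
        shutil.rmtree(tmp, ignore_errors=True)
```

Under a 0o077 umask the one-step directory starts at 0o700 and is lifted to 0o755 only by the explicit chmod; under 0o022 the two-step directory is world-readable (0o755) until its chmod to 0o750 runs.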