all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Christine Lemmer-Webber <cwebber@dustycloud.org>
To: Liliana Marie Prikler <liliana.prikler@ist.tugraz.at>
Cc: 54205@debbugs.gnu.org, attila@lendvai.name
Subject: [bug#54205] [PATCH v2] Factor out a public FORK-AND-CALL.
Date: Tue, 01 Mar 2022 12:14:55 -0500	[thread overview]
Message-ID: <87y21tk2yw.fsf@dustycloud.org> (raw)
In-Reply-To: <240241970295ff5351378c915461eea180cc79d5.camel@ist.tugraz.at>

Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes:

> Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai:
>> > In general, I think such capabilities should be added to exec-
>> > command, rather than resorting to a lambda. It takes a little while
>> > to realize that call-in-fork, fork-and-call or whatever you want to
>> > name it is in fact not pure evil; mainly because shepherd could in
>> > its stead already invoke any lambda you throw at it. That being
>> > said, one should always be aware that this child process runs with
>> > the full permissions of shepherd, which you normally don't want to
>> > do for a service.
>> 
>> 
>> does the above mean that you're concerned about the security
>> implications? if so, then i don't understand, because Guile already
>> allows calling/accessing private functions/symbols, and thus this
>> change doesn't really increase the (already enormous) attack surface
>> in the guile codebase.
> This attack surface is less enormous if you consider the average case
> of a shepherd service in which the arguments to fork+exec-command are
> already evaluated by the time the procedure is call and thus both
> "sane" within and without the fork.  Most of the time people are not
> too conscious about the fact that shepherd can already run arbitrary
> Guile code as part of actions and you typically only use that to its
> fullest extent when you're trying to do something real clever.

In general this would be improved if we move Guix in general, and the
Shepherd services in particular, to an object capability based security
model.

It's on my TODO to lay out a sketch for how this could happen, assuming
there's support for it in the community (which I don't expect to go one
way or another until a plan is laid out to talk about).




  reply	other threads:[~2022-03-01 17:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-01  7:06 [bug#54205] [PATCH Shepherd] Factor out a public CALL-IN-FORK Attila Lendvai
2022-03-01  7:29 ` [bug#54205] [PATCH v2] Factor out a public FORK-AND-CALL Attila Lendvai
2022-03-01 12:01   ` Liliana Marie Prikler
2022-03-01 13:04     ` Attila Lendvai
2022-03-01 14:01       ` Liliana Marie Prikler
2022-03-01 17:14         ` Christine Lemmer-Webber [this message]
2022-03-01 12:47 ` [bug#54205] [PATCH Shepherd] Factor out a public CALL-IN-FORK Maxime Devos
2022-03-02 16:05   ` Ludovic Courtès
2022-03-02 18:21     ` Maxime Devos
2022-03-03  8:04     ` Attila Lendvai
2022-03-21 13:03       ` bug#54205: " Ludovic Courtès

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87y21tk2yw.fsf@dustycloud.org \
    --to=cwebber@dustycloud.org \
    --cc=54205@debbugs.gnu.org \
    --cc=attila@lendvai.name \
    --cc=liliana.prikler@ist.tugraz.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.