| Message ID | fafb2565-5593-aabb-1852-2af4e7dd7478@gmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id EF3C527BBEA; Fri, 18 Mar 2022 21:49:25 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FROM,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 8263127BBE9 for <patchwork@mira.cbaines.net>; Fri, 18 Mar 2022 21:49:25 +0000 (GMT) Received: from localhost ([::1]:58480 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>) id 1nVKTM-0000oV-1t for patchwork@mira.cbaines.net; Fri, 18 Mar 2022 17:49:24 -0400 Received: from eggs.gnu.org ([209.51.188.92]:41576) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nVKT0-0000nP-3B for guix-patches@gnu.org; Fri, 18 Mar 2022 17:49:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:36419) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nVKSz-0008G9-OY for guix-patches@gnu.org; Fri, 18 Mar 2022 17:49:01 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1nVKSz-0004TZ-KO for guix-patches@gnu.org; Fri, 18 Mar 2022 17:49:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#54309] What is the process from here? Resent-From: fesoj000 <fesoj000@gmail.com> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 18 Mar 2022 21:49:01 +0000 Resent-Message-ID: <handler.54309.B54309.164764012017169@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54309 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: Liliana Marie Prikler <liliana.prikler@gmail.com>, 54309@debbugs.gnu.org Received: via spool by 54309-submit@debbugs.gnu.org id=B54309.164764012017169 (code B ref 54309); Fri, 18 Mar 2022 21:49:01 +0000 Received: (at 54309) by debbugs.gnu.org; 18 Mar 2022 21:48:40 +0000 Received: from localhost ([127.0.0.1]:58549 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1nVKSd-0004Sr-RV for submit@debbugs.gnu.org; Fri, 18 Mar 2022 17:48:40 -0400 Received: from mail-ej1-f45.google.com ([209.85.218.45]:42534) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <fesoj000@gmail.com>) id 1nVKSc-0004Sf-ME for 54309@debbugs.gnu.org; Fri, 18 Mar 2022 17:48:39 -0400 Received: by mail-ej1-f45.google.com with SMTP id j15so5365965eje.9 for <54309@debbugs.gnu.org>; Fri, 18 Mar 2022 14:48:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=message-id:date:mime-version:user-agent:subject:content-language:to :references:from:in-reply-to:content-transfer-encoding; bh=+lGFlsXR4IzFbRH7Ui0Z1lTGoSltAYPYoJYfwN7Q+w8=; b=eL5OonMqZFuQ9NI/pfbubLdxb+sjO5t77X27PDovKg8H/xM1pNt+kxC7izTuz0MQv/ 6bNWgKG6Js9MTvUYatkcbAAFnHuMvO9LHBke8GeziaP/wKK4vf3Lmxf8MD7xoOx5cF15 /qHV5Z7W8sKYGtklZ9Jy8D23TfdGBWPExp6NTUSITOynkkBUBRryI0hOKrjqOrPhonqI p1SKPhumO7ukrchFhdeTB4R7rkBLTEpgBYtX0LA6ZVRYdmirJNk157GwiYk5cn8bZWmn BwvN9JhjFl1/QUFdPdnoKS2URiwZJEZZm97BdIMwq+Q1F91WKKsRNuE7ltKfr+KRYAz0 unNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:message-id:date:mime-version:user-agent:subject :content-language:to:references:from:in-reply-to :content-transfer-encoding; bh=+lGFlsXR4IzFbRH7Ui0Z1lTGoSltAYPYoJYfwN7Q+w8=; b=8JJzcl6nwKKXqdQsGZawbKaB19jGMfJtNcHHl/rKeV/SYvQIKhKTrVXFzFKWSxYex7 SpoqvelwqHsGCKBySa/6e6AAlwkoF25/tvk+Q5UQ7GhqOFPMQ7Vr80o9FsLnHYz+lOEQ 7p2TGdqpGK2viFfkdbmCv7+G+TF3OjFOl/fAXG0SAqB9ELVKOY4fGCdWWrvw+p/58Owh M/YLXr7grb91Yz+pNr1KrFkkUFP1vsFJyRAFpNX0IBxatWLRWuFvsCBPcHVQr4zNLSb2 IKwL/7ktELtalg1yGZLlT6t3jhdaIO6ufHCcX397gOnoyNMM47l/koqVtye1zqq2X+3d KMHQ== X-Gm-Message-State: AOAM532Z3R9F3nPIFT5rTC7z/0mbSmx6T8Lm8vh0/yYcvFPszh4BxOW4 DiCvVSuYnryuMB5uSWz9pvk= X-Google-Smtp-Source: ABdhPJz/z66+WyQeFV67DgTlbfu3S0IL1MOgicxJW/o1s4Ph/Pz4X8gSMpdvvpZoXxyBetcJ6CcBfg== X-Received: by 2002:a17:907:7ba3:b0:6df:b07c:ee35 with SMTP id ne35-20020a1709077ba300b006dfb07cee35mr5691994ejc.588.1647640112414; Fri, 18 Mar 2022 14:48:32 -0700 (PDT) Received: from ?IPV6:2003:ee:af2f:e00:c2f9:c2bb:bf95:1fc5? (p200300eeaf2f0e00c2f9c2bbbf951fc5.dip0.t-ipconnect.de. [2003:ee:af2f:e00:c2f9:c2bb:bf95:1fc5]) by smtp.gmail.com with ESMTPSA id h30-20020a056402095e00b00412b81dd96esm4568047edz.29.2022.03.18.14.48.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 18 Mar 2022 14:48:32 -0700 (PDT) Message-ID: <fafb2565-5593-aabb-1852-2af4e7dd7478@gmail.com> Date: Fri, 18 Mar 2022 22:48:30 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Content-Language: en-US References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@gmail.com> <8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@gmail.com> From: fesoj000 <fesoj000@gmail.com> In-Reply-To: <8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@gmail.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches |
| Series |
[bug#54309] What is the process from here?
|
|
Commit Message
fesoj000
March 18, 2022, 9:48 p.m. UTC
On 3/18/22 9:06 PM, Liliana Marie Prikler wrote: >> So, i assume that there has to be interest and time from a guix >> developer to review, maybe test and then integrate the >> changes/packages into one of the branches. > Note that there have already been two people reviewing; you currently > owe me a v2 addressing the TOCTOU "race" of creating the audit > directory without 700 permissions. Yes, that is true. But i addressed the rest, i think. New version inline. From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00 2001 From: fesoj000 <fesoj000@gmail.com> Date: Wed, 9 Mar 2022 20:07:42 +0100 Subject: [PATCH] services: auditd: use exclusive log directory for auditd Use /var/log/audit for auditd. This is the upstream default. Further, rework the config file generated by auditd-service-type. Only write values which diverge from the upstream default. * gnu/services/auditd.scm: add auditd-activation function and extend activation-service-type. --- gnu/services/auditd.scm | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-)
Comments
Am Freitag, dem 18.03.2022 um 22:48 +0100 schrieb fesoj000: > On 3/18/22 9:06 PM, Liliana Marie Prikler wrote: > > > So, i assume that there has to be interest and time from a guix > > > developer to review, maybe test and then integrate the > > > changes/packages into one of the branches. > > Note that there have already been two people reviewing; you > > currently > > owe me a v2 addressing the TOCTOU "race" of creating the audit > > directory without 700 permissions. > Yes, that is true. But i addressed the rest, i think. New version > inline. For the record, inline patches generate noise that's hard to separate when applying, so you'd probably want to avoid them. If you don't have git send-email set up regular attachments also work for some, though they do become tedious as well with series. > From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00 > 2001 > From: fesoj000 <fesoj000@gmail.com> > Date: Wed, 9 Mar 2022 20:07:42 +0100 > Subject: [PATCH] services: auditd: use exclusive log directory for > auditd > > Use /var/log/audit for auditd. This is the upstream default. > > Further, rework the config file generated by auditd-service-type. > Only > write values which diverge from the upstream default. > > * gnu/services/auditd.scm: add auditd-activation function and extend > activation-service-type. > --- > gnu/services/auditd.scm | 20 +++++++++++++++----- > 1 file changed, 15 insertions(+), 5 deletions(-) > > diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm > index abde811f51..602a6c5a48 100644 > --- a/gnu/services/auditd.scm > +++ b/gnu/services/auditd.scm > @@ -31,10 +31,10 @@ (define-module (gnu services auditd) > %default-auditd-configuration-directory)) > > (define auditd.conf > - (plain-file "auditd.conf" "log_file = > /var/log/audit.log\nlog_format = \ > -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ > -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ > -ignore\ndisk_error_action = syslog\n")) > + (plain-file "auditd.conf" "\ > +space_left = 5% > +space_left_action = syslog > +")) I can understand discarding the log_file entry because we now use upstream default, but the rest should remain imo. > (define %default-auditd-configuration-directory > (computed-file "auditd" > @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration> > (default audit)) > (configuration-directory auditd-configuration-configuration- > directory)) ; file-like > > +(define (auditd-activation config) > + (with-imported-modules '((guix build utils)) > + #~(begin > + (use-modules (guix build utils)) > + (let ((var-log-audit "/var/log/audit")) > + (umask #o077) > + (mkdir-p var-log-audit))))) > + This would also apply umask 077 to /var and /var/log if those don't already exist. More importantly, code executed after that will also inherit the umask, which I don't think is the intended consequence. Cheers
On 3/18/22 11:36 PM, Liliana Marie Prikler wrote: > Am Freitag, dem 18.03.2022 um 22:48 +0100 schrieb fesoj000: >> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote: >>>> So, i assume that there has to be interest and time from a guix >>>> developer to review, maybe test and then integrate the >>>> changes/packages into one of the branches. >>> Note that there have already been two people reviewing; you >>> currently >>> owe me a v2 addressing the TOCTOU "race" of creating the audit >>> directory without 700 permissions. >> Yes, that is true. But i addressed the rest, i think. New version >> inline. > For the record, inline patches generate noise that's hard to separate > when applying, so you'd probably want to avoid them. If you don't have > git send-email set up regular attachments also work for some, though > they do become tedious as well with series. > >> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00 >> 2001 >> From: fesoj000 <fesoj000@gmail.com> >> Date: Wed, 9 Mar 2022 20:07:42 +0100 >> Subject: [PATCH] services: auditd: use exclusive log directory for >> auditd >> >> Use /var/log/audit for auditd. This is the upstream default. >> >> Further, rework the config file generated by auditd-service-type. >> Only >> write values which diverge from the upstream default. >> >> * gnu/services/auditd.scm: add auditd-activation function and extend >> activation-service-type. >> --- >> gnu/services/auditd.scm | 20 +++++++++++++++----- >> 1 file changed, 15 insertions(+), 5 deletions(-) >> >> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm >> index abde811f51..602a6c5a48 100644 >> --- a/gnu/services/auditd.scm >> +++ b/gnu/services/auditd.scm >> @@ -31,10 +31,10 @@ (define-module (gnu services auditd) >> %default-auditd-configuration-directory)) >> >> (define auditd.conf >> - (plain-file "auditd.conf" "log_file = >> /var/log/audit.log\nlog_format = \ >> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ >> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ >> -ignore\ndisk_error_action = syslog\n")) >> + (plain-file "auditd.conf" "\ >> +space_left = 5% >> +space_left_action = syslog >> +")) > I can understand discarding the log_file entry because we now use > upstream default, but the rest should remain imo. Alright. Lets first keep all options. At another point in time we can rethink the default options. Maybe when implementing configuration for auditd. >> (define %default-auditd-configuration-directory >> (computed-file "auditd" >> @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration> >> (default audit)) >> (configuration-directory auditd-configuration-configuration- >> directory)) ; file-like >> >> +(define (auditd-activation config) >> + (with-imported-modules '((guix build utils)) >> + #~(begin >> + (use-modules (guix build utils)) >> + (let ((var-log-audit "/var/log/audit")) >> + (umask #o077) >> + (mkdir-p var-log-audit))))) >> + > This would also apply umask 077 to /var and /var/log if those don't > already exist. Hm, it seems that 'gnu/services.scm: (activation-script)' ensures the existence of /var/log before the auditd activation gexp is running. So, the reasoning behind your remark is that we can not guarantee the existence of /var/log in every case? What cases might that be? I will take care of it anyway for the sake of robustness, but i am curious. > More importantly, code executed after that will also > inherit the umask, which I don't think is the intended consequence. I was under the impression that every activation script is run it its own process. But that is not the case. This changes things, more care is needed. Patch will follow later.
Liliana Marie Prikler schreef op vr 18-03-2022 om 23:36 [+0100]: > > +(define (auditd-activation config) > > + (with-imported-modules '((guix build utils)) > > + #~(begin > > + (use-modules (guix build utils)) > > + (let ((var-log-audit "/var/log/audit")) > > + (umask #o077) > > + (mkdir-p var-log-audit))))) > > + > This would also apply umask 077 to /var and /var/log if those don't > already exist. More importantly, code executed after that will also > inherit the umask, which I don't think is the intended consequence. More concretely, the procedure 'mkdir-p/perms' would address the umask issue, but not the potential ‘oops too restrictive permissions for /var and /var/log' issue. Additionally, as var-log-audit is only used in a single place, you could simplify to #~(begin (use-modules ...) (mkdir-p/perms "/var/log/audit")) here. Greetings, Maxime.
On 3/20/22 12:09 AM, Maxime Devos wrote: > Liliana Marie Prikler schreef op vr 18-03-2022 om 23:36 [+0100]: >>> +(define (auditd-activation config) >>> + (with-imported-modules '((guix build utils)) >>> + #~(begin >>> + (use-modules (guix build utils)) >>> + (let ((var-log-audit "/var/log/audit")) >>> + (umask #o077) >>> + (mkdir-p var-log-audit))))) >>> + >> This would also apply umask 077 to /var and /var/log if those don't >> already exist. More importantly, code executed after that will also >> inherit the umask, which I don't think is the intended consequence. > > More concretely, the procedure 'mkdir-p/perms' would address the umask > issue, but not the potential ‘oops too restrictive permissions for /var > and /var/log' issue. Ok, i can assume that a future version of 'mkdir-p/perms' will handle the umask. Should the activation now handle potential permission problems from past activations and auditd starts? Can you try to explain in more detail please? BR
Am Dienstag, dem 22.03.2022 um 17:50 +0100 schrieb fesoj000: > On 3/20/22 12:09 AM, Maxime Devos wrote: > > Liliana Marie Prikler schreef op vr 18-03-2022 om 23:36 [+0100]: > > > > +(define (auditd-activation config) > > > > + (with-imported-modules '((guix build utils)) > > > > + #~(begin > > > > + (use-modules (guix build utils)) > > > > + (let ((var-log-audit "/var/log/audit")) > > > > + (umask #o077) > > > > + (mkdir-p var-log-audit))))) > > > > + > > > This would also apply umask 077 to /var and /var/log if those > > > don't already exist. More importantly, code executed after that > > > will also inherit the umask, which I don't think is the intended > > > consequence. > > > > More concretely, the procedure 'mkdir-p/perms' would address the > > umask issue, but not the potential ‘oops too restrictive > > permissions for /var and /var/log' issue. > Ok, i can assume that a future version of 'mkdir-p/perms' will handle > the umask. > > Should the activation now handle potential permission problems from > past activations and auditd starts? Can you try to explain in more > detail please? My personal solution would be to use (mkdir-p "/var/log") followed by (mkdir "/var/log/audit" #o700). Cheers
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm index abde811f51..602a6c5a48 100644 --- a/gnu/services/auditd.scm +++ b/gnu/services/auditd.scm @@ -31,10 +31,10 @@ (define-module (gnu services auditd) %default-auditd-configuration-directory)) (define auditd.conf - (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \ -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \ -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \ -ignore\ndisk_error_action = syslog\n")) + (plain-file "auditd.conf" "\ +space_left = 5% +space_left_action = syslog +")) (define %default-auditd-configuration-directory (computed-file "auditd" @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration> (default audit)) (configuration-directory auditd-configuration-configuration-directory)) ; file-like +(define (auditd-activation config) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (let ((var-log-audit "/var/log/audit")) + (umask #o077) + (mkdir-p var-log-audit))))) + (define (auditd-shepherd-service config) (let* ((audit (auditd-configuration-audit config)) (configuration-directory (auditd-configuration-configuration-directory config))) @@ -67,7 +75,9 @@ (define auditd-service-type (extensions (list (service-extension shepherd-root-service-type - auditd-shepherd-service))) + auditd-shepherd-service) + (service-extension activation-service-type + auditd-activation))) (default-value (auditd-configuration (configuration-directory %default-auditd-configuration-directory)))))