[bug#73925] add access control to daemon socket in shepherd service
Commit Message
Passing "--disable-chroot" to guix-daemon makes it possible for the
build users to be taken over by anybody who can start a build: they need
only cause a builder to put a setuid binary in /tmp. That being said,
there are some situations where it currently can't be avoided, like on
Hurd. It would also probably be good to have the ability to harden a
guix daemon in general by restricting access to it. For example,
there's no reason that the ntpd user needs access to the guix daemon
(note that this is distinct from access to the *store*, which is of
course always world-readable).
The attached patch implements that restriction for users of
guix-service-type by limiting access to /var/guix/daemon-socket in
accordance with the user-supplied permissions, user, and group.
Example usage:
------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
(guix-service-type config =>
(guix-configuration
(inherit config)
(socket-directory-perms #o750)
(socket-directory-group "users"))))
------------------------------------
- reepca
Comments
Hi,
Reepca Russelstein <reepca@russelstein.xyz> skribis:
> From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
> Message-ID: <b5163889efb544cfe83cd2bcb3ebd3a957c95a18.1729465936.git.reepca@russelstein.xyz>
> From: Reepca Russelstein <reepca@russelstein.xyz>
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
> socket.
>
> * gnu/services/base.scm
> (guix-configuration-socket-directory-{perms,group,user}): new fields.
> (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc
That’s a welcome addition.
> +@item @code{socket-directory-perms} (default: @code{#o755})
s/perms/permissions/
> +Permissions to set for the directory @file{/var/guix/daemon-socket}.
> +This, together with @code{socket-directory-group} and
> +@code{socket-directory-user}, determines who can connect to the guix
> +daemon via its unix socket. TCP socket operation is unaffected by
> +these.
s/guix daemon/build daemon/ and s/unix/Unix/
> +@item @code{socket-directory-group} (default: @code{#f})
> +Group to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its group as root.
> +
> +@item @code{socket-directory-user} (default: @code{#f})
> +User to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its user as root.
Maybe group them together:
@item @code{socket-directory-user} (default: @code{#f})
@itemx @code{socket-directory-group} (default: @code{#f})
User and group owning the @file{/var/guix/daemon-socket} directory.
…
> - (guix build-group build-accounts authorize-key? authorized-keys
> - use-substitutes? substitute-urls max-silent-time timeout
> - log-compression discover? extra-options log-file
> - http-proxy tmpdir chroot-directories environment)
> + (guix build-group build-accounts authorize-key? authorized-keys
Please avoid reindenting.
> + ;; Ensure that a fresh directory is used, in case the old
> + ;; one was more permissive and processes have a file
> + ;; descriptor referencing it hanging around, ready to use
> + ;; with openat.
> + (false-if-exception
> + (delete-file-recursively "/var/guix/daemon-socket"))
> + (let ((perms #$(logand socket-directory-perms
> + (lognot #o022))))
> + (mkdir "/var/guix/daemon-socket" perms)
> + ;; Override umask
> + (chmod "/var/guix/daemon-socket" perms))
Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in
two steps?
Apart from that it LGTM.
Could you send an updated patch?
Thanks,
Ludo’.
From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
Message-ID: <b5163889efb544cfe83cd2bcb3ebd3a957c95a18.1729465936.git.reepca@russelstein.xyz>
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: [PATCH] services: guix-configuration: add access control to daemon
socket.
* gnu/services/base.scm
(guix-configuration-socket-directory-{perms,group,user}): new fields.
(guix-shepherd-service): use them.
* doc/guix.texi: document them.
Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc
---
doc/guix.texi | 15 +++++++++++++++
gnu/services/base.scm | 43 ++++++++++++++++++++++++++++++++++++-------
2 files changed, 51 insertions(+), 7 deletions(-)
@@ -19775,6 +19775,21 @@ Base Services
Environment variables to be set before starting the daemon, as a list of
@code{key=value} strings.
+@item @code{socket-directory-perms} (default: @code{#o755})
+Permissions to set for the directory @file{/var/guix/daemon-socket}.
+This, together with @code{socket-directory-group} and
+@code{socket-directory-user}, determines who can connect to the guix
+daemon via its unix socket. TCP socket operation is unaffected by
+these.
+
+@item @code{socket-directory-group} (default: @code{#f})
+Group to set for the directory @file{/var/guix/daemon-socket}, or
+@code{#f} to keep its group as root.
+
+@item @code{socket-directory-user} (default: @code{#f})
+User to set for the directory @file{/var/guix/daemon-socket}, or
+@code{#f} to keep its user as root.
+
@end table
@end deftp
@@ -1880,7 +1880,13 @@ (define-record-type* <guix-configuration>
(build-machines guix-configuration-build-machines ;list of gexps | '()
(default '()))
(environment guix-configuration-environment ;list of strings
- (default '())))
+ (default '()))
+ (socket-directory-perms guix-configuration-socket-directory-perms
+ (default #o755))
+ (socket-directory-group guix-configuration-socket-directory-group
+ (default #f))
+ (socket-directory-user guix-configuration-socket-directory-user
+ (default #f)))
(define %default-guix-configuration
(guix-configuration))
@@ -1941,10 +1947,12 @@ (define (guix-shepherd-service config)
glibc-utf8-locales)))
(match-record config <guix-configuration>
- (guix build-group build-accounts authorize-key? authorized-keys
- use-substitutes? substitute-urls max-silent-time timeout
- log-compression discover? extra-options log-file
- http-proxy tmpdir chroot-directories environment)
+ (guix build-group build-accounts authorize-key? authorized-keys
+ use-substitutes? substitute-urls max-silent-time timeout
+ log-compression discover? extra-options log-file
+ http-proxy tmpdir chroot-directories environment
+ socket-directory-perms socket-directory-group
+ socket-directory-user)
(list (shepherd-service
(documentation "Run the Guix daemon.")
(provision '(guix-daemon))
@@ -1954,11 +1962,13 @@ (define (guix-shepherd-service config)
shepherd-discover-action))
(modules '((srfi srfi-1)
(ice-9 match)
- (gnu build shepherd)))
+ (gnu build shepherd)
+ (guix build utils)))
(start
(with-imported-modules `(((guix config) => ,(make-config.scm))
,@(source-module-closure
- '((gnu build shepherd))
+ '((gnu build shepherd)
+ (guix build utils))
#:select? not-config?))
#~(lambda args
(define proxy
@@ -1969,7 +1979,26 @@ (define (guix-shepherd-service config)
(define discover?
(or (getenv "discover") #$discover?))
+ (mkdir-p "/var/guix")
+ ;; Ensure that a fresh directory is used, in case the old
+ ;; one was more permissive and processes have a file
+ ;; descriptor referencing it hanging around, ready to use
+ ;; with openat.
+ (false-if-exception
+ (delete-file-recursively "/var/guix/daemon-socket"))
+ (let ((perms #$(logand socket-directory-perms
+ (lognot #o022))))
+ (mkdir "/var/guix/daemon-socket" perms)
+ ;; Override umask
+ (chmod "/var/guix/daemon-socket" perms))
+
+ (let* ((user #$socket-directory-user)
+ (uid (if user (passwd:uid (getpwnam user)) -1))
+ (group #$socket-directory-group)
+ (gid (if group (group:gid (getgrnam group)) -1)))
+ (chown "/var/guix/daemon-socket" uid gid))
+
;; Start the guix-daemon from a container, when supported,
;; to solve an installation issue. See the comment below for
;; more details.
--
2.45.2