
[bug#54997,12/12] services: quassel: Use 'least-authority-wrapper'.

Message ID 20220417210453.27884-12-ludo@gnu.org
State Accepted
Series Add "least authority" program wrapper | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Ludovic Courtès April 17, 2022, 9:04 p.m. UTC
* gnu/services/messaging.scm (quassel-shepherd-service): Use
'least-authority-wrapper' instead of
'make-forkexec-constructor/container'.
---
 gnu/services/messaging.scm | 42 ++++++++++++++++++++------------------
 1 file changed, 22 insertions(+), 20 deletions(-)

Comments

M April 18, 2022, 9:12 a.m. UTC | #1
Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
> +                     ;; XXX: The daemon needs to live in the main user
> +                     ;; namespace, as root, so it can access /var/lib/quassel
> +                     ;; owned by "quasselcore".

The previous code did not have this comment, was the old code broken or
is this a limitation of least-authority-wrapper?

Greetings,
Maxime.
Ludovic Courtès April 19, 2022, 9:59 p.m. UTC | #2
Hi Maxime,

Maxime Devos <maximedevos@telenet.be> skribis:

> Ludovic Courtès schreef op zo 17-04-2022 om 23:04 [+0200]:
>> +                     ;; XXX: The daemon needs to live in the main user
>> +                     ;; namespace, as root, so it can access /var/lib/quassel
>> +                     ;; owned by "quasselcore".
>
> The previous code did not have this comment, was the old code broken or
> is this a limitation of least-authority-wrapper?

It’s just that ‘make-forkexec-constructor/container’ does it by default:

--8<---------------cut here---------------start------------->8---
(define (default-namespaces args)
  ;; Most daemons are here to talk to the network, and most of them expect to
  ;; run under a non-zero UID.
  (fold delq %namespaces '(net user)))
--8<---------------cut here---------------end--------------->8---

‘least-authority-wrapper’ is stricter by defaulting to ‘%namespaces’.

Ludo’.

Patch

diff --git a/gnu/services/messaging.scm b/gnu/services/messaging.scm
index 7fdd8cf285..05bf6e784b 100644
--- a/gnu/services/messaging.scm
+++ b/gnu/services/messaging.scm
@@ -939,29 +939,31 @@  (define-record-type* <quassel-configuration>
 (define quassel-shepherd-service
   (match-lambda
     (($ <quassel-configuration> quassel interface port loglevel)
-     (with-imported-modules (source-module-closure
-                              '((gnu build shepherd)
-                                (gnu system file-systems)))
+     (let ((quassel (least-authority-wrapper
+                     (file-append quassel "/bin/quasselcore")
+                     #:name "quasselcore"
+                     #:mappings (list (file-system-mapping
+                                       (source "/var/lib/quassel")
+                                       (target source)
+                                       (writable? #t))
+                                      (file-system-mapping
+                                       (source "/var/log/quassel")
+                                       (target source)
+                                       (writable? #t)))
+                     ;; XXX: The daemon needs to live in the main user
+                     ;; namespace, as root, so it can access /var/lib/quassel
+                     ;; owned by "quasselcore".
+                     #:namespaces (fold delq %namespaces '(net user)))))
        (list (shepherd-service
                (provision '(quassel))
                (requirement '(user-processes networking))
-               (modules '((gnu build shepherd)
-                          (gnu system file-systems)))
-               (start #~(make-forkexec-constructor/container
-                          (list #$(file-append quassel "/bin/quasselcore")
-                                "--configdir=/var/lib/quassel"
-                                "--logfile=/var/log/quassel/core.log"
-                                (string-append "--loglevel=" #$loglevel)
-                                (string-append "--port=" (number->string #$port))
-                                (string-append "--listen=" #$interface))
-                          #:mappings (list (file-system-mapping
-                                             (source "/var/lib/quassel")
-                                             (target source)
-                                             (writable? #t))
-                                           (file-system-mapping
-                                             (source "/var/log/quassel")
-                                             (target source)
-                                             (writable? #t)))))
+               (start #~(make-forkexec-constructor
+                         (list #$quassel
+                               "--configdir=/var/lib/quassel"
+                               "--logfile=/var/log/quassel/core.log"
+                               (string-append "--loglevel=" #$loglevel)
+                               (string-append "--port=" (number->string #$port))
+                               (string-append "--listen=" #$interface))))
                (stop  #~(make-kill-destructor))))))))
 
 (define %quassel-account
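Review bot: The new XXX comment above `#:namespaces (fold delq %namespaces '(net user))` records that quasselcore runs as root in the main user namespace, but not what that costs. `make-forkexec-constructor` is called without `#:user`, and the daemon listens on `#$interface`/`#$port` with the host network namespace, so a compromise of quasselcore yields host root limited only by the remaining namespaces and the two writable mappings. I would spell that out in the comment and leave a marker for follow-up, e.g. `;; XXX: Network-facing and still uid 0 in the host user namespace: the wrapper narrows what the daemon can see, not its privileges.` followed by `;; TODO: run as "quasselcore" once the wrapper can set up its namespaces unprivileged.` Whether passing `#:user "quasselcore"` and removing only `net` from the list would already work depends on how the wrapper creates its namespaces, which this hunk does not show, so that needs testing before it is changed.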