Message ID | 20220301072927.26525-1-attila@lendvai.name |
---|---|
State | Accepted |
Headers | show |
Series | [bug#54205,v2] Factor out a public FORK-AND-CALL. | expand |
Context | Check | Description |
---|---|---|
cbaines/applying patch | fail | View Laminar job |
cbaines/issue | success | View issue |
Am Dienstag, dem 01.03.2022 um 08:29 +0100 schrieb Attila Lendvai: > This enables service implementations to easily inject code that is > run before their service is started. One such example is calling > setrlimit from a start action to set NOFILE (the open files limit), > before the service is exec'ed and inherits this value from the parent > process, i.e. from Shepherd. In general, I think such capabilities should be added to exec-command, rather than resorting to a lambda. It takes a little while to realize that call-in-fork, fork-and-call or whatever you want to name it is in fact not pure evil; mainly because shepherd could in its stead already invoke any lambda you throw at it. That being said, one should always be aware that this child process runs with the full permissions of shepherd, which you normally don't want to do for a service. > [...] > +(define* (fork-and-call thunk) > + "Call THUNK in a fork." > ;; Install the SIGCHLD handler if this is the first fork+exec- > command call. This docstring, as well as the procedure name only describe what is done with thunk in the crudest terms. What's more, I don't think it makes too much sense to restrict ourselves to thunks if we already run arbitrary code anyway. In my opinion, it ought to be > +(define* (fork+apply proc . args) > + "Spawn a process that calls PROC with ARGS and return its PID." > (unless %sigchld-handler-installed? > (sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP) > @@ -916,17 +906,34 @@ its PID." > ;; process. > (unblock-signals %precious-signals) > > - (exec-command command > - #:user user > - #:group group > - #:supplementary-groups supplementary- > groups > - #:log-file log-file > - #:directory directory > - #:file-creation-mask file-creation-mask > - #:create-session? create-session? > - #:environment-variables environment- > variables)) > + (apply proc args)) > pid)))) WDYT? > +(define* (fork+exec-command command > + #:key > + (user #f) > + (group #f) > + (supplementary-groups '()) > + (log-file #f) > + (directory (default-service-directory)) > + (file-creation-mask #f) > + (create-session? #t) > + (environment-variables > + (default-environment-variables))) > + "Spawn a process that executed COMMAND as per 'exec-command', and > return > +its PID." This is just copypasta from a previous mistake, but s/executed/executes/. Cheers
> In general, I think such capabilities should be added to exec-command, > rather than resorting to a lambda. It takes a little while to realize > that call-in-fork, fork-and-call or whatever you want to name it is in > fact not pure evil; mainly because shepherd could in its stead already > invoke any lambda you throw at it. That being said, one should always > be aware that this child process runs with the full permissions of > shepherd, which you normally don't want to do for a service. does the above mean that you're concerned about the security implications? if so, then i don't understand, because Guile already allows calling/accessing private functions/symbols, and thus this change doesn't really increase the (already enormous) attack surface in the guile codebase. it does increase the shoot-oneself-in-the-foot-surface a little bit, though. it's worth pointing out, though, that trusting a channel, and adding a shepherd service defined by it to the machine's config, is essentially giving root access to the channel author. and this is already the case, prior to my change. BTW, can i not already simply pass 0, or "root" as #:user to EXEC-COMMAND? > In my opinion, it ought to be > > > +(define* (fork+apply proc . args) > [...] > > WDYT? makes sense, i'll update the patch... but given the feedback from the two of you, should i? i think i'll abandon this, and implement Maxime's #:rlimits suggestion. i'm not sure how much better that will be, but at least it won't make future threading harder, and allows me to make progress with my project. if anyone prefers the FORK+APPLY version, then do speak up! -- • attila lendvai • PGP: 963F 5D5F 45C7 DFCD 0A39 -- “An atheist doesn't have to be someone who thinks he has a proof that there can't be a god. He only has to be someone who believes that the evidence on the God question is at a similar level to the evidence on the werewolf question.” — John McCarthy (1927–2011), father of Lisp
Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai: > > In general, I think such capabilities should be added to exec- > > command, rather than resorting to a lambda. It takes a little while > > to realize that call-in-fork, fork-and-call or whatever you want to > > name it is in fact not pure evil; mainly because shepherd could in > > its stead already invoke any lambda you throw at it. That being > > said, one should always be aware that this child process runs with > > the full permissions of shepherd, which you normally don't want to > > do for a service. > > > does the above mean that you're concerned about the security > implications? if so, then i don't understand, because Guile already > allows calling/accessing private functions/symbols, and thus this > change doesn't really increase the (already enormous) attack surface > in the guile codebase. This attack surface is less enormous if you consider the average case of a shepherd service in which the arguments to fork+exec-command are already evaluated by the time the procedure is call and thus both "sane" within and without the fork. Most of the time people are not too conscious about the fact that shepherd can already run arbitrary Guile code as part of actions and you typically only use that to its fullest extent when you're trying to do something real clever. > it does increase the shoot-oneself-in-the-foot-surface a little bit, > though. > > it's worth pointing out, though, that trusting a channel, and adding > a shepherd service defined by it to the machine's config, is > essentially giving root access to the channel author. and this is > already the case, prior to my change. > > BTW, can i not already simply pass 0, or "root" as #:user to EXEC- > COMMAND? Only if you're already root, i.e. this won't work for user shepherds, which can't become root (easily). On the other hand, I did get my user shepherd to launch pkexec commands, so that's that. > > > In my opinion, it ought to be > > > > > +(define* (fork+apply proc . args) > > [...] > > > > WDYT? > > makes sense, i'll update the patch... but given the feedback from the > two of you, should i? > > i think i'll abandon this, and implement Maxime's #:rlimits > suggestion. > > i'm not sure how much better that will be, but at least it won't make > future threading harder, and allows me to make progress with my > project. > > if anyone prefers the FORK+APPLY version, then do speak up! FWIW Maxime's complaint would also hold w.r.t. fork+exec-command, which would then be implemented in terms of fork+apply, so assuming that fork+exec-command still exists after the switch to multiple threads, we'd have to patch at least one location either way. fork+apply could make it so that less hacks are required overall to make all forking behaviour inside shepherd services as intended, but that's so far only a theoretical claim with no evidence to back it up. I think the real question is what you are trying to achieve here. If you only want to add rlimits, that's an exec-command thing. If you instead wanted to spawn a Guile function within a sandbox (rather than a completely new command), that would require something along the lines of fork+apply at least under the hood. With the things you've described, I don't think it makes sense (yet) to export fork+apply, but it might still make sense to refactor fork+exec-command under the hood. Cheers
Liliana Marie Prikler <liliana.prikler@ist.tugraz.at> writes: > Am Dienstag, dem 01.03.2022 um 13:04 +0000 schrieb Attila Lendvai: >> > In general, I think such capabilities should be added to exec- >> > command, rather than resorting to a lambda. It takes a little while >> > to realize that call-in-fork, fork-and-call or whatever you want to >> > name it is in fact not pure evil; mainly because shepherd could in >> > its stead already invoke any lambda you throw at it. That being >> > said, one should always be aware that this child process runs with >> > the full permissions of shepherd, which you normally don't want to >> > do for a service. >> >> >> does the above mean that you're concerned about the security >> implications? if so, then i don't understand, because Guile already >> allows calling/accessing private functions/symbols, and thus this >> change doesn't really increase the (already enormous) attack surface >> in the guile codebase. > This attack surface is less enormous if you consider the average case > of a shepherd service in which the arguments to fork+exec-command are > already evaluated by the time the procedure is call and thus both > "sane" within and without the fork. Most of the time people are not > too conscious about the fact that shepherd can already run arbitrary > Guile code as part of actions and you typically only use that to its > fullest extent when you're trying to do something real clever. In general this would be improved if we move Guix in general, and the Shepherd services in particular, to an object capability based security model. It's on my TODO to lay out a sketch for how this could happen, assuming there's support for it in the community (which I don't expect to go one way or another until a plan is laid out to talk about).
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm index ad8608b..8d5e30f 100644 --- a/modules/shepherd/service.scm +++ b/modules/shepherd/service.scm @@ -79,6 +79,7 @@ make-forkexec-constructor make-kill-destructor exec-command + fork-and-call fork+exec-command default-pid-file-timeout read-pid-file @@ -883,19 +884,8 @@ false." ;; Signals that the shepherd process handles. (list SIGCHLD SIGINT SIGHUP SIGTERM)) -(define* (fork+exec-command command - #:key - (user #f) - (group #f) - (supplementary-groups '()) - (log-file #f) - (directory (default-service-directory)) - (file-creation-mask #f) - (create-session? #t) - (environment-variables - (default-environment-variables))) - "Spawn a process that executed COMMAND as per 'exec-command', and return -its PID." +(define* (fork-and-call thunk) + "Call THUNK in a fork." ;; Install the SIGCHLD handler if this is the first fork+exec-command call. (unless %sigchld-handler-installed? (sigaction SIGCHLD handle-SIGCHLD SA_NOCLDSTOP) @@ -916,17 +906,34 @@ its PID." ;; process. (unblock-signals %precious-signals) - (exec-command command - #:user user - #:group group - #:supplementary-groups supplementary-groups - #:log-file log-file - #:directory directory - #:file-creation-mask file-creation-mask - #:create-session? create-session? - #:environment-variables environment-variables)) + (thunk)) pid)))) +(define* (fork+exec-command command + #:key + (user #f) + (group #f) + (supplementary-groups '()) + (log-file #f) + (directory (default-service-directory)) + (file-creation-mask #f) + (create-session? #t) + (environment-variables + (default-environment-variables))) + "Spawn a process that executed COMMAND as per 'exec-command', and return +its PID." + (fork-and-call + (lambda () + (exec-command command + #:user user + #:group group + #:supplementary-groups supplementary-groups + #:log-file log-file + #:directory directory + #:file-creation-mask file-creation-mask + #:create-session? create-session? + #:environment-variables environment-variables)))) + (define* (make-forkexec-constructor command #:key (user #f)