
[bug#67175,1/9] services: pagekite: Use ‘least-authority-wrapper’.

Message ID 52f588ecd8c438019142d9cb4766933407d42ee7.1699970930.git.ludo@gnu.org

Commit Message

Ludovic Courtès Nov. 14, 2023, 2:09 p.m. UTC
* gnu/services/networking.scm (pagekite-shepherd-service): Define
‘config-file’ and ‘mappings’; define ‘pagekite’ in terms of
‘least-authority-wrapper’.  Remove now-unneeded ‘with-imported-modules’
form and ‘modules’ field.  Use ‘make-forkexec-constructor’ instead of
‘make-forkexec-constructor/container’.

Change-Id: I7c6c6266785f6a0f81a69d85f070779a0d6edd91
---
 gnu/services/networking.scm | 35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)


diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 0508a4282c..d3376f9acb 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1918,29 +1918,34 @@  (define (pagekite-configuration-file config)
 (define (pagekite-shepherd-service config)
   (match-record config <pagekite-configuration>
     (package kitename kitesecret frontend kites extra-file)
-    (with-imported-modules (source-module-closure
-                            '((gnu build shepherd)
-                              (gnu system file-systems)))
+    (let* ((config-file (pagekite-configuration-file config))
+           (mappings (cons (file-system-mapping
+                            (source config-file)
+                            (target source))
+                           (if extra-file
+                               (list (file-system-mapping
+                                      (source extra-file)
+                                      (target source)))
+                               '())))
+           (pagekite (least-authority-wrapper
+                      (file-append package "/bin/pagekite")
+                      #:name "pagekite"
+                      #:mappings mappings
+                      ;; 'pagekite' changes user IDs to it needs to run in the
+                      ;; global user namespace.
+                      #:namespaces (fold delq %namespaces '(net user)))))
       (shepherd-service
        (documentation "Run the PageKite service.")
        (provision '(pagekite))
        (requirement '(networking))
-       (modules '((gnu build shepherd)
-                  (gnu system file-systems)))
-       (start #~(make-forkexec-constructor/container
-                 (list #$(file-append package "/bin/pagekite")
+       (start #~(make-forkexec-constructor
+                 (list #$pagekite
                        "--clean"
                        "--nullui"
                        "--nocrashreport"
                        "--runas=pagekite:pagekite"
-                       (string-append "--optfile="
-                                      #$(pagekite-configuration-file config)))
-                 #:log-file "/var/log/pagekite.log"
-                 #:mappings #$(if extra-file
-                                  #~(list (file-system-mapping
-                                           (source #$extra-file)
-                                           (target source)))
-                                  #~'())))
+                       (string-append "--optfile=" #$config-file))
+                 #:log-file "/var/log/pagekite.log"))
        ;; SIGTERM doesn't always work for some reason.
        (stop #~(make-kill-destructor SIGINT))))))
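Review bot: The comment above the `#:namespaces` argument is garbled — `;; 'pagekite' changes user IDs to it needs to run in the` should read `;; 'pagekite' changes user IDs, so it needs to run in the` — and it deserves to be precise, because that line is the one deliberate widening of the sandbox: the wrapper still isolates the remaining namespaces in `%namespaces`, while `net` is kept shared for the listener and `user` is kept shared so that `--runas=pagekite:pagekite` can switch identity. It would also help a reader to say in the same comment that `user` is dropped for `--runas` specifically, so that nobody later removes the flag without revisiting the namespace choice. The `fold`/`delq` idiom presumably relies on SRFI-1 already being imported by the module, which is outside this hunk — worth confirming rather than assuming. The hunk header counts one more context line than is shown here, so the trailing line after the `stop` clause appears to have been cut off in this rendering.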