From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
Message-ID: <b5163889efb544cfe83cd2bcb3ebd3a957c95a18.1729465936.git.reepca@russelstein.xyz>
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: [PATCH] services: guix-configuration: add access control to daemon
socket.
* gnu/services/base.scm
(guix-configuration-socket-directory-{perms,group,user}): new fields.
(guix-shepherd-service): use them.
* doc/guix.texi: document them.
Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc
---
doc/guix.texi | 15 +++++++++++++++
gnu/services/base.scm | 43 ++++++++++++++++++++++++++++++++++++-------
2 files changed, 51 insertions(+), 7 deletions(-)
@@ -19775,6 +19775,21 @@ Base Services
Environment variables to be set before starting the daemon, as a list of
@code{key=value} strings.
+@item @code{socket-directory-perms} (default: @code{#o755})
+Permissions to set for the directory @file{/var/guix/daemon-socket}.
+This, together with @code{socket-directory-group} and
+@code{socket-directory-user}, determines who can connect to the guix
+daemon via its unix socket. TCP socket operation is unaffected by
+these.
+
+@item @code{socket-directory-group} (default: @code{#f})
+Group to set for the directory @file{/var/guix/daemon-socket}, or
+@code{#f} to keep its group as root.
+
+@item @code{socket-directory-user} (default: @code{#f})
+User to set for the directory @file{/var/guix/daemon-socket}, or
+@code{#f} to keep its user as root.
+
@end table
@end deftp
@@ -1880,7 +1880,13 @@ (define-record-type* <guix-configuration>
(build-machines guix-configuration-build-machines ;list of gexps | '()
(default '()))
(environment guix-configuration-environment ;list of strings
- (default '())))
+ (default '()))
+ (socket-directory-perms guix-configuration-socket-directory-perms
+ (default #o755))
+ (socket-directory-group guix-configuration-socket-directory-group
+ (default #f))
+ (socket-directory-user guix-configuration-socket-directory-user
+ (default #f)))
(define %default-guix-configuration
(guix-configuration))
@@ -1941,10 +1947,12 @@ (define (guix-shepherd-service config)
glibc-utf8-locales)))
(match-record config <guix-configuration>
- (guix build-group build-accounts authorize-key? authorized-keys
- use-substitutes? substitute-urls max-silent-time timeout
- log-compression discover? extra-options log-file
- http-proxy tmpdir chroot-directories environment)
+ (guix build-group build-accounts authorize-key? authorized-keys
+ use-substitutes? substitute-urls max-silent-time timeout
+ log-compression discover? extra-options log-file
+ http-proxy tmpdir chroot-directories environment
+ socket-directory-perms socket-directory-group
+ socket-directory-user)
(list (shepherd-service
(documentation "Run the Guix daemon.")
(provision '(guix-daemon))
@@ -1954,11 +1962,13 @@ (define (guix-shepherd-service config)
shepherd-discover-action))
(modules '((srfi srfi-1)
(ice-9 match)
- (gnu build shepherd)))
+ (gnu build shepherd)
+ (guix build utils)))
(start
(with-imported-modules `(((guix config) => ,(make-config.scm))
,@(source-module-closure
- '((gnu build shepherd))
+ '((gnu build shepherd)
+ (guix build utils))
#:select? not-config?))
#~(lambda args
(define proxy
@@ -1969,7 +1979,26 @@ (define (guix-shepherd-service config)
(define discover?
(or (getenv "discover") #$discover?))
+ (mkdir-p "/var/guix")
+ ;; Ensure that a fresh directory is used, in case the old
+ ;; one was more permissive and processes have a file
+ ;; descriptor referencing it hanging around, ready to use
+ ;; with openat.
+ (false-if-exception
+ (delete-file-recursively "/var/guix/daemon-socket"))
+ (let ((perms #$(logand socket-directory-perms
+ (lognot #o022))))
+ (mkdir "/var/guix/daemon-socket" perms)
+ ;; Override umask
+ (chmod "/var/guix/daemon-socket" perms))
+
+ (let* ((user #$socket-directory-user)
+ (uid (if user (passwd:uid (getpwnam user)) -1))
+ (group #$socket-directory-group)
+ (gid (if group (group:gid (getgrnam group)) -1)))
+ (chown "/var/guix/daemon-socket" uid gid))
+
;; Start the guix-daemon from a container, when supported,
;; to solve an installation issue. See the comment below for
;; more details.
--
2.45.2