From patchwork Thu May 18 01:56:17 2023
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 50086
Subject: [bug#63561] [PATCH 1/2] services: rsync: Use make-inetd-constructor.
From: Maxim Cournoyer
Date: Wed, 17 May 2023 21:56:17 -0400
X-Mailer: git-send-email 2.39.2

* gnu/services/rsync.scm (rsync-shepherd-service): Use make-inetd-constructor if available in start slot.
* gnu/tests/rsync.scm (run-rsync-test): Delete "PID file" test.
--- gnu/services/rsync.scm | 44 ++++++++++++++++++++++++++++++++++-------- gnu/tests/rsync.scm | 6 ------ 2 files changed, 36 insertions(+), 14 deletions(-) base-commit: 9c161c1f0def13676002ce34625ba023857b9ab2 diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm index aeb4275031..826b757b1c 100644 --- a/gnu/services/rsync.scm +++ b/gnu/services/rsync.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Oleg Pykhalov ;;; Copyright © 2021, 2023 Ludovic Courtès +;;; Copyright © 2023 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -221,23 +222,50 @@ (define (rsync-config-file config) (define (rsync-shepherd-service config) "Return a for rsync with CONFIG." + + ;; XXX: Predicates copied from (gnu services ssh). + (define inetd-style? + #~(and (defined? 'make-inetd-constructor) + (not (string=? (@ (shepherd config) Version) "0.9.0")))) + + (define ipv6-support? + #~(catch 'system-error + (lambda () + (let ((sock (socket AF_INET6 SOCK_STREAM 0))) + (close-port sock) + #t)) + (const #f))) + (let* ((rsync (rsync-configuration-package config)) (pid-file (rsync-configuration-pid-file config)) (port-number (rsync-configuration-port-number config)) (user (rsync-configuration-user config)) (group (rsync-configuration-group config)) - (config-file (rsync-config-file config))) + (config-file (rsync-config-file config)) + (rsync-command #~(list (string-append #$rsync "/bin/rsync") + "--config" #$config-file "--daemon"))) (list (shepherd-service (provision '(rsync)) (documentation "Run rsync daemon.") (actions (list (shepherd-configuration-action config-file))) - (start #~(make-forkexec-constructor - (list (string-append #$rsync "/bin/rsync") - "--config" #$config-file - "--daemon") - #:pid-file #$pid-file - #:user #$user - #:group #$group)) + (start #~(if #$inetd-style? + (make-inetd-constructor + #$rsync-command + (cons (endpoint + (make-socket-address AF_INET INADDR_ANY + #$port-number)) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) + #:user #$user + #:group #$group) + (make-forkexec-constructor #$rsync-command + #:pid-file #$pid-file + #:user #$user + #:group #$group))) (stop #~(make-kill-destructor)))))) (define rsync-service-type diff --git a/gnu/tests/rsync.scm b/gnu/tests/rsync.scm index ea53a157bb..182e5f76ff 100644 --- a/gnu/tests/rsync.scm +++ b/gnu/tests/rsync.scm 
@@ -70,12 +70,6 @@ (define* (run-rsync-test rsync-os #:optional (rsync-port 873)) (start-service 'rsync)) marionette)) - ;; Make sure the PID file is created. - (test-assert "PID file" - (marionette-eval - '(file-exists? "/var/run/rsyncd/rsyncd.pid") - marionette)) - (test-assert "Test file copied to share" (marionette-eval '(begin

From patchwork Thu May 18 01:56:18 2023
X-Patchwork-Submitter: Maxim Cournoyer
X-Patchwork-Id: 50085
Subject: [bug#63562] [PATCH 2/2] services: rsync: Use least authority wrapper.
From: Maxim Cournoyer
Date: Wed, 17 May 2023 21:56:18 -0400
Message-Id: <8f60f8bfcbf58ab39308f799319f25b9851871a7.1684374978.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.39.2

* gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a least-authority-wrapper.
--- gnu/services/rsync.scm | 97 ++++++++++++++++++++++++++++-------------- 1 file changed, 65 insertions(+), 32 deletions(-) diff --git a/gnu/services/rsync.scm b/gnu/services/rsync.scm index 826b757b1c..42e4d0247e 100644 --- a/gnu/services/rsync.scm +++ b/gnu/services/rsync.scm 
@@ -19,16 +19,20 @@ ;;; along with GNU Guix. If not, see . (define-module (gnu services rsync) + #:use-module ((gnu build linux-container) #:select (%namespaces)) #:use-module (gnu services) #:use-module (gnu services base) #:use-module (gnu services shepherd) + #:autoload (gnu system file-systems) (file-system-mapping) #:use-module (gnu system shadow) - #:use-module (gnu packages rsync) #:use-module (gnu packages admin) + #:use-module (gnu packages linux) + #:use-module (gnu packages rsync) #:use-module (guix records) #:use-module (guix gexp) #:use-module (guix diagnostics) #:use-module (guix i18n) + #:use-module (guix least-authority) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) #:use-module (ice-9 match) 
@@ -236,37 +240,66 @@ (define (rsync-shepherd-service config) #t)) (const #f))) - (let* ((rsync (rsync-configuration-package config)) - (pid-file (rsync-configuration-pid-file config)) - (port-number (rsync-configuration-port-number config)) - (user (rsync-configuration-user config)) - (group (rsync-configuration-group config)) - (config-file (rsync-config-file config)) - (rsync-command #~(list (string-append #$rsync "/bin/rsync") - "--config" #$config-file "--daemon"))) - (list (shepherd-service - (provision '(rsync)) - (documentation "Run rsync daemon.") - (actions (list (shepherd-configuration-action config-file))) - (start #~(if #$inetd-style? - (make-inetd-constructor - #$rsync-command - (cons (endpoint - (make-socket-address AF_INET INADDR_ANY - #$port-number)) - (if #$ipv6-support? - (list - (endpoint - (make-socket-address AF_INET6 IN6ADDR_ANY - #$port-number))) - '())) - #:user #$user - #:group #$group) - (make-forkexec-constructor #$rsync-command - #:pid-file #$pid-file - #:user #$user - #:group #$group))) - (stop #~(make-kill-destructor)))))) + (define (module->file-system-mapping module) + "Return the record corresponding to MODULE, an + object." + (match-record module + (file-name read-only?) + (file-system-mapping + (source file-name) + (target source) + (writable? (not read-only?))))) + + (match-record config + (package log-file modules pid-file port-number user group) + ;; Run the rsync daemon in its own 'mnt' namespace, to guard against + ;; change to mount points it may be serving. + (let* ((config-file (rsync-config-file config)) + (rsync-command #~(list #$(least-authority-wrapper + (file-append rsync "/bin/rsync") + #:name "rsync" + #:namespaces (fold delq %namespaces + '(net user)) + #:mappings + (append (list (file-system-mapping + (source "/var/run/rsyncd") + (target source) + (writable? #t)) + (file-system-mapping + (source (dirname log-file)) + (target source) + (writable? 
#t)) + (file-system-mapping + (source config-file) + (target source))) + (map module->file-system-mapping + modules))) + "--config" #$config-file "--daemon"))) + (list (shepherd-service + (provision '(rsync)) + (documentation "Run rsync daemon.") + (actions (list (shepherd-configuration-action config-file))) + (start #~(if #$inetd-style? + (make-inetd-constructor + #$rsync-command + (cons (endpoint + (make-socket-address AF_INET INADDR_ANY + #$port-number)) + (if #$ipv6-support? + (list + (endpoint + (make-socket-address AF_INET6 IN6ADDR_ANY + #$port-number))) + '())) + #:user #$user + #:group #$group) + (make-forkexec-constructor #$rsync-command + #:pid-file #$pid-file + #:user #$user + #:group #$group))) + (stop #~(if #$inetd-style? + (make-inetd-destructor) + (make-kill-destructor)))))))) (define rsync-service-type (service-type
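
Review bot: in patch 1/2, hunk `@@ -221,23 +222,50 @@` of gnu/services/rsync.scm, the `stop` slot at the end of the hunk stays `(stop #~(make-kill-destructor))` even though `start` may now evaluate to `make-inetd-constructor`. Select the destructor with the same `inetd-style?` test and use `make-inetd-destructor` on the inetd branch; patch 2/2 makes that change, but it belongs here so this commit is correct on its own. Separately, both endpoints are hard-coded to `INADDR_ANY` and `IN6ADDR_ANY`, so in inetd mode the listening socket is opened on every interface; if the configuration record can restrict the listen address (not visible in this hunk), build the endpoints from that setting. The `XXX` comment says the two predicates are copied from (gnu services ssh); a shared helper would avoid keeping two copies in sync.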
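
Review bot: in patch 1/2, hunk `@@ -70,12 +70,6 @@` of gnu/tests/rsync.scm, the "PID file" assertion is deleted unconditionally, yet the service still falls back to `make-forkexec-constructor` with `#:pid-file` when `inetd-style?` is false, so that path is left without the startup check it had. Replace it with an assertion that holds in both modes, for example that a connection to `rsync-port` is accepted, and state in the commit message why the PID file is no longer expected.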
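
Review bot: in patch 2/2, hunk `@@ -19,16 +19,20 @@`, the added `#:use-module (gnu packages linux)` is not referenced by anything in the visible changes of this patch; drop it, or add a comment naming the binding that needs it. Moving `(gnu packages rsync)` below `(gnu packages admin)` is an unrelated reordering; leaving it out keeps the import diff limited to what the wrapper requires.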
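
Review bot: in patch 2/2, hunk `@@ -236,37 +240,66 @@`, `(file-append rsync "/bin/rsync")` no longer honours the configured package: `match-record` binds that field as `package`, and the `let*` binding `(rsync (rsync-configuration-package config))` is removed, so `rsync` now resolves to the variable imported from (gnu packages rsync). Use `(file-append package "/bin/rsync")`. Two further points on the wrapper. `(fold delq %namespaces '(net user))` keeps the PID namespace, so on the `make-forkexec-constructor` fallback the PID that rsync writes to the file given as `#:pid-file` is the one it has inside that namespace, not the one shepherd sees; either remove `pid` from the namespace list as well or stop relying on the PID file. The writable mapping of `(dirname log-file)` gives the daemon write access to the whole parent directory of the log file, which is wider than the one file it needs; a dedicated log directory would keep the mapping narrow. The comment above the `let*` mentions only the 'mnt' namespace while every namespace except `net` and `user` is unshared, and the `stop` slot change is missing from the commit message.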