System log files are world readable

DoneSubmitted by Diego Nicola Barbato.
Details
3 participants
  • Bengt Richter
  • Diego Nicola Barbato
  • Ludovic Courtès
Owner
unassigned
Severity
normal
D
D
Diego Nicola Barbato wrote on 3 Apr 2020 15:19
Download
(address . bug-guix@gnu.org)
87v9mg1zbt.fsf@GlaDOS.home
Download
Hey Guix,
On Guix System the log files (in /var/log) generated by syslogd arecurrently (commit 151f3d4) world readable. They should probably only bereadable by root (for the same reason that dmesg can only be run byroot).
It isn't possible to set the umask with fork-exec-constructor, is it?Otherwise that might have been a simple solution.
Regards,
Diego
D
D
Diego Nicola Barbato wrote on 3 Apr 2020 15:34
Download
(address . 40405@debbugs.gnu.org)
87r1x41yna.fsf@GlaDOS.home
Download
Diego Nicola Barbato <dnbarbato@posteo.de> writes:
Toggle quote (8 lines)> Hey Guix,>> On Guix System the log files (in /var/log) generated by syslogd are> currently (commit 151f3d4) world readable. They should probably only be> readable by root (for the same reason that dmesg can only be run by> root).>> It isn't possible to set the umask with fork-exec-constructor, is it?
^^^^^^^^^^^^^^^^^^^^^That should be 'make-forkexec-constructor'. Sorry for the noise.
Toggle quote (5 lines)> Otherwise that might have been a simple solution.>> Regards,>> Diego
L
L
Ludovic Courtès wrote on 5 Apr 2020 23:32
Download
control message for bug #40405
(address . control@debbugs.gnu.org)
87blo5hb45.fsf@gnu.org
Download
tags 40405 + securityquit
L
L
Ludovic Courtès wrote on 6 Apr 2020 00:12
Download
Re: bug#40405: System log files are world readable
(name . Diego Nicola Barbato)(address . dnbarbato@posteo.de)(address . 40405@debbugs.gnu.org)
874ktxh99k.fsf@gnu.org
Download
Hi,
Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
Toggle quote (8 lines)> On Guix System the log files (in /var/log) generated by syslogd are> currently (commit 151f3d4) world readable. They should probably only be> readable by root (for the same reason that dmesg can only be run by> root).>> It isn't possible to set the umask with fork-exec-constructor, is it?> Otherwise that might have been a simple solution.
That would be a nice solution to implement in the Shepherd. If you feellike giving it a try, that would be great!
In the meantime, the patch below fixes the syslogd problem. Alsoattached is a patch for the accounting database, though that one isquestionable.
Thoughts?
Thanks,Ludo’.
Download
Toggle diff (53 lines)diff --git a/gnu/services.scm b/gnu/services.scmindex 7941cd3af0..d631e8dd32 100644--- a/gnu/services.scm+++ b/gnu/services.scm@@ -528,15 +528,20 @@ ACTIVATION-SCRIPT-TYPE." (use-modules (gnu build activation) (guix build utils)) + (define (ensure-file-exists file)+ (let ((port (open-file file "a0")))+ (chmod port #o640)+ (close-port port)))+ ;; Make sure the user accounting database exists. If it ;; does not exist, 'setutxent' does not create it and ;; thus there is no accounting at all.- (close-port (open-file "/var/run/utmpx" "a0"))+ (ensure-file-exists "/var/run/utmpx") ;; Same for 'wtmp', which is populated by mingetty et ;; al. (mkdir-p "/var/log")- (close-port (open-file "/var/log/wtmp" "a0"))+ (ensure-file-exists "/var/log/wtmp") ;; Set up /run/current-system. Among other things this ;; sets up locales, which the activation snippetsdiff --git a/gnu/services/base.scm b/gnu/services/base.scmindex 8d9a563e2b..e59b6fea80 100644--- a/gnu/services/base.scm+++ b/gnu/services/base.scm@@ -1436,10 +1436,17 @@ Service Switch}, for an example." (documentation "Run the syslog daemon (syslogd).") (provision '(syslogd)) (requirement '(user-processes))- (start #~(make-forkexec-constructor- (list #$(syslog-configuration-syslogd config)- "--rcfile" #$(syslog-configuration-config-file config))- #:pid-file "/var/run/syslog.pid"))+ (start #~(let ((fork (make-forkexec-constructor+ (list #$(syslog-configuration-syslogd config)+ "--rcfile"+ #$(syslog-configuration-config-file config))+ #:pid-file "/var/run/syslog.pid")))+ (lambda ()+ ;; Set the umask such that file permissions are #o640.+ (let ((mask (umask #o137))+ (pid (fork)))+ (umask mask)+ pid)))) (stop #~(make-kill-destructor)))))) ;; Snippet adapted from the GNU inetutils manual.
L
L
Ludovic Courtès wrote on 7 Apr 2020 00:07
Download
(name . Diego Nicola Barbato)(address . dnbarbato@posteo.de)(address . 40405@debbugs.gnu.org)
87blo4clpp.fsf@gnu.org
Download
Hi,
Ludovic Courtès <ludo@gnu.org> skribis:
Toggle quote (4 lines)> In the meantime, the patch below fixes the syslogd problem. Also> attached is a patch for the accounting database, though that one is> questionable.
I pushed the syslog bits along with a test as commitd7113bb655ff80a868a9e624c913f9d23e6c63ad. (I think alreadyworld-readable files will remain world-readable though?)
The main remaining issue here is log files created by‘fork+exec-command’. We’ll have to address that in the Shepherd proper,I think.
Ludo’.
B
B
Bengt Richter wrote on 7 Apr 2020 02:49
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)
20200407004958.GA8760@LionPure
Download
Hi Ludo,
On +2020-04-07 00:07:14 +0200, Ludovic Courtès wrote:
Toggle quote (13 lines)> Hi,> > Ludovic Courtès <ludo@gnu.org> skribis:> > > In the meantime, the patch below fixes the syslogd problem. Also> > attached is a patch for the accounting database, though that one is> > questionable.> > I pushed the syslog bits along with a test as commit> d7113bb655ff80a868a9e624c913f9d23e6c63ad. (I think already> world-readable files will remain world-readable though?)>
Could build daemons do some kind of maintenance rebuild to chmod them?And maybe be scheduled to monitor new files for other mistakes as well?
Meanwhile, could a superuser chmod them without affecting hashes?(curious as to whether permission bits escape hashing).
Toggle quote (9 lines)> The main remaining issue here is log files created by> ‘fork+exec-command’. We’ll have to address that in the Shepherd proper,> I think.> > Ludo’.> > >
-- Regards,Bengt Richter
L
L
Ludovic Courtès wrote on 7 Apr 2020 09:30
Download
(name . Bengt Richter)(address . bokr@bokr.com)
87zhbnbvmy.fsf@gnu.org
Download
Hi,
Bengt Richter <bokr@bokr.com> skribis:
Toggle quote (17 lines)> On +2020-04-07 00:07:14 +0200, Ludovic Courtès wrote:>> Hi,>> >> Ludovic Courtès <ludo@gnu.org> skribis:>> >> > In the meantime, the patch below fixes the syslogd problem. Also>> > attached is a patch for the accounting database, though that one is>> > questionable.>> >> I pushed the syslog bits along with a test as commit>> d7113bb655ff80a868a9e624c913f9d23e6c63ad. (I think already>> world-readable files will remain world-readable though?)>>>> Could build daemons do some kind of maintenance rebuild to chmod them?> And maybe be scheduled to monitor new files for other mistakes as well?
Yes, we could do that, I just haven’t checked if this is necessary orthought about how to do it.
Toggle quote (2 lines)> Meanwhile, could a superuser chmod them without affecting hashes?
Definitely. (There’s no “hashing” involved for /var/log.)
Ludo’.
D
D
Diego Nicola Barbato wrote on 8 Apr 2020 14:32
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 40405@debbugs.gnu.org)
87pnciximi.fsf@GlaDOS.home
Download
Hey,
Ludovic Courtès <ludo@gnu.org> writes:
Toggle quote (15 lines)> Hi,>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:>>> On Guix System the log files (in /var/log) generated by syslogd are>> currently (commit 151f3d4) world readable. They should probably only be>> readable by root (for the same reason that dmesg can only be run by>> root).>>>> It isn't possible to set the umask with fork-exec-constructor, is it?>> Otherwise that might have been a simple solution.>> That would be a nice solution to implement in the Shepherd. If you feel> like giving it a try, that would be great!
I've attached two patches for the Shepherd. The first one makes surethat 'exec-command' creates log files with mode #o640 (I thought aboutmaking it a parameter instead of hard coding it, but I doubt it would bevery useful). The second one makes it possible to set the umask with'exec-command', 'fork+exec-command', and 'make-forkexec-constructor'. Iwasn't quite sure how to avoid a collision with the procedure umask(would `((@ (guile) umask) umask)' have been ok?) so I named theparameter file-creation-mask.
I haven't tested the changes. What would be a straight forward way todo that on Guix? Looking at the documentation it doesn't seem possibleto swap out the shepherd package of the %shepherd-root-service with'modify-services'.
[...]
Regards,
Diego
Download
From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001From: Diego Nicola Barbato <dnbarbato@posteo.de>Date: Tue, 7 Apr 2020 13:58:28 +0200Subject: [PATCH 1/2] service: Create log files as non-world-readable.
* modules/shepherd/service.scm (exec-command): Create log-file with file permissions #o640.--- modules/shepherd/service.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Toggle diff (15 lines)diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scmindex fc82cc4..9a4a5d9 100644--- a/modules/shepherd/service.scm+++ b/modules/shepherd/service.scm@@ -808,7 +808,7 @@ false." ;; Redirect stout and stderr to use LOG-FILE. (catch-system-error (close-fdes 1)) (catch-system-error (close-fdes 2))- (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND)) 1)+ (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND) #o640) 1) (dup2 1 2)) (lambda (key . args) (format (current-error-port)-- 2.26.0
Download
From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001From: Diego Nicola Barbato <dnbarbato@posteo.de>Date: Tue, 7 Apr 2020 13:38:47 +0200Subject: [PATCH 2/2] service: Add #:file-creation-mask to 'make-forkexec-constructor'.
* modules/shepherd/service.scm (exec-command): Add #:file-creation-mask parameter and honor it. (fork+exec-command): Add #:file-creation-mask parameter and pass it to exec-command. (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it to fork+exec-command.* doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.--- doc/shepherd.texi | 9 +++++++-- modules/shepherd/service.scm | 22 ++++++++++++++++------ 2 files changed, 23 insertions(+), 8 deletions(-)
Toggle diff (114 lines)diff --git a/doc/shepherd.texi b/doc/shepherd.texiindex 3e61f5d..659eb82 100644--- a/doc/shepherd.texi+++ b/doc/shepherd.texi@@ -896,10 +896,12 @@ execution of the @var{command} was successful, @code{#t} if not. [#:pid-file #f] [#:pid-file-timeout %pid-file-timeout] @ [#:log-file #f] @ [#:directory (default-service-directory)] @+ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] Return a procedure that forks a child process, closes all file descriptors except the standard output and standard error descriptors, sets-the current directory to @var{directory}, changes the environment to+the current directory to @var{directory}, sets the umask to+@var{file-creation-mask} unless it is @code{#f}, changes the environment to @var{environment-variables} (using the @code{environ} procedure), sets the current user to @var{user} and the current group to @var{group} unless they are @code{#f}, and executes @var{command} (a list of strings.) The result of@@ -935,13 +937,16 @@ procedures. [#:group #f] @ [#:log-file #f] @ [#:directory (default-service-directory)] @+ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] @deffnx {procedure} fork+exec-command @var{command} @ [#:user #f] @ [#:group #f] @ [#:directory (default-service-directory)] @+ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)]-Run @var{command} as the current process from @var{directory}, and with+Run @var{command} as the current process from @var{directory}, with+@var{file-creation-mask} if it's true, and with @var{environment-variables} (a list of strings like @code{"PATH=/bin"}.) File descriptors 1 and 2 are kept as is or redirected to @var{log-file} if it's true, whereas file descriptor 0diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scmindex 9a4a5d9..d90b55b 100644--- a/modules/shepherd/service.scm+++ b/modules/shepherd/service.scm@@ -771,12 +771,14 @@ daemon writing FILE is running in a separate PID namespace." (group #f) (log-file #f) (directory (default-service-directory))+ (file-creation-mask #f) (environment-variables (default-environment-variables)))- "Run COMMAND as the current process from DIRECTORY, and with-ENVIRONMENT-VARIABLES (a list of strings like \"PATH=/bin\".) File-descriptors 1 and 2 are kept as is or redirected to LOG-FILE if it's true,-whereas file descriptor 0 (standard input) points to /dev/null; all other file-descriptors are closed prior to yielding control to COMMAND.+ "Run COMMAND as the current process from DIRECTORY, with FILE-CREATION-MASK+if it's true, and with ENVIRONMENT-VARIABLES (a list of strings like+\"PATH=/bin\"). File descriptors 1 and 2 are kept as is or redirected to+LOG-FILE if it's true, whereas file descriptor 0 (standard input) points to+/dev/null; all other file descriptors are closed prior to yielding control to+COMMAND. By default, COMMAND is run as the current user. If the USER keyword argument is present and not false, change to USER immediately before@@ -840,6 +842,9 @@ false." (print-exception (current-error-port) #f key args) (primitive-exit 1)))) + (when file-creation-mask+ (umask file-creation-mask))+ ;; As the last action, close file descriptors. Doing it last makes ;; "error in the finalization thread: Bad file descriptor" issues ;; unlikely on 2.2.@@ -871,6 +876,7 @@ false." (group #f) (log-file #f) (directory (default-service-directory))+ (file-creation-mask #f) (environment-variables (default-environment-variables))) "Spawn a process that executed COMMAND as per 'exec-command', and return@@ -886,6 +892,7 @@ its PID." #:group group #:log-file log-file #:directory directory+ #:file-creation-mask file-creation-mask #:environment-variables environment-variables) pid))) @@ -903,7 +910,8 @@ its PID." (case-lambda* "Return a procedure that forks a child process, closes all file descriptors except the standard output and standard error descriptors, sets-the current directory to @var{directory}, changes the environment to+the current directory to @var{directory}, sets the umask to+@var{file-creation-mask} unless it is @code{#f}, changes the environment to @var{environment-variables} (using the @code{environ} procedure), sets the current user to @var{user} and the current group to @var{group} unless they are @code{#f}, and executes @var{command} (a list of strings.) The result of@@ -918,6 +926,7 @@ start." (user #f) (group #f) (directory (default-service-directory))+ (file-creation-mask #f) (environment-variables (default-environment-variables)) (pid-file #f) (pid-file-timeout %pid-file-timeout)@@ -944,6 +953,7 @@ start." #:group group #:log-file log-file #:directory directory+ #:file-creation-mask file-creation-mask #:environment-variables environment-variables))) (if pid-file-- 2.26.0
L
L
Ludovic Courtès wrote on 8 Apr 2020 21:49
Download
(name . Diego Nicola Barbato)(address . dnbarbato@posteo.de)(address . 40405@debbugs.gnu.org)
877dyp69mz.fsf@gnu.org
Download
Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
Toggle quote (26 lines)> Ludovic Courtès <ludo@gnu.org> writes:>>> Hi,>>>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:>>>>> On Guix System the log files (in /var/log) generated by syslogd are>>> currently (commit 151f3d4) world readable. They should probably only be>>> readable by root (for the same reason that dmesg can only be run by>>> root).>>>>>> It isn't possible to set the umask with fork-exec-constructor, is it?>>> Otherwise that might have been a simple solution.>>>> That would be a nice solution to implement in the Shepherd. If you feel>> like giving it a try, that would be great!>> I've attached two patches for the Shepherd. The first one makes sure> that 'exec-command' creates log files with mode #o640 (I thought about> making it a parameter instead of hard coding it, but I doubt it would be> very useful). The second one makes it possible to set the umask with> 'exec-command', 'fork+exec-command', and 'make-forkexec-constructor'. I> wasn't quite sure how to avoid a collision with the procedure umask> (would `((@ (guile) umask) umask)' have been ok?) so I named the> parameter file-creation-mask.
Sounds good to me.
Toggle quote (5 lines)> I haven't tested the changes. What would be a straight forward way to> do that on Guix? Looking at the documentation it doesn't seem possible> to swap out the shepherd package of the %shepherd-root-service with> 'modify-services'.
Both patches LGTM, but you could add a couple of tests in the Shepherditself before testing it on Guix.
The tests/*.sh are simple shell scripts. You could perhaps create a newone there, run shepherd with a toy service that uses #:log-file andcreates files, and then ensure that the log file is #o640 and that#:file-creation-mask is honored.
Does that make sense?
Then, to test it on Guix, you can run “make dist” in the Shepherd andchange the ‘shepherd’ package so that its ‘source’ points to thattarball. You run ‘guix system vm gnu/system/examples/bare-bones.tmpl’,boot that, and ensure everything’s OK.
Thanks!
Ludo’.
L
L
Ludovic Courtès wrote on 19 Apr 2020 16:28
Download
(name . Diego Nicola Barbato)(address . dnbarbato@posteo.de)(address . 40405-done@debbugs.gnu.org)
87a73735yv.fsf@gnu.org
Download
Hi Diego,
Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
Toggle quote (8 lines)>>From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001> From: Diego Nicola Barbato <dnbarbato@posteo.de>> Date: Tue, 7 Apr 2020 13:58:28 +0200> Subject: [PATCH 1/2] service: Create log files as non-world-readable.>> * modules/shepherd/service.scm (exec-command): Create log-file with file> permissions #o640.
[...]
Toggle quote (14 lines)>>From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001> From: Diego Nicola Barbato <dnbarbato@posteo.de>> Date: Tue, 7 Apr 2020 13:38:47 +0200> Subject: [PATCH 2/2] service: Add #:file-creation-mask to> 'make-forkexec-constructor'.>> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask> parameter and honor it.> (fork+exec-command): Add #:file-creation-mask parameter and pass it to> exec-command.> (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it> to fork+exec-command.> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.
I went ahead and pushed these two patches.
We’ll need to test current Shepherd master on Guix, but I feel we’veaccumulated enough improvements for a 0.7.1 release.
Thanks,Ludo’.
Closed
L
L
Ludovic Courtès wrote on 22 Apr 2020 22:04
Download
(address . 40405-done@debbugs.gnu.org)(address . dnbarbato@posteo.de)
878sinthh4.fsf@gnu.org
Download
Hi,
Ludovic Courtès <ludo@gnu.org> skribis:
Toggle quote (28 lines)> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:>>>>From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001>> From: Diego Nicola Barbato <dnbarbato@posteo.de>>> Date: Tue, 7 Apr 2020 13:58:28 +0200>> Subject: [PATCH 1/2] service: Create log files as non-world-readable.>>>> * modules/shepherd/service.scm (exec-command): Create log-file with file>> permissions #o640.>> [...]>>>>From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001>> From: Diego Nicola Barbato <dnbarbato@posteo.de>>> Date: Tue, 7 Apr 2020 13:38:47 +0200>> Subject: [PATCH 2/2] service: Add #:file-creation-mask to>> 'make-forkexec-constructor'.>>>> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask>> parameter and honor it.>> (fork+exec-command): Add #:file-creation-mask parameter and pass it to>> exec-command.>> (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it>> to fork+exec-command.>> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.>> I went ahead and pushed these two patches.
These patches are in Shepherd 0.8.0, which was pushed in Guix mastercommit e3358a831e7d5d9e8dc614340e49ea5aeb11a7ff, so we’re done!
Ludo’.
Closed
D
D
Diego Nicola Barbato wrote on 28 Apr 2020 15:11
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 40405-done@debbugs.gnu.org)
87y2qfhi0c.fsf@GlaDOS.home
Download
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
Toggle quote (35 lines)> Hi,>> Ludovic Courtès <ludo@gnu.org> skribis:>>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:>>>>>>From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001>>> From: Diego Nicola Barbato <dnbarbato@posteo.de>>>> Date: Tue, 7 Apr 2020 13:58:28 +0200>>> Subject: [PATCH 1/2] service: Create log files as non-world-readable.>>>>>> * modules/shepherd/service.scm (exec-command): Create log-file with file>>> permissions #o640.>>>> [...]>>>>>>From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001>>> From: Diego Nicola Barbato <dnbarbato@posteo.de>>>> Date: Tue, 7 Apr 2020 13:38:47 +0200>>> Subject: [PATCH 2/2] service: Add #:file-creation-mask to>>> 'make-forkexec-constructor'.>>>>>> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask>>> parameter and honor it.>>> (fork+exec-command): Add #:file-creation-mask parameter and pass it to>>> exec-command.>>> (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it>>> to fork+exec-command.>>> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.>>>> I went ahead and pushed these two patches.>> These patches are in Shepherd 0.8.0, which was pushed in Guix master> commit e3358a831e7d5d9e8dc614340e49ea5aeb11a7ff, so we’re done!
Great! Now we can simplify the 'start' method of'syslogd-service-type'.
I did eventually write a test script, which I've attached in case wewant to add it to the Shepherd. I'm sorry it took so long that I missedthe new Shepherd release.
Regards,
Diego
Download
From 2e7a0795b3a7080376238ab604c50d2c180f8730 Mon Sep 17 00:00:00 2001From: Diego Nicola Barbato <dnbarbato@posteo.de>Date: Mon, 27 Apr 2020 16:57:36 +0200Subject: [PATCH] tests: Test #:file-creation-mask option of 'make-forkexec-constructor'.
* tests/file-creation-mask.sh: New file.--- tests/file-creation-mask.sh | 79 +++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 tests/file-creation-mask.sh
Toggle diff (87 lines)diff --git a/tests/file-creation-mask.sh b/tests/file-creation-mask.shnew file mode 100644index 0000000..9f5f10a--- /dev/null+++ b/tests/file-creation-mask.sh@@ -0,0 +1,79 @@+# GNU Shepherd --- Test the #:file-creation-mask option of 'make-forkexec-constructor'.+# Copyright © 2020 Diego N. Barbato <dnbarbato@posteo.de>+#+# This file is part of the GNU Shepherd.+#+# The GNU Shepherd is free software; you can redistribute it and/or modify it+# under the terms of the GNU General Public License as published by+# the Free Software Foundation; either version 3 of the License, or (at+# your option) any later version.+#+# The GNU Shepherd is distributed in the hope that it will be useful, but+# WITHOUT ANY WARRANTY; without even the implied warranty of+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the+# GNU General Public License for more details.+#+# You should have received a copy of the GNU General Public License+# along with the GNU Shepherd. If not, see <http://www.gnu.org/licenses/>.++shepherd --version+herd --version++socket="t-socket-$$"+conf="t-conf-$$"+log="t-log-$$"+pid="t-pid-$$"+service_log="t-service-log-$$"+service_new_file="t-service-new-file-$$"++herd="herd -s $socket"++trap "cat $log || true;+ rm -f $socket $conf $log $service_log $service_new_file;+ test -f $pid && kill \`cat $pid\` || true; rm -f $pid" EXIT++function wait_for_file+{+ i=0+ while ! test -f "$1" && test $i -lt 20+ do+ sleep 0.3+ i=`expr $i + 1`+ done+ test -f "$1"+}++cat > "$conf"<<EOF+(define %command+ '("$SHELL" "-c" "touch $PWD/$service_new_file; echo foo"))++(register-services+ (make <service>+ #:provides '(test)+ #:start (make-forkexec-constructor %command+ #:log-file "$PWD/$service_log"+ ;; Set the umask such that file+ ;; permissions are #o600.+ #:file-creation-mask #o177)+ #:stop (make-kill-destructor)+ #:respawn? #f))+EOF++rm -f "$pid"+shepherd -I -s "$socket" -c "$conf" -l "$log" --pid="$pid" &++# Wait till it's ready.+wait_for_file "$pid"++# Start the service.+$herd start test++# Make sure the log file is created with the right permissions independently+# of the value of #:file-creation-mask.+wait_for_file "$service_log"+test `stat -c %a "$service_log"` -eq 640++# Make sure the service creates files with the right permissions as determined+# by the value of #:file-creation-mask.+wait_for_file "$service_new_file"+test `stat -c %a "$service_new_file"` -eq 600-- 2.26.0
Closed
L
L
Ludovic Courtès wrote on 28 Apr 2020 22:57
Download
(name . Diego Nicola Barbato)(address . dnbarbato@posteo.de)(address . 40405-done@debbugs.gnu.org)
87h7x3tjjx.fsf@gnu.org
Download
Hello,
Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
Toggle quote (3 lines)> Great! Now we can simplify the 'start' method of> 'syslogd-service-type'.
Oh right, do you want to take care of it?
Toggle quote (4 lines)> I did eventually write a test script, which I've attached in case we> want to add it to the Shepherd. I'm sorry it took so long that I missed> the new Shepherd release.
No problem. I figured it was okay to add it without a test, but havinga test is always better so I’ve happily pushed your patch. Thank you!
Ludo’.
Closed
D
D
Diego Nicola Barbato wrote on 29 Apr 2020 12:02
Download
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 40405@debbugs.gnu.org)
87d07qhaoy.fsf@GlaDOS.home
Download
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
Toggle quote (9 lines)> Hello,>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:>>> Great! Now we can simplify the 'start' method of>> 'syslogd-service-type'.>> Oh right, do you want to take care of it?
I already did: https://debbugs.gnu.org/40937
[...]
Regards,
Diego
?
Your may also send email to 40405@debbugs.gnu.org to comment.