[feature request] [shepherd] Specifying POSIX capabilities on services

Status: Done
Participants: Maxim Cournoyer
Owner: unassigned
Submitted by: Maxim Cournoyer
Severity: wishlist

Maxim Cournoyer wrote on 25 Jul 2023 23:04
(name . bug-guix)(address . bug-guix@gnu.org)
878rb31z51.fsf@gmail.com
Hello,

It'd be useful to be able to specify POSIX capabilities a Shepherd
service should have, for example for an unprivileged process to be able
to bind to ports lower than 1024.

This came up while reviewing #63082, which patch 10/16 (now dropped
because of loss of functionality) suggested to let the user/group change
be effected by Shepherd instead of by MPD itself (see:
https://issues.guix.gnu.org/63082#98).

I know that NixOS has some mechanism to do that; I think it was a simple
shell script wrapper setting the capabilities, but that's all I
remember.

--
Thanks,
Maxim
Maxim Cournoyer wrote 4 days ago
(address . 64862-done@debbugs.gnu.org)(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87y11p6l2a.fsf@gmail.com
Hello,

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hello,
>
> It'd be useful to be able to specify POSIX capabilities a Shepherd
> service should have, for example for an unprivileged process to be able
> to bind to ports lower than 1024.
>
> This came up while reviewing #63082, which patch 10/16 (now dropped
> because of loss of functionality) suggested to let the user/group change
> be effected by Shepherd instead of by MPD itself (see:
> https://issues.guix.gnu.org/63082#98).
>
> I know that NixOS has some mechanism to do that; I think it was a simple
> shell script wrapper setting the capabilities, but that's all I
> remember.

I believe that's now possible since commit 71f0676a29 ("privilege: Add
POSIX capabilities(7) support."). Thank you, Tobias!

Closing.

--
Thanks,
Maxim
Closed

To comment on this conversation send an email to 64862@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 64862
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch