[PATCH] add access control to daemon socket in shepherd service

Status: Open
Participants: Reepca Russelstein
Owner: unassigned
Submitted by: Reepca Russelstein
Severity: normal
Reepca Russelstein wrote 41 hours ago
Address: guix-patches@gnu.org
Message-ID: 87a5eyjqr0.fsf@russelstein.xyz
Passing "--disable-chroot" to guix-daemon makes it possible for the
build users to be taken over by anybody who can start a build: they need
only cause a builder to put a setuid binary in /tmp. That being said,
there are some situations where it currently can't be avoided, like on
Hurd. It would also probably be good to have the ability to harden a
guix daemon in general by restricting access to it. For example,
there's no reason that the ntpd user needs access to the guix daemon
(note that this is distinct from access to the *store*, which is of
course always world-readable).

The attached patch implements that restriction for users of
guix-service-type by limiting access to /var/guix/daemon-socket in
accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
    (guix-configuration
      (inherit config)
      (socket-directory-perms #o750)      ; owner rwx, group r-x, others none
      (socket-directory-group "users"))))
------------------------------------

- reepca
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAmcVktMXHHJlZXBjYUBy
dXNzZWxzdGVpbi54eXoACgkQwWaqSV9/GJxz2Qf/aj6zuGBzw6QM+DJ9asEi2LzL
Nk1Wwcosm8jUIzJHBzS4qpjh/1z5PVDVv1Pu5boXaAgCBMsllUAJQSF0R1gGmYHT
dvBMkNXHD1uz/eafOfX3ig3ypFmWw3np5jXul00oBoOIDnNMJRgUdTMAaahGB/el
a5WqLLiz45F5Dtrr/6jwLZ7nUOuHqT0SzwE0ET8t2dtKANQJN6RTQg382AJQlMcH
cmhHibcxiEpUnKhfdIZAQfkTILLJTMIuoS5TEsNyopXyjQ8bINP3NiRJxvbz5e+v
0+dpndwZY736/St3sHKMLxcPFKxoR1vY6S/INm+KBlUtqxIRO8kF8nb5RNjx9A==
=WBEf
-----END PGP SIGNATURE-----
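Setting the policy in the system configuration is one half; a practitioner will also want to verify on the running host that the socket directory really denies other users. The script below is an added example, not code from the patch or the mumi page: it checks that the directory's "other" permission bits are clear and that its group is the intended one. It assumes GNU coreutils `stat` (for the `-c` format); `SOCKET_DIR` and `check_socket_dir` are the example's own names, and /var/guix/daemon-socket is the path the message refers to.

```shell
#!/bin/sh
# Added example (not from the patch or the mumi page): audit the
# guix-daemon socket directory on a running host.  Assumes GNU coreutils
# `stat` for the -c format.  The default path is the one the message names.

SOCKET_DIR=${SOCKET_DIR:-/var/guix/daemon-socket}

# check_socket_dir DIR GROUP
# Returns 0 when DIR grants "other" no r/w/x bits and is owned by GROUP,
# i.e. only root and members of GROUP can search the directory and reach
# the socket inside it.  Prints each finding and returns 1 otherwise.
check_socket_dir() {
    dir=$1
    want_group=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")        # octal digits, e.g. 750 or 1777
    group=$(stat -c '%G' "$dir")
    others=${mode#"${mode%?}"}         # last octal digit = "other" bits
    rc=0
    if [ "$others" != 0 ]; then
        echo "$dir: mode $mode gives 'other' access $others; any local user can reach the socket"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is '$group', expected '$want_group'"
        rc=1
    fi
    return $rc
}

# Usage: sh check-guix-socket.sh users
# Exit status 0 means the directory matches a 750 / "users" style policy.
if [ "$#" -gt 0 ]; then
    check_socket_dir "$SOCKET_DIR" "$1"
fi
```

The directory, not the socket file, is the control point: connect() on an AF_UNIX socket needs search permission on every directory in the path, so a user who cannot enter /var/guix/daemon-socket cannot reach the daemon regardless of the socket file's own mode. Run the script after `guix system reconfigure` with the group you set in `socket-directory-group`.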


To comment on this conversation send an email to 73925@debbugs.gnu.org
