Ludovic Courtès wrote on Sun 17-04-2022 at 23:04 [+0200]:
> [...]
>   
>  (define (ipfs-binary config)
> -  (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> +  (define command
> +    (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> +
> +  (least-authority-wrapper
> +   command
> +   #:name "ipfs"
> +   #:mappings (list %ipfs-home-mapping)
> +   #:namespaces (delq 'net %namespaces)))

To simplify things later, could #:user "ipfs" and #:group "ipfs" be
added to the least-authority wrapper (and implemented in the
'least-authority procedure)?  Then ...

> + (define (exec-command . args)
> + ;; Exec the given ifps command with the right authority.
> + #~(let ((pid (primitive-fork)))
> + (if (zero? pid)
> + (dynamic-wind
> + (const #t)
> + (lambda ()
> + ;; Run ipfs init and ipfs config from a container,
> + ;; in case the IPFS daemon was compromised at some point
> + ;; and ~/.ipfs is now a symlink to somewhere outside
> + ;; %ipfs-home.
> + (let ((pw (getpwnam "ipfs")))
> + (setgroups '#())
> + (setgid (passwd:gid pw))
> + (setuid (passwd:uid pw))
> + (environ #$%ipfs-environment)
> + (execl #$(ipfs-binary config) #$@args)))
> + (lambda ()
> + (primitive-exit 127)))
> + (waitpid pid))))

would become simpler as it wouldn't need to fork, exec, waitpid and
dynamic-wind.

Alternatively, if associating a user and group with a pola wrapper is
problematic (*), what do you think of defining a
'system*/with-capabilities' or 'invoke/with-capabilities' in a central
location?

Greetings,
Maxime.
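Review bot: in the ipfs-binary hunk, `#:namespaces (delq 'net %namespaces)` leaves the wrapped process in the host network namespace without saying why; a one-line comment stating that the daemon needs network access, and that `%ipfs-home-mapping` is deliberately the only path exposed through `#:mappings`, would stop a later reader from "tightening" the list and breaking the daemon, or from adding a mapping without realising it widens what a compromised daemon can reach.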
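Review bot: in the exec-command hunk, the last expression `(waitpid pid)` yields the raw (pid . status) pair, so a non-zero exit from `ipfs init` or `ipfs config` is not turned into an error at this point; consider checking `(status:exit-val (cdr (waitpid pid)))` and raising when it is non-zero, otherwise a failed initialisation is only noticed when the daemon later starts against an empty or half-written ~/.ipfs. The privilege drop itself is in the right order: `(setgroups '#())` and `(setgid ...)` run before `(setuid ...)`, after which they could no longer be changed, and the `(primitive-exit 127)` in the dynamic-wind exit thunk guarantees the child never falls back into the parent's code if `execl` fails. Minor: the comment "Exec the given ifps command" should read "ipfs".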