services: Warn about unprivileged privileged-programs.
* gnu/services.scm (privileged-program->activation-gexp): Warn when a privileged-program appears to lack all possible privilege. Change-Id: I68ed8cb2cff88b11b090cf99a2cc7d6264b888e0
This commit is contained in:
parent
3578fc58d2
commit
9c88f217be
1 changed files with 20 additions and 17 deletions
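--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -893,23 +893,26 @@ (define-deprecated (etc-service files)
 
 (define (privileged-program->activation-gexp programs)
 "Return an activation gexp for privileged-program from PROGRAMS."
-(let ((programs (map (lambda (program)
-;; FIXME This is really ugly, I didn't managed to use
-;; "inherit"
-(let ((program-name (privileged-program-program program))
-(setuid? (privileged-program-setuid? program))
-(setgid? (privileged-program-setgid? program))
-(user (privileged-program-user program))
-(group (privileged-program-group program))
-(capabilities (privileged-program-capabilities program)))
-#~(privileged-program
-(setuid? #$setuid?)
-(setgid? #$setgid?)
-(user #$user)
-(group #$group)
-(capabilities #$capabilities)
-(program #$program-name))))
-programs)))
+(let ((programs
+(map (lambda (program)
+;; FIXME This is really ugly, I didn't manage to use "inherit".
+(let ((program-name (privileged-program-program program))
+(setuid? (privileged-program-setuid? program))
+(setgid? (privileged-program-setgid? program))
+(user (privileged-program-user program))
+(group (privileged-program-group program))
+(capabilities (privileged-program-capabilities program)))
+(unless (or setuid? setgid? capabilities)
+(warning
+(G_ "so-called privileged-program ~s lacks any privilege~%")
+program-name))
+#~(privileged-program (setuid? #$setuid?)
+(setgid? #$setgid?)
+(user #$user)
+(group #$group)
+(capabilities #$capabilities)
+(program #$program-name))))
+programs)))
 (with-imported-modules (source-module-closure
 '((gnu system privilege)))
 #~(begin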
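Review bot: The new `(unless (or setuid? setgid? capabilities) ...)` guard treats any non-`#f` value of `capabilities` as "privileged", so if that field can hold an empty string rather than `#f` an entry that confers nothing still passes silently; if the field is a string, `(and capabilities (not (string-null? capabilities)))` would close that gap — confirm the field's type and default against the record definition in `(gnu system privilege)`. The warning is also raised without a source location, so a user with several services contributing privileged programs cannot tell which declaration is at fault; if the record carries a location, passing it as the first argument to `warning` would make the message actionable. The shortened FIXME still does not say why `inherit` is unusable here; a comment such as `;; The record is rebuilt inside the gexp because each field must be spliced with #$ individually.` would explain it, if that is indeed the reason. The body of privileged-program->activation-gexp continues past the end of the hunk.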