services: Warn about unprivileged privileged-programs.

* gnu/services.scm (privileged-program->activation-gexp): Warn when a privileged-program appears to lack all possible privilege. Change-Id: I68ed8cb2cff88b11b090cf99a2cc7d6264b888e0
2025-01-12 06:06:53 -05:00 · 2024-09-01 02:00:00 +02:00 · 2024-09-01 02:00:00 +02:00 · 9c88f217be
commit 9c88f217be
parent 3578fc58d2
1 changed files with 20 additions and 17 deletions
--- a/gnu/services.scm
+++ b/gnu/services.scm
@ -893,23 +893,26 @@ (define-deprecated (etc-service files)
 (define (privileged-program->activation-gexp programs)
  "Return an activation gexp for privileged-program from PROGRAMS."
-  (let ((programs (map (lambda (program)
+  (let ((programs
-                         ;; FIXME This is really ugly, I didn't managed to use
+         (map (lambda (program)
-                         ;; "inherit"
+                ;; FIXME This is really ugly, I didn't manage to use "inherit".
-                         (let ((program-name (privileged-program-program program))
+                (let ((program-name (privileged-program-program program))
-                               (setuid?      (privileged-program-setuid? program))
+                      (setuid?      (privileged-program-setuid? program))
-                               (setgid?      (privileged-program-setgid? program))
+                      (setgid?      (privileged-program-setgid? program))
-                               (user         (privileged-program-user program))
+                      (user         (privileged-program-user program))
-                               (group        (privileged-program-group program))
+                      (group        (privileged-program-group program))
-                               (capabilities (privileged-program-capabilities program)))
+                      (capabilities (privileged-program-capabilities program)))
-                           #~(privileged-program
+                  (unless (or setuid? setgid? capabilities)
-                              (setuid? #$setuid?)
+                    (warning
-                              (setgid? #$setgid?)
+                     (G_ "so-called privileged-program ~s lacks any privilege~%")
-                              (user    #$user)
+                     program-name))
-                              (group   #$group)
+                  #~(privileged-program (setuid? #$setuid?)
-                              (capabilities #$capabilities)
+                                        (setgid? #$setgid?)
-                              (program #$program-name))))
+                                        (user    #$user)
-                       programs)))
+                                        (group   #$group)
                                        (capabilities #$capabilities)
                                        (program #$program-name))))
              programs)))
    (with-imported-modules (source-module-closure
                            '((gnu system privilege)))
      #~(begin