ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

services: rsync: Use least authority wrapper.

Browse source 
* gnu/services/rsync.scm (rsync-shepherd-service) Wrap rsync command in a
least-authority-wrapper.

Reviewed-by: Ludovic Courtès <ludo@gnu.org>
This commit is contained in:
Maxim Cournoyer 2023-05-16 22:13:44 -04:00
parent 03e601da49
commit d43d8377c7
No known key found for this signature in database
GPG key ID: 1260E46482E63562
1 changed files with 65 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

97
gnu/services/rsync.scm
View file

@ -19,16 +19,20 @@
;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
(define-module (gnu services rsync)
#:use-module ((gnu build linux-container) #:select (%namespaces))
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services shepherd)
#:autoload (gnu system file-systems) (file-system-mapping)
#:use-module (gnu system shadow)
#:use-module (gnu packages rsync)
#:use-module (gnu packages admin)
#:use-module (gnu packages linux)
#:use-module (gnu packages rsync)
#:use-module (guix records)
#:use-module (guix gexp)
#:use-module (guix diagnostics)
#:use-module (guix i18n)
#:use-module (guix least-authority)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@ -236,37 +240,66 @@ (define ipv6-support?
#t))
(const #f)))
(let* ((rsync (rsync-configuration-package config))
(pid-file (rsync-configuration-pid-file config))
(port-number (rsync-configuration-port-number config))
(user (rsync-configuration-user config))
(group (rsync-configuration-group config))
(config-file (rsync-config-file config))
(rsync-command #~(list (string-append #$rsync "/bin/rsync")
"--config" #$config-file "--daemon")))
(list (shepherd-service
(provision '(rsync))
(documentation "Run rsync daemon.")
(actions (list (shepherd-configuration-action config-file)))
(start #~(if #$inetd-style?
(make-inetd-constructor
#$rsync-command
(cons (endpoint
(make-socket-address AF_INET INADDR_ANY
#$port-number))
(if #$ipv6-support?
(list
(endpoint
(make-socket-address AF_INET6 IN6ADDR_ANY
#$port-number)))
'()))
#:user #$user
#:group #$group)
(make-forkexec-constructor #$rsync-command
#:pid-file #$pid-file
#:user #$user
#:group #$group)))
(stop #~(make-kill-destructor))))))
(define (module->file-system-mapping module)
"Return the <file-system-mapping> record corresponding to MODULE, an
<rsync-module> object."
(match-record module <rsync-module>
(file-name read-only?)
(file-system-mapping
(source file-name)
(target source)
(writable? (not read-only?)))))
(match-record config <rsync-configuration>
(package log-file modules pid-file port-number user group)
;; Run the rsync daemon in its own 'mnt' namespace, to guard against
;; change to mount points it may be serving.
(let* ((config-file (rsync-config-file config))
(rsync-command #~(list #$(least-authority-wrapper
(file-append rsync "/bin/rsync")
#:name "rsync"
#:namespaces (fold delq %namespaces
'(net user))
#:mappings
(append (list (file-system-mapping
(source "/var/run/rsyncd")
(target source)
(writable? #t))
(file-system-mapping
(source (dirname log-file))
(target source)
(writable? #t))
(file-system-mapping
(source config-file)
(target source)))
(map module->file-system-mapping
modules)))
"--config" #$config-file "--daemon")))
(list (shepherd-service
(provision '(rsync))
(documentation "Run rsync daemon.")
(actions (list (shepherd-configuration-action config-file)))
(start #~(if #$inetd-style?
(make-inetd-constructor
#$rsync-command
(cons (endpoint
(make-socket-address AF_INET INADDR_ANY
#$port-number))
(if #$ipv6-support?
(list
(endpoint
(make-socket-address AF_INET6 IN6ADDR_ANY
#$port-number)))
'()))
#:user #$user
#:group #$group)
(make-forkexec-constructor #$rsync-command
#:pid-file #$pid-file
#:user #$user
#:group #$group)))
(stop #~(if #$inetd-style?
(make-inetd-destructor)
(make-kill-destructor))))))))
(define rsync-service-type
(service-type