services: syslog: Create log files as non-world-readable.
Partly fixes <https://bugs.gnu.org/40405>. Reported by Diego Nicola Barbato <dnbarbato@posteo.de>. * gnu/services/base.scm (syslog-service-type): Change 'start' method to set umask to #o137 before spawning syslogd. * gnu/tests/base.scm (run-basic-test)["/var/log/messages is not world-readable"]: New test.
parent
42a87136f0
commit
d7113bb655
2 changed files with 19 additions and 4 deletions
|
@ -1436,10 +1436,17 @@ (define syslog-service-type
|
||||||
(documentation "Run the syslog daemon (syslogd).")
|
(documentation "Run the syslog daemon (syslogd).")
|
||||||
(provision '(syslogd))
|
(provision '(syslogd))
|
||||||
(requirement '(user-processes))
|
(requirement '(user-processes))
|
||||||
(start #~(make-forkexec-constructor
|
(start #~(let ((spawn (make-forkexec-constructor
|
||||||
(list #$(syslog-configuration-syslogd config)
|
(list #$(syslog-configuration-syslogd config)
|
||||||
"--rcfile" #$(syslog-configuration-config-file config))
|
"--rcfile"
|
||||||
#:pid-file "/var/run/syslog.pid"))
|
#$(syslog-configuration-config-file config))
|
||||||
|
#:pid-file "/var/run/syslog.pid")))
|
||||||
|
(lambda ()
|
||||||
|
;; Set the umask such that file permissions are #o640.
|
||||||
|
(let ((mask (umask #o137))
|
||||||
|
(pid (spawn)))
|
||||||
|
(umask mask)
|
||||||
|
pid))))
|
||||||
(stop #~(make-kill-destructor))))))
|
(stop #~(make-kill-destructor))))))
|
||||||
|
|
||||||
;; Snippet adapted from the GNU inetutils manual.
|
;; Snippet adapted from the GNU inetutils manual.
|
||||||
|
|
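Review bot: In the new `start` lambda, `(umask #o137)` and `(spawn)` are bound in a single `let`, and Scheme leaves the evaluation order of `let` inits unspecified, so nothing in the code guarantees the mask is set before syslogd is forked. The mask is also changed in the process that runs the constructor and restored only on the normal path, so if `spawn` raises, the restrictive #o137 mask would stay in effect for whatever that process creates afterwards. Binding the old mask first and wrapping the call in `dynamic-wind` makes the order explicit and restores the mask on every exit. The definition of syslog-service-type starts above the hunk.

```scheme
(lambda ()
  ;; Set the umask such that file permissions are #o640.
  (let ((mask (umask #o137)))
    (dynamic-wind
      (lambda () #t)
      spawn
      ;; Restore the previous mask even if spawning fails.
      (lambda () (umask mask)))))
```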
|
@ -195,6 +195,14 @@ (define marionette
|
||||||
(pk 'services services)
|
(pk 'services services)
|
||||||
'(root #$@(operating-system-shepherd-service-names os)))))
|
'(root #$@(operating-system-shepherd-service-names os)))))
|
||||||
|
|
||||||
|
(test-equal "/var/log/messages is not world-readable"
|
||||||
|
#o640 ;<https://bugs.gnu.org/40405>
|
||||||
|
(begin
|
||||||
|
(wait-for-file "/var/log/messages" marionette
|
||||||
|
#:read 'get-u8)
|
||||||
|
(marionette-eval '(stat:perms (lstat "/var/log/messages"))
|
||||||
|
marionette)))
|
||||||
|
|
||||||
(test-assert "homes"
|
(test-assert "homes"
|
||||||
(let ((homes
|
(let ((homes
|
||||||
'#$(map user-account-home-directory
|
'#$(map user-account-home-directory
|
||||||
|
|
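Review bot: The new test checks only `/var/log/messages`, while the umask set in the service applies to every file syslogd creates. If the rcfile routes authentication or debug messages to other files (the configuration is not visible in this hunk), those are the more sensitive ones and are left uncovered; consider running the same `stat:perms` check over each configured log path. The test also runs against a freshly booted system, so it says nothing about a log file that already exists with a wider mode, which a umask does not change. A comment such as `;; Only covers files created after the umask change.` would make that limit explicit. The enclosing test body continues outside the hunk.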