This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files. However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.
Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>
* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
(%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
* gnu/services/dns.scm (verify-knot-key-configuration): Fix the
order of memq arguments.
(verify-knot-keystore-configuration): Likewise.
(verify-knot-acl-configuration): Replace fold with every procedure.
Signed-off-by: 宋文武 <iyzsong@member.fsf.org>
This silences a warning from the service at startup.
* gnu/services/dns.scm (knot-resolver-shepherd-services)[start]: Use the "-n"
command-line option to kresd in place of the deprecated "-f 1".
Signed-off-by: Leo Famulari <leo@famulari.name>
* gnu/services/dbus.scm (polkit-service-type)[description]: New field.
* gnu/services/dict.scm (dicod-service-type)[description]: New field.
* gnu/services/dns.scm (knot-service-type)[description]: New field.
* gnu/services/networking.scm (dhcpd-service-type)[description]: New field.
* gnu/services/shepherd.scm (shepherd-root-service-type)[description]:
New field.
* gnu/services/xorg.scm (slim-service-type)[description]: New field.
(screen-locker-service-type)[description]: New field.
* gnu/system/pam.scm (pam-root-service-type)[description]: New field.
* gnu/system/shadow.scm (account-service-type)[description]: New field.
Introduce a new `addresses' field that translates to passing `--address='
multiple times to dnsmasq.
* gnu/services/dns.scm (<dnsmasq-configuration>): Add an addresses field.
(dnsmasq-shepherd-service): Match the addresses field and translate it to
multiple '--address=' flags.
* doc/guix.texi (DNS Services): Document it.
Signed-off-by: 宋文武 <iyzsong@member.fsf.org>
* gnu/services/dns.scm (<knot-resolver-configuration>): New record type.
(knot-resolver-activation, knot-resolver-shpherd-services): New procedures.
(%knot-resolver-accounts, %kresd.conf, knot-resolver-service-type): New
variables.
* doc/guix.texi (DNS Services): Document it.
The 'no-negcache?' option is mapped to the '--no-negcache' command-line
argument directly, but we're in the scheme world, where the general guideline
is to avoid double-negations in identifiers.
* gnu/services/dns.scm <dnsmasq-configuration>: Replace the 'no-negcache?'
field with 'negative-cache?'.
* doc/guix.texi (DNS Services)[Dnsmasq Service]: Adjust accordingly.
* gnu/services/dns.scm (dnsmasq-service-type): New variable.
(<dnsmasq-configuration>): New record type.
(dnsmasq-shepherd-service): New procedure.
* doc/guix.texi (DNS Services): Document it.