02/02: services: syslog: Create log files as non-world-readable.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

02/02: services: syslog: Create log files as non-world-readable.

From:	guix-commits
Subject:	02/02: services: syslog: Create log files as non-world-readable.
Date:	Mon, 6 Apr 2020 18:02:32 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit d7113bb655ff80a868a9e624c913f9d23e6c63ad
Author: Ludovic Courtès <address@hidden>
AuthorDate: Mon Apr 6 23:50:27 2020 +0200

    services: syslog: Create log files as non-world-readable.
    
    Partly fixes <https://bugs.gnu.org/40405>.
    Reported by Diego Nicola Barbato <address@hidden>.
    
    * gnu/services/base.scm (syslog-service-type): Change 'start' method to
    set umask to #o137 before spawning syslogd.
    * gnu/tests/base.scm (run-basic-test)["/var/log/messages is not
    world-readable"]: New test.
---
 gnu/services/base.scm | 15 +++++++++++----
 gnu/tests/base.scm    |  8 ++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a0179c0..f802005 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1436,10 +1436,17 @@ Service Switch}, for an example."
       (documentation "Run the syslog daemon (syslogd).")
       (provision '(syslogd))
       (requirement '(user-processes))
-      (start #~(make-forkexec-constructor
-                (list #$(syslog-configuration-syslogd config)
-                      "--rcfile" #$(syslog-configuration-config-file config))
-                #:pid-file "/var/run/syslog.pid"))
+      (start #~(let ((spawn (make-forkexec-constructor
+                             (list #$(syslog-configuration-syslogd config)
+                                   "--rcfile"
+                                   #$(syslog-configuration-config-file config))
+                             #:pid-file "/var/run/syslog.pid")))
+                 (lambda ()
+                   ;; Set the umask such that file permissions are #o640.
+                   (let ((mask (umask #o137))
+                         (pid  (spawn)))
+                     (umask mask)
+                     pid))))
       (stop #~(make-kill-destructor))))))
 
 ;; Snippet adapted from the GNU inetutils manual.
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index 37b83dc..fe63cec 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -195,6 +195,14 @@ info --version")
                      (pk 'services services)
                      '(root #$@(operating-system-shepherd-service-names os)))))
 
+          (test-equal "/var/log/messages is not world-readable"
+            #o640                                ;<https://bugs.gnu.org/40405>
+            (begin
+              (wait-for-file "/var/log/messages" marionette
+                             #:read 'get-u8)
+              (marionette-eval '(stat:perms (lstat "/var/log/messages"))
+                               marionette)))
+
           (test-assert "homes"
             (let ((homes
                    '#$(map user-account-home-directory

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (a4c4aaf -> d7113bb), guix-commits, 2020/04/06
- 02/02: services: syslog: Create log files as non-world-readable., guix-commits <=
- 01/02: channels: Call 'build-self.scm' procedure with a trivial build handler., guix-commits, 2020/04/06

Prev by Date: branch master updated: gnu: rust-bumpalo-3: Update to 3.2.1 [fixes RUSTSEC-2020-0006].
Next by Date: 01/02: channels: Call 'build-self.scm' procedure with a trivial build handler.
Previous by thread: branch master updated (a4c4aaf -> d7113bb)
Next by thread: 01/02: channels: Call 'build-self.scm' procedure with a trivial build handler.
Index(es):
- Date
- Thread