services: Warn about unprivileged privileged-programs.

* gnu/services.scm (privileged-program->activation-gexp): Warn when a
privileged-program appears to lack all possible privilege.

Change-Id: I68ed8cb2cff88b11b090cf99a2cc7d6264b888e0
Tobias Geerinckx-Rice 2024-09-01 02:00:00 +02:00
parent 3578fc58d2
commit 9c88f217be
No known key found for this signature in database
GPG Key ID: 0DB0FF884F556D79


@ -893,23 +893,26 @@ FILES must be a list of name/file-like object pairs."
(define (privileged-program->activation-gexp programs)
"Return an activation gexp for privileged-program from PROGRAMS."
(let ((programs (map (lambda (program)
;; FIXME This is really ugly, I didn't managed to use
;; "inherit"
(let ((program-name (privileged-program-program program))
(setuid? (privileged-program-setuid? program))
(setgid? (privileged-program-setgid? program))
(user (privileged-program-user program))
(group (privileged-program-group program))
(capabilities (privileged-program-capabilities program)))
#~(privileged-program
(setuid? #$setuid?)
(setgid? #$setgid?)
(user #$user)
(group #$group)
(capabilities #$capabilities)
(program #$program-name))))
programs)))
(let ((programs
(map (lambda (program)
;; FIXME This is really ugly, I didn't manage to use "inherit".
(let ((program-name (privileged-program-program program))
(setuid? (privileged-program-setuid? program))
(setgid? (privileged-program-setgid? program))
(user (privileged-program-user program))
(group (privileged-program-group program))
(capabilities (privileged-program-capabilities program)))
(unless (or setuid? setgid? capabilities)
(warning
(G_ "so-called privileged-program ~s lacks any privilege~%")
program-name))
#~(privileged-program (setuid? #$setuid?)
(setgid? #$setgid?)
(user #$user)
(group #$group)
(capabilities #$capabilities)
(program #$program-name))))
programs)))
(with-imported-modules (source-module-closure
'((gnu system privilege)))
#~(begin
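Review bot: The added `(unless (or setuid? setgid? capabilities) …)` test treats any non-`#f` value of `capabilities` as a privilege, so an entry whose capabilities field is an empty string would escape the warning even though it grants nothing. The hunk does not show the field's type; if it is a string, consider `(and capabilities (not (string-null? capabilities)))` in its place. The message also prints `program-name` with `~s`, which for a file-like object is presumably its record representation rather than a path, so the warning may be hard to map back to a configuration entry. The docstring still describes only the returned gexp; a short comment above the `unless`, such as `;; Diagnose entries that would be installed with no setuid/setgid bit and no capabilities.`, would record the intent. The function body continues past the end of the hunk.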