services: syslog: Create log files as non-world-readable.
Partly fixes <https://bugs.gnu.org/40405>. Reported by Diego Nicola Barbato <dnbarbato@posteo.de>. * gnu/services/base.scm (syslog-service-type): Change 'start' method to set umask to #o137 before spawning syslogd. * gnu/tests/base.scm (run-basic-test)["/var/log/messages is not world-readable"]: New test.
parent
42a87136f0
commit
d7113bb655
@ -1436,10 +1436,17 @@ Service Switch}, for an example."
|
||||
(documentation "Run the syslog daemon (syslogd).")
|
||||
(provision '(syslogd))
|
||||
(requirement '(user-processes))
|
||||
(start #~(make-forkexec-constructor
|
||||
(list #$(syslog-configuration-syslogd config)
|
||||
"--rcfile" #$(syslog-configuration-config-file config))
|
||||
#:pid-file "/var/run/syslog.pid"))
|
||||
(start #~(let ((spawn (make-forkexec-constructor
|
||||
(list #$(syslog-configuration-syslogd config)
|
||||
"--rcfile"
|
||||
#$(syslog-configuration-config-file config))
|
||||
#:pid-file "/var/run/syslog.pid")))
|
||||
(lambda ()
|
||||
;; Set the umask such that file permissions are #o640.
|
||||
(let ((mask (umask #o137))
|
||||
(pid (spawn)))
|
||||
(umask mask)
|
||||
pid))))
|
||||
(stop #~(make-kill-destructor))))))
|
||||
|
||||
;; Snippet adapted from the GNU inetutils manual.
|
||||
|
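Review bot: The `let` in the new `start` lambda binds `mask` and `pid` in parallel, and Scheme leaves the evaluation order of `let` inits unspecified, so nothing in the language guarantees that `(umask #o137)` runs before `(spawn)`; `let*` or a nested form would make the ordering explicit. The mask is also changed in the process that calls `spawn` (presumably shepherd itself) and is restored only on normal return, so a non-local exit from `spawn` would leave #o137 in effect for whatever that process creates or starts afterwards. Wrapping the call in `dynamic-wind` covers both points. Separately, a umask only applies to files created from now on, so an existing world-readable /var/log/messages on an already-deployed system keeps its mode unless something resets it.

```scheme
;; … unchanged: (start #~(let ((spawn (make-forkexec-constructor …))) …
(lambda ()
  ;; Set the umask such that file permissions are #o640.
  (let ((mask (umask #o137)))
    (dynamic-wind
      (const #t)
      spawn                        ;runs with the restrictive mask
      (lambda () (umask mask)))))  ;restored on any exit
```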
@ -195,6 +195,14 @@ info --version")
|
||||
(pk 'services services)
|
||||
'(root #$@(operating-system-shepherd-service-names os)))))
|
||||
|
||||
(test-equal "/var/log/messages is not world-readable"
|
||||
#o640 ;<https://bugs.gnu.org/40405>
|
||||
(begin
|
||||
(wait-for-file "/var/log/messages" marionette
|
||||
#:read 'get-u8)
|
||||
(marionette-eval '(stat:perms (lstat "/var/log/messages"))
|
||||
marionette)))
|
||||
|
||||
(test-assert "homes"
|
||||
(let ((homes
|
||||
'#$(map user-account-home-directory
|
||||
|
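Review bot: The new test is named "is not world-readable" but asserts the exact mode `#o640`, so a later tightening to, say, #o600 would fail it even though the stated property still holds; either rename it to say it pins the mode, or assert the property directly with something like `(zero? (logand #o007 (stat:perms (lstat "/var/log/messages"))))`. It also covers only /var/log/messages. If the syslog configuration writes other files under /var/log (not visible in this hunk), checking each of them the same way would keep the regression test aligned with the bug report.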