guix-play/services at e4150032027455ccf920e2f407754e93ca052dec - guix-play - SDF GIT Society

futurile/guix-play

History

Maxime Devos 520bac7ed0

services: Prevent following symlinks during activation.

This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files.  However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.

Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>

* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
  (%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>

2021-03-10 18:01:47 +01:00

..

admin.scm

services: unattended-upgrade: Log output of the 'guix' commands.

2020-08-24 23:23:57 +02:00

audio.scm

services: mpd: Make /var/run/mpd/USER user-owned.

2020-12-06 23:18:08 +01:00

auditd.scm

services: auditd: Provide default configuration directory.

2020-07-27 12:06:36 +02:00

authentication.scm

services: Prevent following symlinks during activation.

2021-03-10 18:01:47 +01:00

avahi.scm

services: avahi: Depend on 'user-processes'.

2020-12-09 14:13:32 +01:00

base.scm

services: shepherd: 'shepherd-service-type' requires documentation.

2021-01-13 22:24:18 +01:00

certbot.scm

services: certbot: Support registration without email.

2020-09-13 23:34:23 +02:00

cgit.scm

services: cgit: Fix typo.

2019-05-25 15:58:03 +05:30

configuration.scm

services: configuration: Add '%location'.

2019-03-10 21:32:38 +03:00

cuirass.scm

services: cuirass: Remove simple cuirass configuration.

2021-03-10 09:05:02 +01:00

cups.scm

services: Prevent following symlinks during activation.

2021-03-10 18:01:47 +01:00

databases.scm

services: postgresql-roles: Fix race condition.

2021-02-23 11:00:18 +01:00

dbus.scm

services: Prevent following symlinks during activation.

2021-03-10 18:01:47 +01:00

desktop.scm

services: lxqt-desktop: Delete unbound lxqt-desktop-service.

2020-10-20 00:27:30 +03:00

dict.scm

services: dicod: Reduce irony.

2020-09-21 00:31:15 +02:00

dns.scm

services: Prevent following symlinks during activation.

2021-03-10 18:01:47 +01:00

docker.scm

services: docker: Fix missing containerd-shim binary.

2020-10-17 00:43:24 +03:00

file-sharing.scm

services: Add transmission-daemon service.

2021-02-12 15:11:36 +08:00

games.scm

…

ganeti.scm

gnu: ganeti-luxid-service-type: Fix typo.

2020-10-28 21:10:54 -07:00

getmail.scm

services: getmail: Fix spelling of "address".

2020-01-30 15:27:31 -08:00

guix.scm

services: guix-build-coordinator: Add dynamic auth with file record.

2021-03-05 09:29:58 +00:00

herd.scm

services: herd: Add restart-service.

2020-03-03 15:00:32 +01:00

hurd.scm

services: hurd: Remove deprecated 'hurd-getty-service' wrapper.

2020-06-13 10:04:51 +02:00

kerberos.scm

…

linux.scm

gnu: Remove 'file-systems requirement from kernel-module-loader.

2021-02-08 03:34:40 +01:00

lirc.scm

…

mail.scm

services: Add radicale-service-type.

2020-12-27 19:32:09 +01:00

mcron.scm

services: mcron: Validate jobs even in the presence of #:user.

2020-08-26 15:30:04 +02:00

messaging.scm

services: bitlbee: Support libpurple plugins.

2020-09-15 14:40:20 +02:00

monitoring.scm

prometheus-node-exporter: Support extra options.

2020-12-07 09:08:33 +00:00

networking.scm

services: tor: Add control-socket? option.

2021-02-22 10:03:02 -05:00

nfs.scm

gnu: services: Fix the NFS service.

2021-02-05 17:19:10 -05:00

nix.scm

services: nix: Move nix.conf generation to etc-service-type.

2020-12-06 17:48:48 +08:00

pam-mount.scm

services: Add pam-mount.

2019-11-28 13:30:53 +01:00

pm.scm

gnu: tlp: Update to 1.3.0.

2020-02-02 10:42:16 +01:00

rsync.scm

…

science.scm

services: science.scm: Add missing copyright headers.

2020-12-09 12:55:02 +02:00

sddm.scm

services: SDDM: Wait for elogind before starting.

2020-11-18 22:31:32 +01:00

security-token.scm

gnu: htop: Update to 3.0.3.

2020-12-13 00:35:49 +01:00

shepherd.scm

services: shepherd: Make 'assert-valid-graph' public.

2021-03-03 14:19:26 +01:00

sound.scm

services: Do not use symbolic links in PulseAudio variables.

2020-05-06 22:49:55 +02:00

spice.scm

services: Don't use the deprecated 'make-forkexec-constructor' call.

2020-04-21 00:06:40 +02:00

ssh.scm

Revert "services: openssh: Warn about 'password-authentication?' default."

2020-12-11 19:06:53 +01:00

syncthing.scm

services: Add syncthing service.

2021-01-12 14:40:36 +03:00

sysctl.scm

services: sysctl: Make service one-shot.

2019-11-20 21:23:19 +02:00

telephony.scm

services: murmur: Add missing newline in murmur-configuration.

2020-04-02 20:55:15 +02:00

version-control.scm

services: gitolite: Install the rc file as gitolite's user.

2020-10-05 19:41:23 +02:00

virtualization.scm

services: qemu-binfmt: 'guix-support?' defaults to #t.

2021-01-16 22:38:17 +01:00

vpn.scm

services: wireguard: New service.

2021-02-17 10:32:15 +01:00

web.scm

services: Add Agate Gemini service.

2021-02-15 13:35:04 +01:00

xorg.scm

services: Add 'xorg-server-service-type'.

2021-02-11 17:01:43 +08:00