[bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'.
From: Maxime Devos
Subject: [bug#54997] [PATCH 09/12] services: ipfs: Use 'least-authority-wrapper'.
Date: Mon, 18 Apr 2022 11:08:02 +0200
User-agent: Evolution 3.38.3-1
Ludovic Courtès wrote on Sun 17-04-2022 at 23:04 [+0200]:
> [...]
>
> (define (ipfs-binary config)
> - (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> + (define command
> + (file-append (ipfs-configuration-package config) "/bin/ipfs"))
> +
> + (least-authority-wrapper
> + command
> + #:name "ipfs"
> + #:mappings (list %ipfs-home-mapping)
> + #:namespaces (delq 'net %namespaces)))
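Review bot: `#:namespaces (delq 'net %namespaces)` removes the network namespace from the list without a comment saying why, so the wrapped ipfs is not placed in a new network namespace and a reader cannot tell that this is deliberate. A one-line comment above that line stating the reason would make the intent reviewable. Separately, `ipfs-binary` now returns the wrapper rather than the path to "/bin/ipfs", so a docstring or a name that says so would help callers.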
To simplify things later, could #:user "ipfs" and #:group "ipfs" be
added to the least-authority wrapper (and implemented in the
'least-authority procedure)? Then ...
> + (define (exec-command . args)
> + ;; Exec the given ifps command with the right authority.
> + #~(let ((pid (primitive-fork)))
> + (if (zero? pid)
> + (dynamic-wind
> + (const #t)
> + (lambda ()
> + ;; Run ipfs init and ipfs config from a container,
> + ;; in case the IPFS daemon was compromised at some
point
> + ;; and ~/.ipfs is now a symlink to somewhere outside
> + ;; %ipfs-home.
> + (let ((pw (getpwnam "ipfs")))
> + (setgroups '#())
> + (setgid (passwd:gid pw))
> + (setuid (passwd:uid pw))
> + (environ #$%ipfs-environment)
> + (execl #$(ipfs-binary config) #$@args)))
> + (lambda ()
> + (primitive-exit 127)))
> + (waitpid pid))))
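Review bot: the result of `(waitpid pid)` at the end of `exec-command` is returned unchecked, so a non-zero exit from the ipfs command, or the 127 from the `(primitive-exit 127)` path taken when `execl` does not succeed, is not reported as a failure to whatever runs this gexp. Consider inspecting the status, for example with `status:exit-val` on the cdr of the pair that `waitpid` returns, and signalling an error when it is not zero. The comment on the second line also misspells the command as "ifps".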
would become simpler as it wouldn't need to fork, exec, waitpid and
dynamic-wind. Alternatively, if associating a user and group with a
pola wrapper is problematic (*), what do you think of defining a
'system*/with-capabilities' or 'invoke/with-capabilities' in a central
location?
Greetings,
Maxime.