guix-patches

[bug#54997] [PATCH 00/12] Add "least authority" program wrapper


From: Ludovic Courtès
Subject: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
Date: Wed, 20 Apr 2022 00:02:26 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Maxime Devos <maximedevos@telenet.be> writes:

> Ludovic Courtès wrote on Sun 17-04-2022 at 23:04 [+0200]:
>> [...]
>>  
>>  (define (ipfs-binary config)
>> -  (file-append (ipfs-configuration-package config) "/bin/ipfs"))
>> +  (define command
>> +    (file-append (ipfs-configuration-package config) "/bin/ipfs"))
>> +
>> +  (least-authority-wrapper
>> +   command
>> +   #:name "ipfs"
>> +   #:mappings (list %ipfs-home-mapping)
>> +   #:namespaces (delq 'net %namespaces)))
>
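
Review bot: At `#:namespaces (delq 'net %namespaces)`, the removal of `'net` from the namespace list needs a comment saying why: as written, a reader has to infer that the wrapped ipfs command is deliberately kept out of a separate network namespace, presumably because the daemon needs network access. A one-line comment above that keyword argument would make the exception explicit. In the same call, `(list %ipfs-home-mapping)` is the only mapping passed, so a short note on what that mapping exposes and whether it is writable would help anyone auditing what the wrapped process can reach.
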
> To simplify things later, could #:user "ipfs" and #:group "ipfs" be
> added to the least-authority wrapper (and implemented in the
> 'least-authority' procedure)?  Then ...

To me, setuid/setgid is beyond the scope of
‘least-authority-wrapper’.  And indeed, this place is the only one that
needs it.

> would become simpler as it wouldn't need to fork, exec, waitpid and
> dynamic-wind.  Alternatively, if associating a user and group with a
> pola wrapper is problematic (*), what do you think of defining a
> 'system*/with-capabilities' or 'invoke/with-capabilities' in a central
> location?

I’m not sure what these procedures would do.

I think we should build the house one brick at a time; this is the first
brick but I’m sure there’ll be others as we gain more experience and
clearer use cases.

Ludo’.




