aboutsummaryrefslogtreecommitdiff
path: root/gnu/services/certbot.scm
diff options
context:
space:
mode:
authorMaxime Devos <maximedevos@telenet.be>2021-02-14 12:57:32 +0100
committerLudovic Courtès <ludo@gnu.org>2021-03-10 18:01:47 +0100
commit520bac7ed00a949a0391ad680de65a1498105c2b (patch)
tree15d2267b31ca62c0ef8b201aa700726aa310fa34 /gnu/services/certbot.scm
parent1a1d0fe505da18c1f43996fb7eb3652e42250d0a (diff)
downloadguix-520bac7ed00a949a0391ad680de65a1498105c2b.tar
guix-520bac7ed00a949a0391ad680de65a1498105c2b.tar.gz
services: Prevent following symlinks during activation.
This addresses a potential security issue, where a compromised service could trick the activation code in changing the permissions, owner and group of arbitrary files. However, this patch is currently only a partial fix, due to a TOCTTOU (time-of-check to time-of-use) race, which can be fixed once guile has bindings to openat and friends. Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html> * gnu/build/activation.scm: new procedure 'mkdir-p/perms'. * gnu/services/authentication.scm (%nslcd-activation, nslcd-service-type): use new procedure. * gnu/services/cups.scm (%cups-activation): likewise. * gnu/services/dbus.scm (dbus-activation): likewise. * gnu/services/dns.scm (knot-activation): likewise. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/services/certbot.scm')
0 files changed, 0 insertions, 0 deletions