authorLudovic Courtès <ludo@gnu.org>2020-04-06 23:50:27 +0200
committerLudovic Courtès <ludo@gnu.org>2020-04-06 23:56:24 +0200
commitd7113bb655ff80a868a9e624c913f9d23e6c63ad (patch)
tree1c1f31c9cdbd52650ad5b4e7dab67f0355c2ad28 /gnu/services
parent42a87136f0c99c0f1956e053d92f23bf096bddb6 (diff)
services: syslog: Create log files as non-world-readable.
Partly fixes <https://bugs.gnu.org/40405>. Reported by Diego Nicola Barbato <dnbarbato@posteo.de>. * gnu/services/base.scm (syslog-service-type): Change 'start' method to set umask to #o137 before spawning syslogd. * gnu/tests/base.scm (run-basic-test)["/var/log/messages is not world-readable"]: New test.
Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/base.scm15
1 files changed, 11 insertions, 4 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a0179c0259..f802005e3c 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1436,10 +1436,17 @@ Service Switch}, for an example."
(documentation "Run the syslog daemon (syslogd).")
(provision '(syslogd))
(requirement '(user-processes))
- (start #~(make-forkexec-constructor
- (list #$(syslog-configuration-syslogd config)
- "--rcfile" #$(syslog-configuration-config-file config))
- #:pid-file "/var/run/syslog.pid"))
+ (start #~(let ((spawn (make-forkexec-constructor
+ (list #$(syslog-configuration-syslogd config)
+ "--rcfile"
+ #$(syslog-configuration-config-file config))
+ #:pid-file "/var/run/syslog.pid")))
+ (lambda ()
+ ;; Set the umask such that file permissions are #o640.
+ (let ((mask (umask #o137))
+ (pid (spawn)))
+ (umask mask)
+ pid))))
(stop #~(make-kill-destructor))))))
;; Snippet adapted from the GNU inetutils manual.
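Review bot: The new `start` thunk binds `mask` and `pid` in a plain `let`, and Scheme leaves the evaluation order of `let` initialisers unspecified, so nothing guarantees `(umask #o137)` runs before `(spawn)`. If the order is ever swapped, syslogd is forked with the old umask and the log files stay world-readable with no error. Using `(let* ((mask (umask #o137))` makes the ordering explicit. Separately, if `(spawn)` raises, `(umask mask)` is never reached and the calling process would presumably keep the restrictive mask for whatever it starts next; wrapping the spawn in `dynamic-wind` would restore it on every exit path. The umask only governs files syslogd creates after this point, so log files that already exist keep their current mode, which may be the unaddressed part of the "Partly fixes" in the commit message.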