diff options
| author | Ludovic Courtès <ludo@gnu.org> | 2024-10-14 23:12:25 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2024-11-03 22:48:36 +0100 |
| commit | e7a445571d0e45be96894bc6b298b67ceb2f3989 (patch) | |
| tree | d5162c6ab480a7ede1e59af641b21ebb01107e2d /gnu/services | |
| parent | cf46aa7192d72a450dc0132c6360ca55595b3139 (diff) | |
| download | guix-e7a445571d0e45be96894bc6b298b67ceb2f3989.tar guix-e7a445571d0e45be96894bc6b298b67ceb2f3989.tar.gz | |
services: cuirass: Run ‘remote-worker’ under its own user/group.
The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass
commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023).
* gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New
variable.
(cuirass-remote-worker-shepherd-service): Pass ‘--user’.
(cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE
extension.
Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/cuirass.scm | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index f68b4dc5a2..187766bc99 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -384,6 +384,19 @@ (private-key cuirass-remote-worker-configuration-private-key ;string (default #f))) +(define %cuirass-remote-worker-accounts + ;; User account and group for the 'cuirass remote-worker' process. + (list (user-group + (name "cuirass-worker") + (system? #t)) + (user-account + (name "cuirass-worker") + (group name) + (system? #t) + (comment "Cuirass worker privilege separation user") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin"))))) + (define (cuirass-remote-worker-shepherd-service config) "Return a <shepherd-service> for the Cuirass remote worker service with CONFIG." @@ -397,6 +410,7 @@ CONFIG." (start #~(make-forkexec-constructor (list (string-append #$cuirass "/bin/cuirass") "remote-worker" + "--user=cuirass-worker" ;drop privileges early on (string-append "--workers=" #$(number->string workers)) #$@(if server @@ -444,6 +458,8 @@ CONFIG." (extensions (list (service-extension shepherd-root-service-type cuirass-remote-worker-shepherd-service) + (service-extension account-service-type + (const %cuirass-remote-worker-accounts)) (service-extension rottlog-service-type cuirass-remote-worker-log-rotations))) (description |