|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files. However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.
Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>
* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
(%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* gnu/services/authentication.scm (nslcd-service-type, nslcd-configuration,
%nslcd-accounts): New variables.
(uglify-field-name, value->string, serialize-field, serialize-list,
ssl-option?, tls-reqcert-option?, deref-option?,
comma-separated-list-of-strings?, serialize-ignore-users-option, log-option?,
serialize-log-option, valid-map?, scope-option?, serialize-scope-option,
map-entry?, list-of-map-entries?, filter-entry?, list-of-filter-entries?,
serialize-filter-entry, serialize-list-of-filter-entries, serialize-map-entry,
serialize-list-of-map-entries, nslcd-config-file, nslcd-etc-service,
nslcd-shepherd-service, pam-ldap-pam-services, pam-ldap-pam-service,
generate-nslcd-documentation): New procedures.
* gnu/tests/ldap.scm: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
* doc/guix.texi (LDAP Services): Document it.
|