services: syslog: Create log files as non-world-readable.

Partly fixes <https://bugs.gnu.org/40405>. Reported by Diego Nicola Barbato <dnbarbato@posteo.de>. * gnu/services/base.scm (syslog-service-type): Change 'start' method to set umask to #o137 before spawning syslogd. * gnu/tests/base.scm (run-basic-test)["/var/log/messages is not world-readable"]: New test.
author: Ludovic Courtès <ludo@gnu.org> 2020-04-06 23:50:27 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2020-04-06 23:56:24 +0200
commit: d7113bb655ff80a868a9e624c913f9d23e6c63ad (patch)
tree: 1c1f31c9cdbd52650ad5b4e7dab67f0355c2ad28
parent: 42a87136f0c99c0f1956e053d92f23bf096bddb6 (diff)
download: patches-d7113bb655ff80a868a9e624c913f9d23e6c63ad.tar
patches-d7113bb655ff80a868a9e624c913f9d23e6c63ad.tar.gz
2 files changed, 19 insertions, 4 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index a0179c0259..f802005e3c 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1436,10 +1436,17 @@ Service Switch}, for an example."
       (documentation "Run the syslog daemon (syslogd).")
       (provision '(syslogd))
       (requirement '(user-processes))
-      (start #~(make-forkexec-constructor
-                (list #$(syslog-configuration-syslogd config)
-                      "--rcfile" #$(syslog-configuration-config-file config))
-                #:pid-file "/var/run/syslog.pid"))
+      (start #~(let ((spawn (make-forkexec-constructor
+                             (list #$(syslog-configuration-syslogd config)
+                                   "--rcfile"
+                                   #$(syslog-configuration-config-file config))
+                             #:pid-file "/var/run/syslog.pid")))
+                 (lambda ()
+                   ;; Set the umask such that file permissions are #o640.
+                   (let ((mask (umask #o137))
+                         (pid  (spawn)))
+                     (umask mask)
+                     pid))))
       (stop #~(make-kill-destructor))))))
 
 ;; Snippet adapted from the GNU inetutils manual.
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index 37b83dc7ec..fe63cecbd0 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -195,6 +195,14 @@ info --version")
                      (pk 'services services)
                      '(root #$@(operating-system-shepherd-service-names os)))))
 
+          (test-equal "/var/log/messages is not world-readable"
+            #o640                                ;<https://bugs.gnu.org/40405>
+            (begin
+              (wait-for-file "/var/log/messages" marionette
+                             #:read 'get-u8)
+              (marionette-eval '(stat:perms (lstat "/var/log/messages"))
+                               marionette)))
+
           (test-assert "homes"
             (let ((homes
                    '#$(map user-account-home-directory
author	Ludovic Courtès <ludo@gnu.org>	2020-04-06 23:50:27 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2020-04-06 23:56:24 +0200
commit	d7113bb655ff80a868a9e624c913f9d23e6c63ad (patch)
tree	1c1f31c9cdbd52650ad5b4e7dab67f0355c2ad28
parent	42a87136f0c99c0f1956e053d92f23bf096bddb6 (diff)
download	patches-d7113bb655ff80a868a9e624c913f9d23e6c63ad.tar patches-d7113bb655ff80a868a9e624c913f9d23e6c63ad.tar.gz