services: cuirass: Run ‘remote-worker’ under its own user/group.

The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023). * gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New variable. (cuirass-remote-worker-shepherd-service): Pass ‘--user’. (cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE extension. Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
2025-10-02 02:15:12 +00:00 · 2024-10-14 23:12:25 +02:00 · 2024-10-14 23:12:25 +02:00 · e7a445571d
commit e7a445571d
parent cf46aa7192
1 changed files with 16 additions and 0 deletions
--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@ -384,6 +384,19 @@
  (private-key      cuirass-remote-worker-configuration-private-key ;string
                    (default #f)))

+(define %cuirass-remote-worker-accounts
+  ;; User account and group for the 'cuirass remote-worker' process.
+  (list (user-group
+         (name "cuirass-worker")
+         (system? #t))
+        (user-account
+         (name "cuirass-worker")
+         (group name)
+         (system? #t)
+         (comment "Cuirass worker privilege separation user")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin")))))
+
 (define (cuirass-remote-worker-shepherd-service config)
  "Return a <shepherd-service> for the Cuirass remote worker service with
 CONFIG."
@ -397,6 +410,7 @@ CONFIG."
           (start #~(make-forkexec-constructor
                     (list (string-append #$cuirass "/bin/cuirass")
                           "remote-worker"
+                           "--user=cuirass-worker" ;drop privileges early on
                           (string-append "--workers="
                                          #$(number->string workers))
                           #$@(if server
@ -444,6 +458,8 @@ CONFIG."
   (extensions
    (list (service-extension shepherd-root-service-type
                             cuirass-remote-worker-shepherd-service)
+          (service-extension account-service-type
+                             (const %cuirass-remote-worker-accounts))
          (service-extension rottlog-service-type
                             cuirass-remote-worker-log-rotations)))
   (description