services: cuirass: Run ‘remote-worker’ under its own user/group.
The ‘--user’ option was added to ‘cuirass remote-worker’ in Cuirass commit 3a6abc17f904f38098d3ab08e9d82de2e821d348 (Nov. 2023). * gnu/services/cuirass.scm (%cuirass-remote-worker-accounts): New variable. (cuirass-remote-worker-shepherd-service): Pass ‘--user’. (cuirass-remote-worker-service-type): Add ACCOUNT-SERVICE-TYPE extension. Change-Id: I075ea02b6972adcad0a75e330073e85c4dacbbc5
This commit is contained in:
parent
cf46aa7192
commit
e7a445571d
1 changed files with 16 additions and 0 deletions
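--- a/gnu/services/cuirass.scm
+++ b/gnu/services/cuirass.scm
@@ -384,6 +384,19 @@
 (private-key cuirass-remote-worker-configuration-private-key ;string
 (default #f)))
 
+(define %cuirass-remote-worker-accounts
+;; User account and group for the 'cuirass remote-worker' process.
+(list (user-group
+(name "cuirass-worker")
+(system? #t))
+(user-account
+(name "cuirass-worker")
+(group name)
+(system? #t)
+(comment "Cuirass worker privilege separation user")
+(home-directory "/var/empty")
+(shell (file-append shadow "/sbin/nologin")))))
+
 (define (cuirass-remote-worker-shepherd-service config)
 "Return a <shepherd-service> for the Cuirass remote worker service with
 CONFIG."
@@ -397,6 +410,7 @@ CONFIG."
 (start #~(make-forkexec-constructor
 (list (string-append #$cuirass "/bin/cuirass")
 "remote-worker"
+"--user=cuirass-worker" ;drop privileges early on
 (string-append "--workers="
 #$(number->string workers))
 #$@(if server
@@ -444,6 +458,8 @@ CONFIG."
 (extensions
 (list (service-extension shepherd-root-service-type
 cuirass-remote-worker-shepherd-service)
+(service-extension account-service-type
+(const %cuirass-remote-worker-accounts))
 (service-extension rottlog-service-type
 cuirass-remote-worker-log-rotations)))
 (description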
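Review bot: The account name `"cuirass-worker"` is spelled out three times — in the `user-group` and `user-account` of the first hunk and again in the `"--user=cuirass-worker"` flag of the second — so editing one of them silently desynchronises the privilege drop from the account that is actually created; a single `(define %cuirass-remote-worker-user "cuirass-worker")` used as `(name %cuirass-remote-worker-user)` in both records and as `(string-append "--user=" %cuirass-remote-worker-user)` in the command line would keep them in step. Because the worker now runs as that unprivileged user, anything it opens after the drop must be readable by it; the key named by the `private-key` field (context in the first hunk) is the obvious candidate, though whether it is read before or after the drop is not visible here. A sentence in the record's documentation noting that the private key file must be readable by the `cuirass-worker` account would spare operators a failing service. The `--user` option also only exists in Cuirass from the commit named in the description, so the docstring of cuirass-remote-worker-shepherd-service could state that minimum. The enclosing record definition and the shepherd-service body both extend outside the hunks.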