520bac7ed0
This addresses a potential security issue, where a compromised service could trick the activation code in changing the permissions, owner and group of arbitrary files. However, this patch is currently only a partial fix, due to a TOCTTOU (time-of-check to time-of-use) race, which can be fixed once guile has bindings to openat and friends. Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html> * gnu/build/activation.scm: new procedure 'mkdir-p/perms'. * gnu/services/authentication.scm (%nslcd-activation, nslcd-service-type): use new procedure. * gnu/services/cups.scm (%cups-activation): likewise. * gnu/services/dbus.scm (dbus-activation): likewise. * gnu/services/dns.scm (knot-activation): likewise. Signed-off-by: Ludovic Courtès <ludo@gnu.org> |
||
---|---|---|
.. | ||
admin.scm | ||
audio.scm | ||
auditd.scm | ||
authentication.scm | ||
avahi.scm | ||
base.scm | ||
certbot.scm | ||
cgit.scm | ||
configuration.scm | ||
cuirass.scm | ||
cups.scm | ||
databases.scm | ||
dbus.scm | ||
desktop.scm | ||
dict.scm | ||
dns.scm | ||
docker.scm | ||
file-sharing.scm | ||
games.scm | ||
ganeti.scm | ||
getmail.scm | ||
guix.scm | ||
herd.scm | ||
hurd.scm | ||
kerberos.scm | ||
linux.scm | ||
lirc.scm | ||
mail.scm | ||
mcron.scm | ||
messaging.scm | ||
monitoring.scm | ||
networking.scm | ||
nfs.scm | ||
nix.scm | ||
pam-mount.scm | ||
pm.scm | ||
rsync.scm | ||
science.scm | ||
sddm.scm | ||
security-token.scm | ||
shepherd.scm | ||
sound.scm | ||
spice.scm | ||
ssh.scm | ||
syncthing.scm | ||
sysctl.scm | ||
telephony.scm | ||
version-control.scm | ||
virtualization.scm | ||
vpn.scm | ||
web.scm | ||
xorg.scm |