me/guix
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues/pull-requests.
guix/gnu/services
Maxime Devos 520bac7ed0
services: Prevent following symlinks during activation.
This addresses a potential security issue, where a compromised
service could trick the activation code into changing the permissions,
owner and group of arbitrary files.  However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.

Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>

* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
  (%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2021-03-10 18:01:47 +01:00
admin.scm
audio.scm
auditd.scm
authentication.scm services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
avahi.scm
base.scm services: shepherd: 'shepherd-service-type' requires documentation. 2021-01-13 22:24:18 +01:00
certbot.scm
cgit.scm
configuration.scm
cuirass.scm services: cuirass: Remove simple cuirass configuration. 2021-03-10 09:05:02 +01:00
cups.scm services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
databases.scm services: postgresql-roles: Fix race condition. 2021-02-23 11:00:18 +01:00
dbus.scm services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
desktop.scm
dict.scm
dns.scm services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
docker.scm
file-sharing.scm services: Add transmission-daemon service. 2021-02-12 15:11:36 +08:00
games.scm
ganeti.scm
getmail.scm
guix.scm services: guix-build-coordinator: Add dynamic auth with file record. 2021-03-05 09:29:58 +00:00
herd.scm
hurd.scm
kerberos.scm
linux.scm gnu: Remove 'file-systems requirement from kernel-module-loader. 2021-02-08 03:34:40 +01:00
lirc.scm
mail.scm
mcron.scm
messaging.scm
monitoring.scm
networking.scm services: tor: Add control-socket? option. 2021-02-22 10:03:02 -05:00
nfs.scm gnu: services: Fix the NFS service. 2021-02-05 17:19:10 -05:00
nix.scm
pam-mount.scm
pm.scm
rsync.scm
science.scm
sddm.scm
security-token.scm
shepherd.scm services: shepherd: Make 'assert-valid-graph' public. 2021-03-03 14:19:26 +01:00
sound.scm
spice.scm
ssh.scm
syncthing.scm services: Add syncthing service. 2021-01-12 14:40:36 +03:00
sysctl.scm
telephony.scm
version-control.scm
virtualization.scm services: qemu-binfmt: 'guix-support?' defaults to #t. 2021-01-16 22:38:17 +01:00
vpn.scm services: wireguard: New service. 2021-02-17 10:32:15 +01:00
web.scm services: Add Agate Gemini service. 2021-02-15 13:35:04 +01:00
xorg.scm services: Add 'xorg-server-service-type'. 2021-02-11 17:01:43 +08:00