[shepherd] 02/02: support: ‘mkdir-p’ sets permissions when directory alr
From: Ludovic Courtès
Subject: [shepherd] 02/02: support: ‘mkdir-p’ sets permissions when directory already exists.
Date: Tue, 19 Dec 2023 17:26:09 -0500 (EST)
civodul pushed a commit to branch main
in repository shepherd.
commit 9dfeb4ecd6429135f5fb8ceb6d43ae7054fbc193
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Tue Dec 19 23:21:03 2023 +0100
support: ‘mkdir-p’ sets permissions when directory already exists.
Previously, when DIR already exists, ‘mkdir-p’ would leave its
permissions unchanged.
* modules/shepherd/support.scm (mkdir-p): When COMPONENTS is empty and
MODE is true, call ‘chmod’.
* tests/systemd.sh: Create $service_socket_dir with 0755.
* NEWS: Update.
---
NEWS | 4 ++++
modules/shepherd/support.scm | 7 +++++--
tests/systemd.sh | 5 +++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 46803d5..184f5d6 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,10 @@ root) with permissions 755. This is now fixed, with
ownership set according
to #:socket-owner and #:socket-group of the endpoint, and permissions on the
socket set to 666.
+Likewise, #:socket-directory-permissions was previously ignored when the
+socket’s directory already existed prior to creating the endpoint, potentially
+leading to unexpectedly wide access to the socket. This is now fixed.
+
** New #:respawn-delay parameter to ‘service’
(<https://issues.guix.gnu.org/64665>)
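Review bot: The added NEWS paragraph says #:socket-directory-permissions is no longer ignored for an existing directory, but it does not say that the fix works by changing the mode of a directory Shepherd did not create. Consider stating that explicitly, for example "the directory's permissions are now reset to #:socket-directory-permissions", so administrators who pre-create the directory with a different mode know it will be overwritten.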
diff --git a/modules/shepherd/support.scm b/modules/shepherd/support.scm
index 75e25df..0b3de7c 100644
--- a/modules/shepherd/support.scm
+++ b/modules/shepherd/support.scm
@@ -225,7 +225,8 @@ output port, and PROC's result is returned."
(catch-system-error (delete-file template))))))
(define* (mkdir-p dir #:optional mode) ;copied from Guix
- "Create directory DIR and all its ancestors."
+ "Create directory DIR and all its ancestors. Ensure DIR itself has the
+given MODE."
(define absolute?
(string-prefix? "/" dir))
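Review bot: The new docstring sentence promises that DIR ends up with MODE unconditionally, yet MODE is #:optional and the chmod added later in this patch runs only under `(when mode ...)`. Suggest wording it as "When MODE is true, ensure DIR itself has that mode, even if DIR already exists", and saying whether the ancestors are affected, since the first sentence still reads "DIR and all its ancestors".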
@@ -254,7 +255,9 @@ output port, and PROC's result is returned."
(and st (eq? 'directory (stat:type st)))))
(loop tail path)
(apply throw args))))))
- (() #t))))
+ (()
+ (when mode
+ (chmod dir mode))))))
(define-syntax-rule (with-directory-excursion dir body ...) ;copied from Guix
"Run BODY with DIR as the process's current directory."
diff --git a/tests/systemd.sh b/tests/systemd.sh
index 8a3b706..42a5af0 100644
--- a/tests/systemd.sh
+++ b/tests/systemd.sh
@@ -28,6 +28,11 @@ service_socket="$service_socket_dir/socket"
herd="herd -s $socket"
+# Create the socket directory with permissions other than those specified in
+# the endpoint.
+mkdir -p "$service_socket_dir"
+chmod 755 "$service_socket_dir"
+
trap "cat $log || true; rm -r $service_socket_dir $socket $conf $log;
test -f $pid && kill \`cat $pid\` || true; rm -f $pid" EXIT
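Review bot: The added lines only set up the precondition (directory present with mode 755); nothing in this hunk checks that the mode is different afterwards. If the rest of the script does not already assert the directory's mode once the endpoint has been created, add a check, for example comparing the output of `stat -c %a "$service_socket_dir"` with the value given in the endpoint, so the test fails if `mkdir-p` stops applying MODE to an existing directory.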