services: guix: Add access control to daemon socket.

* gnu/services/base.scm (guix-configuration-socket-directory-{permissions,group,user}): New fields. (guix-shepherd-service): Use them. * doc/guix.texi (Base Services): Document them. Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2026-04-06 21:20:33 +02:00 · 2024-10-19 22:43:27 -05:00
parent e5d64e87d4
commit 6a8a6171a7
2 changed files with 46 additions and 4 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19822,6 +19822,18 @@ A directory path where the @command{guix-daemon} will perform builds.
 Environment variables to be set before starting the daemon, as a list of
@code{key=value} strings.

+@item @code{socket-directory-permissions} (default: @code{#o755})
+Permissions to set for the directory @file{/var/guix/daemon-socket}.
+This, together with @code{socket-directory-group} and
+@code{socket-directory-user}, determines who can connect to the build
+daemon via its Unix socket.  TCP socket operation is unaffected by
+these.
+
+@item @code{socket-directory-user} (default: @code{#f})
+@itemx @code{socket-directory-group} (default: @code{#f})
+User and group owning the @file{/var/guix/daemon-socket} directory or
+@code{#f} to keep the user or group as root.
+
@end table
@end deftp

--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1888,7 +1888,14 @@ archive' public keys, with GUIX."
  (build-machines   guix-configuration-build-machines ;list of gexps | '()
                    (default '()))
  (environment      guix-configuration-environment  ;list of strings
-                    (default '())))
+                    (default '()))
+  (socket-directory-permissions
+   guix-configuration-socket-directory-permissions
+   (default #o755))
+  (socket-directory-group guix-configuration-socket-directory-group
+                          (default #f))
+  (socket-directory-user guix-configuration-socket-directory-user
+                         (default #f)))

 (define %default-guix-configuration
  (guix-configuration))
@@ -1952,7 +1959,9 @@ proxy of 'guix-daemon'...~%")
    (guix build-group build-accounts authorize-key? authorized-keys
          use-substitutes? substitute-urls max-silent-time timeout
          log-compression discover? extra-options log-file
-          http-proxy tmpdir chroot-directories environment)
+          http-proxy tmpdir chroot-directories environment
+          socket-directory-permissions socket-directory-group
+          socket-directory-user)
    (list (shepherd-service
           (documentation "Run the Guix daemon.")
           (provision '(guix-daemon))
@@ -1962,11 +1971,13 @@ proxy of 'guix-daemon'...~%")
                          shepherd-discover-action))
           (modules '((srfi srfi-1)
                      (ice-9 match)
-                      (gnu build shepherd)))
+                      (gnu build shepherd)
+                      (guix build utils)))
           (start
            (with-imported-modules `(((guix config) => ,(make-config.scm))
                                     ,@(source-module-closure
-                                        '((gnu build shepherd))
+                                        '((gnu build shepherd)
+                                          (guix build utils))
                                        #:select? not-config?))
              #~(lambda args
                  (define proxy
@@ -1977,6 +1988,25 @@ proxy of 'guix-daemon'...~%")
                  (define discover?
                    (or (getenv "discover") #$discover?))

+                  (mkdir-p "/var/guix")
+                  ;; Ensure that a fresh directory is used, in case the old
+                  ;; one was more permissive and processes have a file
+                  ;; descriptor referencing it hanging around, ready to use
+                  ;; with openat.
+                  (false-if-exception
+                   (delete-file-recursively "/var/guix/daemon-socket"))
+                  (let ((perms #$(logand socket-directory-permissions
+                                         (lognot #o022))))
+                    (mkdir "/var/guix/daemon-socket" perms)
+                    ;; Override umask
+                    (chmod "/var/guix/daemon-socket" perms))
+
+                  (let* ((user #$socket-directory-user)
+                         (uid (if user (passwd:uid (getpwnam user)) -1))
+                         (group #$socket-directory-group)
+                         (gid (if group (group:gid (getgrnam group)) -1)))
+                    (chown "/var/guix/daemon-socket" uid gid))
+
                  ;; Start the guix-daemon from a container, when supported,
                  ;; to solve an installation issue. See the comment below for
                  ;; more details.