On Tue, Aug 30, 2022 at 1:10 PM Thompson, David <dthomps...@worcester.edu> wrote:
>
> Hi Guix,
>
> Issue 56444 (https://issues.guix.gnu.org/56444) was caused by the
> activate-users+groups procedure in (gnu build activation) unconditionally
> setting all user home directory permission bits to 700. The fix for that bug
> was to set the bits for a particular user to 750 in a service activation
> script. The fix is quite imperfect, however, because during system
> reconfiguration the bits are temporarily reset back to 700 by
> activate-users+groups, breaking Guix's promise of atomicity. The proper fix
> would be to add something like a 'home-directory-permission-bits' field to
> <user-account>, which defaults to 700, and have activate-users+groups use
> that value. This way, there will no longer be an unknown amount of time
> where the bits are reset and potentially breaking some service during that
> time.
Finally got around to writing a patch for this!

- Dave
From 013ad524971dc6ea810fe3b92042c039cecd2f8a Mon Sep 17 00:00:00 2001 From: David Thompson <dthomps...@worcester.edu> Date: Sat, 14 Jan 2023 10:53:16 -0500 Subject: [PATCH 1/2] gnu: system: Add home-directory-permissions field to <user-account>. * gnu/system/accounts.scm (<user-account>)[home-directory-permissions]: New field. (user-account-home-directory-permissions): New accessor. * gnu/build/activation.scm (activate-users+groups): Use home directory permission bits from the user account object. * doc/guix.texi (User Accounts): Document new field. --- doc/guix.texi | 4 ++++ gnu/build/activation.scm | 6 +++--- gnu/system/accounts.scm | 3 +++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index c07ec89b2f..52548c3dfa 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17337,6 +17337,10 @@ administrator's choice; reconfiguring does @emph{not} change their name. @item @code{home-directory} This is the name of the home directory for the account. +@item @code{home-directory-permissions} (default: @code{#o700}) +The permission bits for the home directory. By default, full access is +granted to the user account and all other access is denied. + @item @code{create-home-directory?} (default: @code{#t}) Indicates whether the home directory of this account should be created if it does not exist yet. diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index eea2233563..fd043ca131 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm 
@@ -162,14 +162,14 @@ (define (activate-users+groups users groups) group records) are all available." (define (make-home-directory user) (let ((home (user-account-home-directory user)) + (home-permissions (user-account-home-directory-permissions user)) (pwd (getpwnam (user-account-name user)))) (mkdir-p home) ;; Always set ownership and permissions for home directories of system - ;; accounts. If a service needs looser permissions on its home - ;; directories, it can always chmod it in an activation snippet. + ;; accounts. (chown home (passwd:uid pwd) (passwd:gid pwd)) - (chmod home #o700))) + (chmod home home-permissions))) (define system-accounts (filter (lambda (user) diff --git a/gnu/system/accounts.scm b/gnu/system/accounts.scm index 586cff1842..dd6930c619 100644 --- a/gnu/system/accounts.scm +++ b/gnu/system/accounts.scm @@ -28,6 +28,7 @@ (define-module (gnu system accounts) user-account-supplementary-groups user-account-comment user-account-home-directory + user-account-home-directory-permissions user-account-create-home-directory? user-account-shell user-account-system? @@ -69,6 +70,8 @@ (define-record-type* <user-account> (comment user-account-comment (default "")) (home-directory user-account-home-directory (thunked) (default (default-home-directory this-record))) + (home-directory-permissions user-account-home-directory-permissions + (default #o700)) (create-home-directory? user-account-create-home-directory? ;Boolean (default #t)) (shell user-account-shell ; gexp -- 2.38.1
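Review bot: the new @item for @code{home-directory-permissions} in doc/guix.texi should state when the bits take effect: make-home-directory applies them with chmod on every activation, not only when the directory is first created, so a mode set by hand (or by a chmod in a service activation snippet, as the old workaround did) is overwritten at the next reconfigure or boot. Saying so, together with one concrete value such as "@code{#o750} to let the account's group traverse the directory", would make clear that this field is now the supported way to loosen the mode and that the value is an octal integer.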
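Review bot: in the gnu/build/activation.scm hunk, the deleted comment lines were the only hint to service authors about how to obtain looser permissions; rather than dropping them, point at the replacement, e.g. ";; accounts, using the bits from the 'home-directory-permissions' field." so that the comment still explains why a chmod done elsewhere is reverted here.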
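Review bot: the new home-directory-permissions field in gnu/system/accounts.scm accepts any value and passes it straight to chmod; a decimal slip such as 750 instead of #o750 would silently apply an unintended mode to a home directory. A sanitize clause on the field, e.g. "(sanitize (lambda (bits) (unless (and (exact-integer? bits) (<= 0 bits #o7777)) (raise ...)) bits))", would reject that at evaluation time; whether setuid/setgid/sticky bits above #o777 should be allowed on a home directory is worth deciding explicitly in that check.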