Ludovic Courtès <l...@gnu.org> writes:
> Hi Edouard,
>
> Edouard Klein <e...@rdklein.fr> skribis:
>
>>> I wonder to what extent the combination of ‘make-inetd-constructor’ and
>>> ‘least-authority-wrapper’ would fit the bill for you? (This is currently
>>> used for the bitlbee, dicod, and rsync services.) It seems to address
>>> the main shortcomings listed in Section 1.
>
> [...]
>
>> It sure would be nice if shepherd could be used to manage those daemons,
>> just to avoid having two concurrent systems doing the same kind of work,
>> but I'd still need a way to monitor the /run/listen directory, and start
>> and stop shepherd services on the fly. It is probably doable, but it
>> is a huge refactor.
>
> To be clear, ‘least-authority-wrapper’ is already used for a handful of
> services¹. I’m curious whether /run/listen is still necessary in that
> context?
>

First, I made a typo: it's /srv/listen/ that needs monitoring; /run/listen
is where the services can put sockets to communicate with the rest of the
system.

Then, one of the points of listen is to allow access control on a
per-user, per-port basis: the permission of e.g. /srv/listen/tcp79 will
decide who can fiddle with the finger server. It is the reason why one
needs something to monitor the directory and start/stop services based on
its content.

> Ludo’.
>
> ¹ The first implementation of this idea was
> <https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/>.