GNU bug report logs

#40405 System log files are world readable


Report forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Fri, 03 Apr 2020 13:20:02 GMT) (full text, mbox, link).


Acknowledgement sent to Diego Nicola Barbato <dnbarbato@posteo.de>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 03 Apr 2020 13:20:02 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Diego Nicola Barbato <dnbarbato@posteo.de>
To: bug-guix@gnu.org
Subject: System log files are world readable
Date: Fri, 03 Apr 2020 15:19:34 +0200
Hey Guix,

On Guix System the log files (in /var/log) generated by syslogd are
currently (commit 151f3d4) world readable.  They should probably only be
readable by root (for the same reason that dmesg can only be run by
root).

It isn't possible to set the umask with fork-exec-constructor, is it?
Otherwise that might have been a simple solution.

Regards,

Diego




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Fri, 03 Apr 2020 13:35:01 GMT) (full text, mbox, link).


Message #8 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Diego Nicola Barbato <dnbarbato@posteo.de>
To: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Fri, 03 Apr 2020 15:34:17 +0200
Diego Nicola Barbato <dnbarbato@posteo.de> writes:

> Hey Guix,
>
> On Guix System the log files (in /var/log) generated by syslogd are
> currently (commit 151f3d4) world readable.  They should probably only be
> readable by root (for the same reason that dmesg can only be run by
> root).
>
> It isn't possible to set the umask with fork-exec-constructor, is it?
                                          ^^^^^^^^^^^^^^^^^^^^^
That should be 'make-forkexec-constructor'.  Sorry for the noise.

> Otherwise that might have been a simple solution.
>
> Regards,
>
> Diego




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Sun, 05 Apr 2020 21:33:06 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Sun, 05 Apr 2020 22:13:02 GMT) (full text, mbox, link).


Message #13 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Cc: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Mon, 06 Apr 2020 00:12:39 +0200
[Message part 1 (text/plain, inline)]
Hi,

Diego Nicola Barbato <dnbarbato@posteo.de> skribis:

> On Guix System the log files (in /var/log) generated by syslogd are
> currently (commit 151f3d4) world readable.  They should probably only be
> readable by root (for the same reason that dmesg can only be run by
> root).
>
> It isn't possible to set the umask with fork-exec-constructor, is it?
> Otherwise that might have been a simple solution.

That would be a nice solution to implement in the Shepherd.  If you feel
like giving it a try, that would be great!

In the meantime, the patch below fixes the syslogd problem.  Also
attached is a patch for the accounting database, though that one is
questionable.

Thoughts?

Thanks,
Ludo’.

[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/services.scm b/gnu/services.scm
index 7941cd3af0..d631e8dd32 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -528,15 +528,20 @@ ACTIVATION-SCRIPT-TYPE."
                       (use-modules (gnu build activation)
                                    (guix build utils))
 
+                      (define (ensure-file-exists file)
+                        (let ((port (open-file file "a0")))
+                          (chmod port #o640)
+                          (close-port port)))
+
                       ;; Make sure the user accounting database exists.  If it
                       ;; does not exist, 'setutxent' does not create it and
                       ;; thus there is no accounting at all.
-                      (close-port (open-file "/var/run/utmpx" "a0"))
+                      (ensure-file-exists "/var/run/utmpx")
 
                       ;; Same for 'wtmp', which is populated by mingetty et
                       ;; al.
                       (mkdir-p "/var/log")
-                      (close-port (open-file "/var/log/wtmp" "a0"))
+                      (ensure-file-exists "/var/log/wtmp")
 
                       ;; Set up /run/current-system.  Among other things this
                       ;; sets up locales, which the activation snippets
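Review bot: 'ensure-file-exists' chmods /var/run/utmpx and /var/log/wtmp to #o640 on every activation, which makes the user accounting database unreadable to anyone but root and the file's group; 'who', 'w' and 'last' read these files, so they stop working for ordinary users (on many distributions utmp/wtmp are deliberately group-readable by a dedicated group for that reason). That is presumably the "questionable" part of this patch; if it is kept, consider a dedicated group with mode #o664 rather than #o640, or leave these two files out of this change. Note also that, unlike the umask change for syslogd, this chmod runs on the already-open file, so it does retroactively tighten files that exist from before the fix.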
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 8d9a563e2b..e59b6fea80 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1436,10 +1436,17 @@ Service Switch}, for an example."
       (documentation "Run the syslog daemon (syslogd).")
       (provision '(syslogd))
       (requirement '(user-processes))
-      (start #~(make-forkexec-constructor
-                (list #$(syslog-configuration-syslogd config)
-                      "--rcfile" #$(syslog-configuration-config-file config))
-                #:pid-file "/var/run/syslog.pid"))
+      (start #~(let ((fork (make-forkexec-constructor
+                            (list #$(syslog-configuration-syslogd config)
+                                  "--rcfile"
+                                  #$(syslog-configuration-config-file config))
+                            #:pid-file "/var/run/syslog.pid")))
+                 (lambda ()
+                   ;; Set the umask such that file permissions are #o640.
+                   (let ((mask (umask #o137))
+                         (pid  (fork)))
+                     (umask mask)
+                     pid))))
       (stop #~(make-kill-destructor))))))
 
 ;; Snippet adapted from the GNU inetutils manual.
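Review bot: the umask swap around (fork) in the 'let' is not exception-safe: if the constructor returned by 'make-forkexec-constructor' exits non-locally, '(umask mask)' is never reached and the whole shepherd process keeps running with umask #o137, which then applies to every service started afterwards. Restore it on all exit paths with dynamic-wind, e.g. '(let ((mask #f)) (dynamic-wind (lambda () (set! mask (umask #o137))) fork (lambda () (umask mask))))'. Also worth a comment: the mask only governs files syslogd creates from now on; logs that already exist in /var/log keep their current bits.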

Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Mon, 06 Apr 2020 22:08:02 GMT) (full text, mbox, link).


Message #16 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Cc: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Tue, 07 Apr 2020 00:07:14 +0200
Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

> In the meantime, the patch below fixes the syslogd problem.  Also
> attached is a patch for the accounting database, though that one is
> questionable.

I pushed the syslog bits along with a test as commit
d7113bb655ff80a868a9e624c913f9d23e6c63ad.  (I think already
world-readable files will remain world-readable though?)

The main remaining issue here is log files created by
‘fork+exec-command’.  We’ll have to address that in the Shepherd proper,
I think.

Ludo’.




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Tue, 07 Apr 2020 00:51:01 GMT) (full text, mbox, link).


Message #19 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Bengt Richter <bokr@bokr.com>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 40405@debbugs.gnu.org, Diego Nicola Barbato <dnbarbato@posteo.de>
Subject: Re: bug#40405: System log files are world readable
Date: Tue, 7 Apr 2020 02:49:58 +0200
Hi Ludo,

On +2020-04-07 00:07:14 +0200, Ludovic Courtès wrote:
> Hi,
> 
> Ludovic Courtès <ludo@gnu.org> skribis:
> 
> > In the meantime, the patch below fixes the syslogd problem.  Also
> > attached is a patch for the accounting database, though that one is
> > questionable.
> 
> I pushed the syslog bits along with a test as commit
> d7113bb655ff80a868a9e624c913f9d23e6c63ad.  (I think already
> world-readable files will remain world-readable though?)
>

Could build daemons do some kind of maintenance rebuild to chmod them?
And maybe be scheduled to monitor new files for other mistakes as well?

Meanwhile, could a superuser chmod them without affecting hashes?
(curious as to whether permission bits escape hashing).

> The main remaining issue here is log files created by
> ‘fork+exec-command’.  We’ll have to address that in the Shepherd proper,
> I think.
> 
> Ludo’.
> 
> 
> 

-- 
Regards,
Bengt Richter




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Tue, 07 Apr 2020 07:31:02 GMT) (full text, mbox, link).


Message #22 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Bengt Richter <bokr@bokr.com>
Cc: 40405@debbugs.gnu.org, Diego Nicola Barbato <dnbarbato@posteo.de>
Subject: Re: bug#40405: System log files are world readable
Date: Tue, 07 Apr 2020 09:30:29 +0200
Hi,

Bengt Richter <bokr@bokr.com> skribis:

> On +2020-04-07 00:07:14 +0200, Ludovic Courtès wrote:
>> Hi,
>> 
>> Ludovic Courtès <ludo@gnu.org> skribis:
>> 
>> > In the meantime, the patch below fixes the syslogd problem.  Also
>> > attached is a patch for the accounting database, though that one is
>> > questionable.
>> 
>> I pushed the syslog bits along with a test as commit
>> d7113bb655ff80a868a9e624c913f9d23e6c63ad.  (I think already
>> world-readable files will remain world-readable though?)
>>
>
> Could build daemons do some kind of maintenance rebuild to chmod them?
> And maybe be scheduled to monitor new files for other mistakes as well?

Yes, we could do that, I just haven’t checked if this is necessary or
thought about how to do it.

> Meanwhile, could a superuser chmod them without affecting hashes?

Definitely.  (There’s no “hashing” involved for /var/log.)

Ludo’.
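Ludo's remark above that files which already exist stay world readable, his answer to Bengt that a superuser can simply chmod them, and the #o640/#o137 arithmetic used in the syslogd patch are illustrated by the following script. It is an added example, not code from the bug thread, Guix or the Shepherd; the directory and file names are constructed for the demo, and it assumes GNU stat and find.

```shell
#!/bin/sh
# Added example (not from the bug thread, Guix or the Shepherd).  It shows,
# at the OS level, the three facts the thread turns on:
#   1. a umask set in a service constructor is inherited by the daemon it
#      forks and execs, so files the daemon creates come out #o640 under
#      umask #o137 (and #o600 under #o177, as in the test script);
#   2. an explicit mode given to open(2), such as the #o640 used for log
#      files, is still masked by the umask in force at that moment;
#   3. a file that already exists keeps its old bits, so files created
#      before the fix have to be chmod'ed by hand.
# Directory and file names are constructed for the demo.  Requires GNU
# coreutils (stat -c) and findutils.

# effective_mode REQUESTED UMASK: octal mode a *new* file gets when created
# with mode REQUESTED under umask UMASK, i.e. REQUESTED & ~UMASK & 0777.
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_of FILE: the file's permission bits in octal.
mode_of() {
    stat -c %a "$1"
}

# world_readable DIR: list regular files under DIR whose "other" read bit
# is set; the check a defender runs over /var/log after such a change.
world_readable() {
    find "$1" -type f -perm -004
}

# fix_existing DIR: remediation for files that predate the fix.  chmod only
# touches metadata, so it changes nothing a content hash would cover.
fix_existing() {
    find "$1" -type f -perm -004 -exec chmod o-rwx '{}' +
}

# demo DIR: reproduce the situation from the report inside DIR.
demo() {
    dir=$1
    mkdir -p "$dir"
    # A log created before the fix, under the usual umask 022: mode 644.
    ( umask 022; : > "$dir/old.log" )
    # After the fix the constructor sets umask 137; the child it forks and
    # execs inherits it, so the daemon's new log comes out 640.
    ( umask 137; sh -c ': > "$1"' sh "$dir/new.log" )
    # The old log is merely appended to by the daemon; its bits do not change.
    ( umask 137; echo 'new line' >> "$dir/old.log" )
}

# Stand-alone run: print the modes before and after remediation.
main() {
    d=$(mktemp -d)
    demo "$d"
    printf 'open(0640) under umask 177 gives %s\n' "$(effective_mode 640 177)"
    printf 'old.log %s  new.log %s\n' "$(mode_of "$d/old.log")" "$(mode_of "$d/new.log")"
    printf 'world readable before fix: %s\n' "$(world_readable "$d")"
    fix_existing "$d"
    printf 'world readable after fix: %s\n' "$(world_readable "$d")"
    rm -rf "$d"
}
main
```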




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Wed, 08 Apr 2020 12:34:01 GMT) (full text, mbox, link).


Message #25 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Diego Nicola Barbato <dnbarbato@posteo.de>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Wed, 08 Apr 2020 14:32:53 +0200
[Message part 1 (text/plain, inline)]
Hey,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
>
>> On Guix System the log files (in /var/log) generated by syslogd are
>> currently (commit 151f3d4) world readable.  They should probably only be
>> readable by root (for the same reason that dmesg can only be run by
>> root).
>>
>> It isn't possible to set the umask with fork-exec-constructor, is it?
>> Otherwise that might have been a simple solution.
>
> That would be a nice solution to implement in the Shepherd.  If you feel
> like giving it a try, that would be great!

I've attached two patches for the Shepherd.  The first one makes sure
that 'exec-command' creates log files with mode #o640 (I thought about
making it a parameter instead of hard coding it, but I doubt it would be
very useful).  The second one makes it possible to set the umask with
'exec-command', 'fork+exec-command', and 'make-forkexec-constructor'.  I
wasn't quite sure how to avoid a collision with the procedure umask
(would `((@ (guile) umask) umask)' have been ok?) so I named the
parameter file-creation-mask.

I haven't tested the changes.  What would be a straightforward way to
do that on Guix?  Looking at the documentation it doesn't seem possible
to swap out the shepherd package of the %shepherd-root-service with
'modify-services'. 

[...]

Regards,

Diego

[0001-service-Create-log-files-as-non-world-readable.patch (text/x-patch, inline)]
From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001
From: Diego Nicola Barbato <dnbarbato@posteo.de>
Date: Tue, 7 Apr 2020 13:58:28 +0200
Subject: [PATCH 1/2] service: Create log files as non-world-readable.

* modules/shepherd/service.scm (exec-command): Create log-file with file
  permissions #o640.
---
 modules/shepherd/service.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index fc82cc4..9a4a5d9 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -808,7 +808,7 @@ false."
              ;; Redirect stout and stderr to use LOG-FILE.
              (catch-system-error (close-fdes 1))
              (catch-system-error (close-fdes 2))
-             (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND)) 1)
+             (dup2 (open-fdes log-file (logior O_CREAT O_WRONLY O_APPEND) #o640) 1)
              (dup2 1 2))
            (lambda (key . args)
              (format (current-error-port)
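Review bot: the #o640 passed to 'open-fdes' is a creation mode, so it is still subject to the process umask (the effective mode is #o640 & ~umask) and, by O_CREAT semantics, it is only applied when LOG-FILE does not exist yet; a log file created world-readable before this change keeps its bits. If the intent is to guarantee #o640 regardless of history and of the umask shepherd inherited, follow the open with '(chmod log-file #o640)' (or fchmod on the descriptor) and say so in the docstring. Minor: the context comment reads 'stout' for 'stdout'.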
-- 
2.26.0

[0002-service-Add-file-creation-mask-to-make-forkexec-cons.patch (text/x-patch, inline)]
From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001
From: Diego Nicola Barbato <dnbarbato@posteo.de>
Date: Tue, 7 Apr 2020 13:38:47 +0200
Subject: [PATCH 2/2] service: Add #:file-creation-mask to
 'make-forkexec-constructor'.

* modules/shepherd/service.scm (exec-command): Add #:file-creation-mask
  parameter and honor it.
  (fork+exec-command): Add #:file-creation-mask parameter and pass it to
  exec-command.
  (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it
  to fork+exec-command.
* doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.
---
 doc/shepherd.texi            |  9 +++++++--
 modules/shepherd/service.scm | 22 ++++++++++++++++------
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/doc/shepherd.texi b/doc/shepherd.texi
index 3e61f5d..659eb82 100644
--- a/doc/shepherd.texi
+++ b/doc/shepherd.texi
@@ -896,10 +896,12 @@ execution of the @var{command} was successful, @code{#t} if not.
   [#:pid-file #f] [#:pid-file-timeout %pid-file-timeout] @
   [#:log-file #f] @
   [#:directory (default-service-directory)] @
+  [#:file-creation-mask #f] @
   [#:environment-variables (default-environment-variables)]
 Return a procedure that forks a child process, closes all file
 descriptors except the standard output and standard error descriptors, sets
-the current directory to @var{directory}, changes the environment to
+the current directory to @var{directory}, sets the umask to
+@var{file-creation-mask} unless it is @code{#f}, changes the environment to
 @var{environment-variables} (using the @code{environ} procedure), sets the
 current user to @var{user} and the current group to @var{group} unless they
 are @code{#f}, and executes @var{command} (a list of strings.)  The result of
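Review bot: the text now lists 'sets the umask to @var{file-creation-mask} unless it is @code{#f}' among the other setup steps, but in 'exec-command' the mask is applied after the #:log-file redirection, so it does not affect the mode of the log file itself. One sentence here would prevent a reader from expecting '#:file-creation-mask #o177' to yield a #o600 log file. It is also worth stating the expected type, e.g. an integer such as @code{#o022}.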
@@ -935,13 +937,16 @@ procedures.
   [#:group #f] @
   [#:log-file #f] @
   [#:directory (default-service-directory)] @
+  [#:file-creation-mask #f] @
   [#:environment-variables (default-environment-variables)]
 @deffnx {procedure} fork+exec-command @var{command} @
   [#:user #f] @
   [#:group #f] @
   [#:directory (default-service-directory)] @
+  [#:file-creation-mask #f] @
   [#:environment-variables (default-environment-variables)]
-Run @var{command} as the current process from @var{directory}, and with
+Run @var{command} as the current process from @var{directory}, with
+@var{file-creation-mask} if it's true, and with
 @var{environment-variables} (a list of strings like @code{"PATH=/bin"}.)
 File descriptors 1 and 2 are kept as is or redirected to @var{log-file}
 if it's true, whereas file descriptor 0
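Review bot: 'with @var{file-creation-mask} if it's true' does not say what is done with the value; suggest 'with the umask set to @var{file-creation-mask} unless it is @code{#f}', matching the wording used for 'make-forkexec-constructor' above. Separately, the @deffnx for 'fork+exec-command' lists no [#:log-file] although the procedure takes one (see the '(log-file #f)' default in the service.scm hunk below); since this patch touches both signatures, it is a good moment to add it.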
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index 9a4a5d9..d90b55b 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -771,12 +771,14 @@ daemon writing FILE is running in a separate PID namespace."
                        (group #f)
                        (log-file #f)
                        (directory (default-service-directory))
+                       (file-creation-mask #f)
                        (environment-variables (default-environment-variables)))
-  "Run COMMAND as the current process from DIRECTORY, and with
-ENVIRONMENT-VARIABLES (a list of strings like \"PATH=/bin\".)  File
-descriptors 1 and 2 are kept as is or redirected to LOG-FILE if it's true,
-whereas file descriptor 0 (standard input) points to /dev/null; all other file
-descriptors are closed prior to yielding control to COMMAND.
+  "Run COMMAND as the current process from DIRECTORY, with FILE-CREATION-MASK
+if it's true, and with ENVIRONMENT-VARIABLES (a list of strings like
+\"PATH=/bin\").  File descriptors 1 and 2 are kept as is or redirected to
+LOG-FILE if it's true, whereas file descriptor 0 (standard input) points to
+/dev/null; all other file descriptors are closed prior to yielding control to
+COMMAND.
 
 By default, COMMAND is run as the current user.  If the USER keyword
 argument is present and not false, change to USER immediately before
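Review bot: same wording issue as in the manual: 'with FILE-CREATION-MASK if it's true' leaves the reader guessing what is done with it. Suggest 'with the umask set to FILE-CREATION-MASK unless it is #f', and add that the mask is applied after LOG-FILE has been opened, since that ordering is what a caller needs to know when choosing a value.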
@@ -840,6 +842,9 @@ false."
            (print-exception (current-error-port) #f key args)
            (primitive-exit 1))))
 
+     (when file-creation-mask
+       (umask file-creation-mask))
+
      ;; As the last action, close file descriptors.  Doing it last makes
      ;; "error in the finalization thread: Bad file descriptor" issues
      ;; unlikely on 2.2.
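Review bot: placing '(umask file-creation-mask)' after the log-file redirection is the right call if the log file's mode is meant to stay at #o640 independent of the mask, but nothing says so; add a comment such as ';; Done after opening LOG-FILE so that its mode does not depend on the mask.' Unlike the redirection above, this call sits outside any 'catch': an invalid value (a string, for instance) raises in the forked child before exec. Consider validating it or handling the error the way the log-file branch does ('print-exception' then '(primitive-exit 1)') so the child reports the problem and exits cleanly.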
@@ -871,6 +876,7 @@ false."
                             (group #f)
                             (log-file #f)
                             (directory (default-service-directory))
+                            (file-creation-mask #f)
                             (environment-variables
                              (default-environment-variables)))
   "Spawn a process that executed COMMAND as per 'exec-command', and return
@@ -886,6 +892,7 @@ its PID."
                       #:group group
                       #:log-file log-file
                       #:directory directory
+                      #:file-creation-mask file-creation-mask
                       #:environment-variables environment-variables)
         pid)))
 
@@ -903,7 +910,8 @@ its PID."
     (case-lambda*
      "Return a procedure that forks a child process, closes all file
 descriptors except the standard output and standard error descriptors, sets
-the current directory to @var{directory}, changes the environment to
+the current directory to @var{directory}, sets the umask to
+@var{file-creation-mask} unless it is @code{#f}, changes the environment to
 @var{environment-variables} (using the @code{environ} procedure), sets the
 current user to @var{user} and the current group to @var{group} unless they
 are @code{#f}, and executes @var{command} (a list of strings.)  The result of
@@ -918,6 +926,7 @@ start."
                (user #f)
                (group #f)
                (directory (default-service-directory))
+               (file-creation-mask #f)
                (environment-variables (default-environment-variables))
                (pid-file #f)
                (pid-file-timeout %pid-file-timeout)
@@ -944,6 +953,7 @@ start."
                                         #:group group
                                         #:log-file log-file
                                         #:directory directory
+                                        #:file-creation-mask file-creation-mask
                                         #:environment-variables
                                         environment-variables)))
             (if pid-file
-- 
2.26.0


Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Wed, 08 Apr 2020 19:50:02 GMT) (full text, mbox, link).


Message #28 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Cc: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Wed, 08 Apr 2020 21:49:08 +0200
Diego Nicola Barbato <dnbarbato@posteo.de> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
>>
>>> On Guix System the log files (in /var/log) generated by syslogd are
>>> currently (commit 151f3d4) world readable.  They should probably only be
>>> readable by root (for the same reason that dmesg can only be run by
>>> root).
>>>
>>> It isn't possible to set the umask with fork-exec-constructor, is it?
>>> Otherwise that might have been a simple solution.
>>
>> That would be a nice solution to implement in the Shepherd.  If you feel
>> like giving it a try, that would be great!
>
> I've attached two patches for the Shepherd.  The first one makes sure
> that 'exec-command' creates log files with mode #o640 (I thought about
> making it a parameter instead of hard coding it, but I doubt it would be
> very useful).  The second one makes it possible to set the umask with
> 'exec-command', 'fork+exec-command', and 'make-forkexec-constructor'.  I
> wasn't quite sure how to avoid a collision with the procedure umask
> (would `((@ (guile) umask) umask)' have been ok?) so I named the
> parameter file-creation-mask.

Sounds good to me.

> I haven't tested the changes.  What would be a straightforward way to
> do that on Guix?  Looking at the documentation it doesn't seem possible
> to swap out the shepherd package of the %shepherd-root-service with
> 'modify-services'. 

Both patches LGTM, but you could add a couple of tests in the Shepherd
itself before testing it on Guix.

The tests/*.sh are simple shell scripts.  You could perhaps create a new
one there, run shepherd with a toy service that uses #:log-file and
creates files, and then ensure that the log file is #o640 and that
#:file-creation-mask is honored.

Does that make sense?

Then, to test it on Guix, you can run “make dist” in the Shepherd and
change the ‘shepherd’ package so that its ‘source’ points to that
tarball.  You run ‘guix system vm gnu/system/examples/bare-bones.tmpl’,
boot that, and ensure everything’s OK.

Thanks!

Ludo’.




Reply sent to Ludovic Courtès <ludo@gnu.org>:
You have taken responsibility. (Sun, 19 Apr 2020 14:29:01 GMT) (full text, mbox, link).


Notification sent to Diego Nicola Barbato <dnbarbato@posteo.de>:
bug acknowledged by developer. (Sun, 19 Apr 2020 14:29:01 GMT) (full text, mbox, link).


Message #33 received at 40405-done@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Cc: 40405-done@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Sun, 19 Apr 2020 16:28:24 +0200
Hi Diego,

Diego Nicola Barbato <dnbarbato@posteo.de> skribis:

> From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001
> From: Diego Nicola Barbato <dnbarbato@posteo.de>
> Date: Tue, 7 Apr 2020 13:58:28 +0200
> Subject: [PATCH 1/2] service: Create log files as non-world-readable.
>
> * modules/shepherd/service.scm (exec-command): Create log-file with file
>   permissions #o640.

[...]

> From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001
> From: Diego Nicola Barbato <dnbarbato@posteo.de>
> Date: Tue, 7 Apr 2020 13:38:47 +0200
> Subject: [PATCH 2/2] service: Add #:file-creation-mask to
>  'make-forkexec-constructor'.
>
> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask
>   parameter and honor it.
>   (fork+exec-command): Add #:file-creation-mask parameter and pass it to
>   exec-command.
>   (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it
>   to fork+exec-command.
> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.

I went ahead and pushed these two patches.

We’ll need to test current Shepherd master on Guix, but I feel we’ve
accumulated enough improvements for a 0.7.1 release.

Thanks,
Ludo’.




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Wed, 22 Apr 2020 20:05:02 GMT) (full text, mbox, link).


Message #36 received at 40405-done@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: 40405-done@debbugs.gnu.org
Cc: dnbarbato@posteo.de
Subject: Re: bug#40405: System log files are world readable
Date: Wed, 22 Apr 2020 22:04:23 +0200
Hi,

Ludovic Courtès <ludo@gnu.org> skribis:

> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
>
>> From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001
>> From: Diego Nicola Barbato <dnbarbato@posteo.de>
>> Date: Tue, 7 Apr 2020 13:58:28 +0200
>> Subject: [PATCH 1/2] service: Create log files as non-world-readable.
>>
>> * modules/shepherd/service.scm (exec-command): Create log-file with file
>>   permissions #o640.
>
> [...]
>
>> From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001
>> From: Diego Nicola Barbato <dnbarbato@posteo.de>
>> Date: Tue, 7 Apr 2020 13:38:47 +0200
>> Subject: [PATCH 2/2] service: Add #:file-creation-mask to
>>  'make-forkexec-constructor'.
>>
>> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask
>>   parameter and honor it.
>>   (fork+exec-command): Add #:file-creation-mask parameter and pass it to
>>   exec-command.
>>   (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it
>>   to fork+exec-command.
>> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.
>
> I went ahead and pushed these two patches.

These patches are in Shepherd 0.8.0, which was pushed in Guix master
commit e3358a831e7d5d9e8dc614340e49ea5aeb11a7ff, so we’re done!

Ludo’.




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Tue, 28 Apr 2020 13:12:01 GMT) (full text, mbox, link).


Message #39 received at 40405-done@debbugs.gnu.org (full text, mbox, reply):

From: Diego Nicola Barbato <dnbarbato@posteo.de>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 40405-done@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Tue, 28 Apr 2020 15:11:47 +0200
[Message part 1 (text/plain, inline)]
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Ludovic Courtès <ludo@gnu.org> skribis:
>
>> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
>>
>>> From 43c9ded791ce5b480504ce3528ee34578168f90e Mon Sep 17 00:00:00 2001
>>> From: Diego Nicola Barbato <dnbarbato@posteo.de>
>>> Date: Tue, 7 Apr 2020 13:58:28 +0200
>>> Subject: [PATCH 1/2] service: Create log files as non-world-readable.
>>>
>>> * modules/shepherd/service.scm (exec-command): Create log-file with file
>>>   permissions #o640.
>>
>> [...]
>>
>>> From e491436967a912e6e7372f582b3bf5c9784b8209 Mon Sep 17 00:00:00 2001
>>> From: Diego Nicola Barbato <dnbarbato@posteo.de>
>>> Date: Tue, 7 Apr 2020 13:38:47 +0200
>>> Subject: [PATCH 2/2] service: Add #:file-creation-mask to
>>>  'make-forkexec-constructor'.
>>>
>>> * modules/shepherd/service.scm (exec-command): Add #:file-creation-mask
>>>   parameter and honor it.
>>>   (fork+exec-command): Add #:file-creation-mask parameter and pass it to
>>>   exec-command.
>>>   (make-forkexec-constructor): Add #:file-creation-mask parameter and pass it
>>>   to fork+exec-command.
>>> * doc/shepherd.texi (Service De- and Constructors): Adjust accordingly.
>>
>> I went ahead and pushed these two patches.
>
> These patches are in Shepherd 0.8.0, which was pushed in Guix master
> commit e3358a831e7d5d9e8dc614340e49ea5aeb11a7ff, so we’re done!

Great!  Now we can simplify the 'start' method of
'syslogd-service-type'.

I did eventually write a test script, which I've attached in case we
want to add it to the Shepherd.  I'm sorry it took so long that I missed
the new Shepherd release.

Regards,

Diego

[0001-tests-Test-file-creation-mask-option-of-make-forkexe.patch (text/x-patch, inline)]
From 2e7a0795b3a7080376238ab604c50d2c180f8730 Mon Sep 17 00:00:00 2001
From: Diego Nicola Barbato <dnbarbato@posteo.de>
Date: Mon, 27 Apr 2020 16:57:36 +0200
Subject: [PATCH] tests: Test #:file-creation-mask option of
 'make-forkexec-constructor'.

* tests/file-creation-mask.sh: New file.
---
 tests/file-creation-mask.sh | 79 +++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 tests/file-creation-mask.sh

diff --git a/tests/file-creation-mask.sh b/tests/file-creation-mask.sh
new file mode 100644
index 0000000..9f5f10a
--- /dev/null
+++ b/tests/file-creation-mask.sh
@@ -0,0 +1,79 @@
+# GNU Shepherd --- Test the #:file-creation-mask option of 'make-forkexec-constructor'.
+# Copyright © 2020 Diego N. Barbato <dnbarbato@posteo.de>
+#
+# This file is part of the GNU Shepherd.
+#
+# The GNU Shepherd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or (at
+# your option) any later version.
+#
+# The GNU Shepherd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with the GNU Shepherd.  If not, see <http://www.gnu.org/licenses/>.
+
+shepherd --version
+herd --version
+
+socket="t-socket-$$"
+conf="t-conf-$$"
+log="t-log-$$"
+pid="t-pid-$$"
+service_log="t-service-log-$$"
+service_new_file="t-service-new-file-$$"
+
+herd="herd -s $socket"
+
+trap "cat $log || true;
+      rm -f $socket $conf $log $service_log $service_new_file;
+      test -f $pid && kill \`cat $pid\` || true; rm -f $pid" EXIT
+
+function wait_for_file
+{
+    i=0
+    while ! test -f "$1" && test $i -lt 20
+    do
+	sleep 0.3
+	i=`expr $i + 1`
+    done
+    test -f "$1"
+}
+
+cat > "$conf"<<EOF
+(define %command
+  '("$SHELL" "-c" "touch $PWD/$service_new_file; echo foo"))
+
+(register-services
+ (make <service>
+   #:provides '(test)
+   #:start (make-forkexec-constructor %command
+                                      #:log-file "$PWD/$service_log"
+                                      ;; Set the umask such that file
+                                      ;; permissions are #o600.
+                                      #:file-creation-mask #o177)
+   #:stop (make-kill-destructor)
+   #:respawn? #f))
+EOF
+
+rm -f "$pid"
+shepherd -I -s "$socket" -c "$conf" -l "$log" --pid="$pid" &
+
+# Wait till it's ready.
+wait_for_file "$pid"
+
+# Start the service.
+$herd start test
+
+# Make sure the log file is created with the right permissions independently
+# of the value of #:file-creation-mask.
+wait_for_file "$service_log"
+test `stat -c %a "$service_log"` -eq 640
+
+# Make sure the service creates files with the right permissions as determined
+# by the value of #:file-creation-mask.
+wait_for_file "$service_new_file"
+test `stat -c %a "$service_new_file"` -eq 600
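Review bot: the first assertion (service log is 640) holds only if the umask shepherd inherits from the test harness leaves #o640 intact; under umask 077 the #o640 creation mode in 'exec-command' yields 600 and the test fails for a reason unrelated to #:file-creation-mask. Add 'umask 022' near the top of the script to pin this down. Two portability points for a tests/*.sh file: 'function wait_for_file' is a bashism ('wait_for_file ()' is portable), and 'stat -c %a' is GNU coreutils-only. Finally, %command uses "$SHELL"; if SHELL is unset in the test environment the command becomes '"" -c ...', so '${SHELL:-/bin/sh}' is safer.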
-- 
2.26.0


Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Tue, 28 Apr 2020 20:58:01 GMT) (full text, mbox, link).


Message #42 received at 40405-done@debbugs.gnu.org (full text, mbox, reply):

From: Ludovic Courtès <ludo@gnu.org>
To: Diego Nicola Barbato <dnbarbato@posteo.de>
Cc: 40405-done@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Tue, 28 Apr 2020 22:57:38 +0200
Hello,

Diego Nicola Barbato <dnbarbato@posteo.de> skribis:

> Great!  Now we can simplify the 'start' method of
> 'syslogd-service-type'.

Oh right, do you want to take care of it?

> I did eventually write a test script, which I've attached in case we
> want to add it to the Shepherd.  I'm sorry it took so long that I missed
> the new Shepherd release.

No problem.  I figured it was okay to add it without a test, but having
a test is always better so I’ve happily pushed your patch.  Thank you!

Ludo’.




Information forwarded to bug-guix@gnu.org:
bug#40405; Package guix. (Wed, 29 Apr 2020 10:03:01 GMT) (full text, mbox, link).


Message #45 received at 40405@debbugs.gnu.org (full text, mbox, reply):

From: Diego Nicola Barbato <dnbarbato@posteo.de>
To: Ludovic Courtès <ludo@gnu.org>
Cc: 40405@debbugs.gnu.org
Subject: Re: bug#40405: System log files are world readable
Date: Wed, 29 Apr 2020 12:02:05 +0200
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Hello,
>
> Diego Nicola Barbato <dnbarbato@posteo.de> skribis:
>
>> Great!  Now we can simplify the 'start' method of
>> 'syslogd-service-type'.
>
> Oh right, do you want to take care of it?

I already did: https://debbugs.gnu.org/40937

[...]

Regards,

Diego




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Wed, 27 May 2020 11:24:05 GMT) (full text, mbox, link).




debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 05:14:57 2024; Machine Name: wallace-server
