Re: Changing permissions of files created with simple-service etc-servic
From: Ludovic Courtès
Subject: Re: Changing permissions of files created with simple-service etc-service-type
Date: Mon, 14 Feb 2022 22:48:09 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Josua Stingelin <josuast@hotmail.com> skribis:
> I'm using the etc-service-type of the simple-service to copy the file. Which
> works great. But sadly grants read-access to everyone. I'd prefer it only be
> readable by root.
>
> (simple-service 'wpasupplicantconf-service
>                 etc-service-type
>                 `(("wpa_supplicant.conf"
>                    ,(local-file "wpa_supplicant.conf"))))
>
> $ ls -l /etc/wpa_supplicant.conf
> -r--r--r-- 1 root root 2.3K Feb 11 11:39 /etc/wpa_supplicant.conf
>
> How can I achieve that?
Currently ‘etc-service-type’ does not let you specify permissions. All
the files that end up in /etc first go through the store though, so
changing the permission of those files once copied under /etc wouldn’t
buy you much in terms of confidentiality. For example, there’s a copy
of ‘wpa_supplicant.conf’ above in your store. For that reason, files
containing secrets must be handled “out of band”, without Guix support.

I guess changing permissions for /etc could still be useful for those
programs that verify permission bits and refuse to start if the config
file is readable by all. However, those programs may have a good reason
to verify that, so…

Thoughts?

Ludo’.
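
The point made in the reply above, as an added example that is not part of the original message or of Guix itself: a small audit that, given a file under /etc, lists the world-readable store files holding the same bytes, whether the /etc entry is a symlink into the store or a separate copy. The function names, the fake store item name and the file contents are constructed for illustration; only the /gnu/store default and the file name from the thread are real.

```python
import hashlib
import os
import shutil
import stat
import tempfile

STORE = "/gnu/store"  # default Guix store directory


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def exposed_copies(etc_file, store=STORE):
    """List world-readable files in the store holding the same bytes as etc_file."""
    store, target = os.path.realpath(store), os.path.realpath(etc_file)
    if os.path.commonpath([store, target]) == store:
        matches = [target]  # the /etc entry is a symlink into the store
    else:
        # The /etc entry is a separate copy: find its source by size, then hash.
        size, want, matches = os.path.getsize(target), _sha256(target), []
        for root, _dirs, files in os.walk(store):
            for name in files:
                path = os.path.join(root, name)
                try:
                    if (not os.path.islink(path) and os.path.getsize(path) == size
                            and _sha256(path) == want):
                        matches.append(path)
                except OSError:
                    continue  # unreadable or vanished entry
    return sorted(p for p in matches if os.stat(p).st_mode & stat.S_IROTH)


def demo():
    """Constructed layout: a store item copied into a fake /etc, then chmod 600."""
    base = tempfile.mkdtemp()
    store, etc = os.path.join(base, "store"), os.path.join(base, "etc")
    os.makedirs(store)
    os.makedirs(etc)
    item = os.path.join(store, "0000-wpa_supplicant.conf")  # constructed name
    with open(item, "w") as fh:
        fh.write('network={\n  ssid="example"\n  psk="constructed-secret"\n}\n')
    os.chmod(item, 0o444)  # store files are read-only and world-readable
    conf = os.path.join(etc, "wpa_supplicant.conf")
    shutil.copyfile(item, conf)
    os.chmod(conf, 0o600)  # the permission change asked about in the thread
    return conf, item, exposed_copies(conf, store)


if __name__ == "__main__":
    conf, item, found = demo()
    print(oct(os.stat(conf).st_mode & 0o777), "still exposed via", found)
```

On a real system the copy case walks the whole store, so run it as root and expect it to take a while.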