guix-devel


From: Ludovic Courtès
Subject: Re: Changing permissions of files created with simple-service etc-service-type
Date: Mon, 14 Feb 2022 22:48:09 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Josua Stingelin <josuast@hotmail.com> skribis:

> I'm using the etc-service-type of the simple-service to copy the file. Which
> works great. But sadly grants read-access to everyone. I'd prefer it only be
> readable by root.
>
>   (simple-service 'wpasupplicantconf-service
>                   etc-service-type
>                   `(("wpa_supplicant.conf"
>                      ,(local-file "wpa_supplicant.conf"))))
>
>   $ ls -l /etc/wpa_supplicant.conf
>   -r--r--r-- 1 root root 2.3K Feb 11 11:39 /etc/wpa_supplicant.conf
>
> How can I achieve that?

Currently ‘etc-service-type’ does not let you specify permissions.  All
the files that end up in /etc first go through the store though, so
changing the permission of those files once copied under /etc wouldn’t
buy you much in terms of confidentiality.  For example, there’s a copy
of ‘wpa_supplicant.conf’ above in your store.  For that reason, files
containing secrets must be handled “out of band”, without Guix support.

I guess changing permissions for /etc could still be useful for those
programs that verify permission bits and refuse to start if the config
file is readable by all.  However, those programs may have a good reason
to verify that, so…

Thoughts?

Ludo’.
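
The point made in the message above, that a copy of the file stays in the store whatever mode the file under /etc has, can be checked with a small audit. This is an added example, not part of the original message and not Guix code: the function names are hypothetical, and the `/gnu/store` default and the match on `<hash>-<name>` item names are assumptions about the store layout.

```shell
#!/bin/sh
# Added example: list world-readable files under a store directory whose
# content is byte-identical to a given (supposedly private) file.
# Usage: store_copies FILE [STORE_DIR]   (STORE_DIR defaults to /gnu/store)
store_copies() {
    secret=$1
    store=${2:-/gnu/store}
    name=$(basename "$secret")
    # Assumed layout: a store item is named <hash>-<name>, or the file sits
    # under its own name inside a store directory (such as an "etc" item).
    # -perm -004 keeps only files with the "other: read" bit set.
    find "$store" -type f \( -name "*-$name" -o -name "$name" \) \
         -perm -004 2>/dev/null |
    while IFS= read -r candidate; do
        # Report only byte-identical copies, not merely same-named files.
        if cmp -s "$secret" "$candidate"; then
            printf '%s\n' "$candidate"
        fi
    done
}

# Succeeds (exit 0) when at least one world-readable store copy exists.
is_exposed_via_store() {
    [ -n "$(store_copies "$1" "${2:-/gnu/store}")" ]
}

# Demonstration on a constructed store in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/store" "$tmp/etc"
    # Constructed sample content, not a real configuration.
    printf 'network={ psk="constructed-example" }\n' \
        > "$tmp/store/0000-wpa_supplicant.conf"
    chmod 444 "$tmp/store/0000-wpa_supplicant.conf"
    cp "$tmp/store/0000-wpa_supplicant.conf" "$tmp/etc/wpa_supplicant.conf"
    chmod 600 "$tmp/etc/wpa_supplicant.conf"   # tighten only the /etc copy
    if is_exposed_via_store "$tmp/etc/wpa_supplicant.conf" "$tmp/store"; then
        echo "still readable through the store:"
        store_copies "$tmp/etc/wpa_supplicant.conf" "$tmp/store"
    fi
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the constructed case; on a real system, call `store_copies /etc/wpa_supplicant.conf` with the default store path.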


