Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: fesoj000 <fesoj000@HIDDEN>
To: guix-patches@HIDDEN
Date: Wed, 9 Mar 2022 20:21:37 +0100
Message-ID: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>

Currently auditd writes logs to /var/log/audit.log. This is a problem because
auditd changes the permissions of the directory audit.log lives in to
700. /var/log usually has 755; this is assumed by some services. PostgreSQL,
for example, fails when used together with auditd.
On Red Hat, for example, auditd uses /var/log/audit/ as its log directory. This
change mirrors that behaviour.
* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
gnu/services/auditd.scm | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..8478581999 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,7 +31,7 @@ (define-module (gnu services auditd)
%default-auditd-configuration-directory))
(define auditd.conf
- (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
+ (plain-file "auditd.conf" "log_file = /var/log/audit/audit.log\nlog_format = \
ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
ignore\ndisk_error_action = syslog\n"))
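Review bot: the log directory is now spelled out in two unrelated places, here in `log_file = /var/log/audit/audit.log` and again in the `(mkdir-p "/var/log/audit")` of the activation below; if one is changed without the other, auditd fails to open its log and the activation creates a directory nobody uses. Define the directory once (for example a `%auditd-log-directory` variable) and derive both strings from it. The ChangeLog entry above also lists only `auditd-activation`; add an `(auditd.conf):` line describing the log_file change.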
@@ -50,6 +50,12 @@ (define-record-type* <auditd-configuration>
(default audit))
(configuration-directory auditd-configuration-configuration-directory)) ; file-like
+(define (auditd-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/log/audit"))))
+
(define (auditd-shepherd-service config)
(let* ((audit (auditd-configuration-audit config))
(configuration-directory (auditd-configuration-configuration-directory config)))
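Review bot: `(mkdir-p "/var/log/audit")` creates the directory with whatever mode the activation process's umask yields, so between activation and the start of auditd the directory exists with looser permissions than the 700 the commit message says auditd enforces, and a pre-existing directory or a symlink planted at that path is reused unchecked. Create it with the intended mode and owner directly: after `(mkdir-p "/var/log/audit")` add `(chmod "/var/log/audit" #o700)` and `(chown "/var/log/audit" 0 0)`, and refuse the path when `(lstat "/var/log/audit")` reports a symlink.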
@@ -67,7 +73,9 @@ (define auditd-service-type
(extensions
(list
(service-extension shepherd-root-service-type
- auditd-shepherd-service)))
+ auditd-shepherd-service)
+ (service-extension activation-service-type
+ auditd-activation)))
(default-value
(auditd-configuration
(configuration-directory %default-auditd-configuration-directory)))))
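Review bot: the diffstat shows only gnu/services/auditd.scm changing, yet this hunk moves where the default `auditd-service-type` writes its log; if the manual's auditd section states the log location it needs the same update. The `<auditd-configuration>` fields visible in the previous hunk (`audit`, `configuration-directory`) also give users no way to choose the log directory, so anyone wanting a different path has to replace the whole configuration directory. A documented field for the log directory that both the generated auditd.conf and the activation read would close that gap.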
--
2.34.0

From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: fesoj000 <fesoj000@HIDDEN>
Subject: bug#54309: Acknowledgement ([PATCH] services: auditd: use exclusive log directory for auditd)
Message-ID: <handler.54309.B.164685370324521.ack <at> debbugs.gnu.org>
Date: Wed, 09 Mar 2022 19:22:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please send it to 54309 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.

-- 
54309: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=54309
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: Maxime Devos <maximedevos@HIDDEN>
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Date: Wed, 09 Mar 2022 20:36:09 +0100
Message-ID: <4ca12a3e0b1662addecb8bcca1f63ba5e223e8b8.camel@HIDDEN>
In-Reply-To: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>

fesoj000 wrote on Wed 09-03-2022 at 20:21 [+0100]:
> Currently auditd writes logs to /var/log/audit.log. This is a problem because
> auditd changes the permissions of the directory audit.log lives in to
> 700.
Why is auditd doing this? Can this behaviour be patched out? Is there
an upstream report?
> /var/log usually has 755, this is assumed by some services. postgresql
> for example, fails when used together with auditd.
Why does postgresql care about the group and other bits?
Could postgresql be modified not to care?
What are the reasons for changing the group and other bits?
Perhaps that should be done by default by Guix when creating
/var/log (POLA)?
In any case, I would recommend adding to auditd.scm to make clear
why the default log location is unacceptable.
Greetings,
Maxime.

Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: fesoj000 <fesoj000@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, 54309 <at> debbugs.gnu.org
Date: Wed, 9 Mar 2022 21:44:51 +0100
Message-ID: <df590499-4508-249a-1083-ca596e1cf778@HIDDEN>
In-Reply-To: <4ca12a3e0b1662addecb8bcca1f63ba5e223e8b8.camel@HIDDEN>

Hi,
On 3/9/22 8:36 PM, Maxime Devos wrote:
> fesoj000 schreef op wo 09-03-2022 om 20:21 [+0100]:
>> Currently auditd writes logs to /var/log/audit.log. This is a problem because
>> auditd changes the permissions of the directory audit.log lives in to
>> 700.
>
> Why is auditd doing this? Can this behaviour be patched out? Is there
> an upstream report?

This is the default behavior. auditd will always change the permissions, but
some attributes for this permission change can be configured in the config file.
This behavior could be patched, but I don't think this is a good idea. Even the
manpages assume /var/log/audit as the default log directory in some paragraphs.
The auditd logfile contains events which can be useful for debugging, but
usually this information is used in the aftermath of a cyberattack to learn more
about what happened. It is even recommended to use a separate partition for
/var/log/audit. auditd measures disk space, and having /var/log/audit on a separate
partition would prevent unrelated processes from filling up the disk, effectively
disabling audit logging.
I think having /var/log/audit as the default log directory for auditd would not
hurt. This would be more in line with other distros and would further allow using
a different partition.
>> /var/log usually has 755, this is assumed by some services. postgresql
>> for example, fails when used together with auditd.
>
> Why does postgresql care about the group and other bits?
> Could postgresql be modified not to care?
Maybe postgresql could be changed to gracefully handle this, but I am not sure what
the benefit would be in this context. In my mind this is obviously a problem of how
auditd is handled currently by auditd-service-type.
PostgreSQL might not be the only service behaving this way. I used postgresql as
an example because this was the case I ran into.
> What are the reasons for changing the group and other bits?
> Perhaps that should be done by default by Guix when creating
> /var/log (POLA)?
guix creates /var/log as 755, auditd changes its log directory to prevent access
from unprivileged processes. Maybe auditd is paranoid in this case, but it is fine
as long as it gets its own directory.
> In any case, I would recommend adding to auditd.scm to make clear
> why the default log location is unacceptable.
The log location is configured by the configuration file. This configuration file is
generated by auditd-service-type. The upstream [0] default configuration uses
/var/log/audit as log directory. I think that documenting upstream default behavior
does not add much value here. In fact, I think we can remove the log_file statement
altogether, because the built-in default config uses /var/log/audit/audit.log [1].
I will prepare and test a new diff which removes the log_file statement.
[0] https://github.com/linux-audit/audit-userspace/blob/master/init.d/auditd.conf
[1] https://github.com/linux-audit/audit-userspace/blob/master/src/auditd-config.c#L314
BR
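The separate-partition recommendation in the reply above, as an added example that is not part of the patch or of Guix's own documentation: an operating-system fragment that mounts /var/log/audit on its own file system, so that no other service can fill the space auditd monitors, and mounts it with options suited to a log-only volume. The labels "audit-log" and "root", the ext4 type, the /dev/sda bootloader target and the host-name/timezone/locale values are assumptions made for the example.

```scheme
;; Added example, not from the patch or from Guix's documentation: keep the
;; audit log on its own file system so unrelated processes cannot exhaust
;; the space auditd measures for its space_left / disk_full actions.
(use-modules (gnu))
(use-service-modules auditd)

(define %audit-log-file-system
  (file-system
    (mount-point "/var/log/audit")
    ;; Assumed label; any device expression accepted by file-system works.
    (device (file-system-label "audit-log"))
    (type "ext4")
    ;; Nothing on a log volume should ever be executed or be a device node,
    ;; and no setuid binary should be honoured from it.
    (options "nosuid,nodev,noexec")
    ;; Mounted after the root file system, not by the initrd.
    (needed-for-boot? #f)))

(operating-system
  (host-name "audit-host")          ; assumed
  (timezone "Etc/UTC")              ; assumed
  (locale "en_US.utf8")             ; assumed
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))   ; assumed target
  (file-systems (cons* (file-system
                         (mount-point "/")
                         (device (file-system-label "root")) ; assumed label
                         (type "ext4"))
                       %audit-log-file-system
                       %base-file-systems))
  ;; The default auditd-service-type; its log directory is expected under
  ;; /var/log/audit, which now lives on the dedicated volume above.
  (services (cons (service auditd-service-type)
                  %base-services)))
```

With this layout a runaway process writing under /var/log or elsewhere on the root file system can no longer trigger auditd's space_left or disk_full handling, and the mount options keep the volume from being abused as a staging area for executables.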

Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: fesoj000 <fesoj000@HIDDEN>
To: 54309 <at> debbugs.gnu.org
Date: Wed, 9 Mar 2022 22:00:21 +0100
Message-ID: <b2d2cc9b-0c3f-b5a3-e564-76ab8f17459f@HIDDEN>
In-Reply-To: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>

Use the upstream default log file for auditd.
* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
gnu/services/auditd.scm | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..c88e974adb 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,10 +31,9 @@ (define-module (gnu services auditd)
%default-auditd-configuration-directory))
(define auditd.conf
- (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
-ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
-syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
-ignore\ndisk_error_action = syslog\n"))
+ (plain-file "auditd.conf" "log_format = ENRICHED\nfreq = 1\nspace_left = 5% \
+\nspace_left_action = syslog\nadmin_space_left_action = ignore\
+\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
(define %default-auditd-configuration-directory
(computed-file "auditd"
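Review bot: dropping `log_file` makes the log location an implicit property of the audit package's compiled-in default (the reply above cites auditd-config.c for it), while the activation in the next hunk still hard-codes /var/log/audit; a change to that compiled-in default would silently split the two, leaving an unused 700 directory and a log written somewhere the activation never prepared. Either keep an explicit `log_file = /var/log/audit/audit.log` or derive both from one variable, and add a comment naming the dependency on the upstream default. Separately, `space_left = 5% \` carries a space before the escaped newline, so the emitted value is `5% ` with trailing whitespace; verify that auditd's config parser tolerates it, or drop the space.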
@@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>
(default audit))
(configuration-directory auditd-configuration-configuration-directory)) ; file-like
+(define (auditd-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (mkdir-p "/var/log/audit"))))
+
(define (auditd-shepherd-service config)
(let* ((audit (auditd-configuration-audit config))
(configuration-directory (auditd-configuration-configuration-directory config)))
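Review bot: `(mkdir-p "/var/log/audit")` sets neither the 700 mode nor root ownership, so the directory is created with the activation's default mode and stays that way until auditd tightens it, and an existing directory or symlink at that path is reused unchecked; with `log_file` now gone from auditd.conf this activation is the only place the path is prepared, which makes the gap more consequential. After `(mkdir-p "/var/log/audit")` add `(chmod "/var/log/audit" #o700)` and `(chown "/var/log/audit" 0 0)`, and bail out when `(lstat "/var/log/audit")` reports a symlink.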
@@ -67,7 +72,9 @@ (define auditd-service-type
(extensions
(list
(service-extension shepherd-root-service-type
- auditd-shepherd-service)))
+ auditd-shepherd-service)
+ (service-extension activation-service-type
+ auditd-activation)))
(default-value
(auditd-configuration
(configuration-directory %default-auditd-configuration-directory)))))
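Review bot: the ChangeLog line `* gnu/services/auditd.scm: add auditd-activation function and extend activation-service-type.` is unchanged from the first revision and no longer describes this patch: the auditd.conf hunk removes `log_file`, which is the change the commit message announces ("Use the upstream default log file"). List it, for example `(auditd.conf): Drop log_file to use the upstream default.`, and revise the patch subject, which still reads "use exclusive log directory for auditd".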
--
2.34.0

Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Date: Thu, 10 Mar 2022 08:12:38 +0100
Message-ID: <ddafff6b38aba33f1e4a703114b243ac8273cb6c.camel@HIDDEN>
In-Reply-To: <b2d2cc9b-0c3f-b5a3-e564-76ab8f17459f@HIDDEN>

Hi,
On Wednesday, 09.03.2022 at 22:00 +0100, fesoj000 wrote:
> Use the upstream default log file for auditd.
>
> * gnu/services/auditd.scm: add auditd-activation function and extend
> activation-service-type.
> ---
> gnu/services/auditd.scm | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
> index abde811f51..c88e974adb 100644
> --- a/gnu/services/auditd.scm
> +++ b/gnu/services/auditd.scm
> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)
> %default-auditd-configuration-directory))
>
> (define auditd.conf
> - (plain-file "auditd.conf" "log_file =
> /var/log/audit.log\nlog_format = \
> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
> -ignore\ndisk_error_action = syslog\n"))
> + (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =
> 1\nspace_left = 5% \
> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\
> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
I'm not sure what the rationale behind writing auditd.conf this way is,
but note that you can simply write this as "\
log_format = ENRICHED
freq = 1
space_left = 5%
..."
Doing this, it would take up some more vertical real estate, but imho
it'd be easier to read. We might also want to make some of these
configurable later on, e.g. space_left, but that's not relevant to this
patch set.
> (define %default-auditd-configuration-directory
> (computed-file "auditd"
> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>
> (default audit))
> (configuration-directory auditd-configuration-configuration-
> directory)) ; file-like
>
> +(define (auditd-activation config)
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils))
> + (mkdir-p "/var/log/audit"))))
I think guix should already create this directory with the 700
permissions auditd demands, to prevent any TOCTOU-style tampering.
Cheers
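The create-then-restrict window raised above, as an added Guile example that is not part of the patch under review or of the Guix code base. It creates the directory under a scoped umask so that the mode is fixed at mkdir(2) time, restores the previous umask afterwards (activation snippets run one after another in a single process, so a leaked umask would affect whatever runs next), and, when the path already exists, insists that it is a real directory with the expected owner and mode before using it. `ensure-private-directory` and `call-with-umask` are names chosen here; the example assumes the parent directory already exists and uses Guile's `mkdir` rather than `mkdir-p` from (guix build utils).

```scheme
;; Added example, not code from the patch or from Guix itself.
;; Create a private log directory the way auditd expects (#o700, owned
;; by root) without the mkdir-then-chmod window, and check a pre-existing
;; path before trusting it.

(define (call-with-umask mask thunk)
  "Run THUNK with the process umask set to MASK, then restore the old mask.
Guile's `umask' returns the previous mask.  Restoring it matters in a Guix
activation script, where all snippets run one after another in the same
process: a leaked #o077 would change the mode of everything created later."
  (let ((old #f))
    (dynamic-wind
      (lambda () (set! old (umask mask)))
      thunk
      (lambda () (umask old)))))

(define* (ensure-private-directory path #:key (owner 0) (mode #o700))
  "Ensure PATH is a directory owned by OWNER with permission bits MODE.
Returns 'created, 'tightened or 'ok.  Raises an error if PATH exists but
is not a plain directory (for instance a symlink planted there) or is not
owned by OWNER.  Assumes the parent directory already exists."
  (let ((st (false-if-exception (lstat path))))
    (cond
     ((not st)
      ;; The mode is decided at mkdir(2) time, so with umask 077 there is
      ;; no instant at which the directory is readable by anyone else.
      ;; If another process creates PATH between the lstat and the mkdir,
      ;; mkdir raises EEXIST and we fail closed instead of using it.
      (call-with-umask #o077 (lambda () (mkdir path mode)))
      'created)
     ((not (eq? (stat:type st) 'directory))
      (error "refusing to use a non-directory as log directory:" path))
     ((not (= (stat:uid st) owner))
      (error "log directory has unexpected owner:" path (stat:uid st)))
     ((not (= (stat:perms st) mode))
      ;; A directory left behind with wider permissions (say, from an
      ;; earlier generation) is tightened rather than silently reused.
      (chmod path mode)
      'tightened)
     (else 'ok))))

;; Demonstration on a throwaway path; the service would use "/var/log/audit"
;; with the default owner 0.  Run as a normal user, hence #:owner (getuid).
(let ((dir (string-append (or (getenv "TMPDIR") "/tmp") "/audit-example")))
  (format #t "first call:  ~a~%" (ensure-private-directory dir #:owner (getuid)))
  (chmod dir #o755)
  (format #t "after chmod: ~a~%" (ensure-private-directory dir #:owner (getuid)))
  (format #t "third call:  ~a~%" (ensure-private-directory dir #:owner (getuid)))
  (rmdir dir))
```

The lstat-then-mkdir pair is still a check followed by an action, but it fails closed: if something appears at the path in between, mkdir raises rather than adopting it. What the check buys is a refusal to use a symlink or a foreign-owned directory that was already there, which mkdir-p on its own would accept without complaint.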
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <dc42a4cf-791a-1f0f-e8bc-66d498af63bd@HIDDEN>
Date: Thu, 10 Mar 2022 11:36:57 +0100
References: <b2d2cc9b-0c3f-b5a3-e564-76ab8f17459f@HIDDEN>
<ddafff6b38aba33f1e4a703114b243ac8273cb6c.camel@HIDDEN>
From: fesoj000 <fesoj000@HIDDEN>
In-Reply-To: <ddafff6b38aba33f1e4a703114b243ac8273cb6c.camel@HIDDEN>
Hi,
On 3/10/22 8:12 AM, Liliana Marie Prikler wrote:
> Hi,
>
> On Wednesday, 09.03.2022 at 22:00 +0100, fesoj000 wrote:
>> Use the upstream default log file for auditd.
>>
>> * gnu/services/auditd.scm: add auditd-activation function and extend
>> activation-service-type.
>> ---
>> gnu/services/auditd.scm | 17 ++++++++++++-----
>> 1 file changed, 12 insertions(+), 5 deletions(-)
>>
>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
>> index abde811f51..c88e974adb 100644
>> --- a/gnu/services/auditd.scm
>> +++ b/gnu/services/auditd.scm
>> @@ -31,10 +31,9 @@ (define-module (gnu services auditd)
>> %default-auditd-configuration-directory))
>>
>> (define auditd.conf
>> - (plain-file "auditd.conf" "log_file =
>> /var/log/audit.log\nlog_format = \
>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
>> -ignore\ndisk_error_action = syslog\n"))
>> + (plain-file "auditd.conf" "log_format = ENRICHED\nfreq =
>> 1\nspace_left = 5% \
>> +\nspace_left_action = syslog\nadmin_space_left_action = ignore\
>> +\ndisk_full_action = ignore\ndisk_error_action = syslog\n"))
> I'm not sure what the rationale behind writing auditd.conf this way is,
> but note that you can simply write this as "\
> log_format = ENRICHED
> freq = 1
> space_left = 5%
> ..."
>
> Doing this, it would take up some more vertical real estate, but imho
> it'd be easier to read. We might also want to make some of these
> configurable later on, e.g. space_left, but that's not relevant to this
> patch set.
Sure, I will send a new patch later.
>> (define %default-auditd-configuration-directory
>> (computed-file "auditd"
>> @@ -50,6 +49,12 @@ (define-record-type* <auditd-configuration>
>> (default audit))
>> (configuration-directory auditd-configuration-configuration-
>> directory)) ; file-like
>>
>> +(define (auditd-activation config)
>> + (with-imported-modules '((guix build utils))
>> + #~(begin
>> + (use-modules (guix build utils))
>> + (mkdir-p "/var/log/audit"))))
> I think guix should already create this directory with the 700
> permissions auditd demands, to prevent any TOCTOU-style tampering.
Good point.
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
In-Reply-To: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
To: 54309 <at> debbugs.gnu.org
Message-ID: <8b52d7e5-314d-406e-87b7-cdc087dc7826@HIDDEN>
Date: Thu, 10 Mar 2022 17:29:28 +0100
From: fesoj000 <fesoj000@HIDDEN>
Use /var/log/audit for auditd. This is the upstream default.
Further, rework the config file generated by auditd-service-type. Only
write values which diverge from the upstream default.
* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
gnu/services/auditd.scm | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..1eb0ed291b 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,10 +31,10 @@ (define-module (gnu services auditd)
%default-auditd-configuration-directory))
(define auditd.conf
- (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
-ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
-syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
-ignore\ndisk_error_action = syslog\n"))
+ (plain-file "auditd.conf" "\
+space_left = 5%
+space_left_action = syslog
+"))
(define %default-auditd-configuration-directory
(computed-file "auditd"
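Review bot: the hunk drops `log_file`, `log_format`, `freq`, `admin_space_left_action`, `disk_full_action` and `disk_error_action` on the premise that they equal the upstream defaults, but the commit message does not say which audit release's auditd.conf(5) that was checked against, and for `freq = 1` in particular the diff gives no reason to believe it matched upstream; either cite the man page in the commit message or keep the lines whose default is not confirmed. Removing `log_file` also moves the log from /var/log/audit.log to the upstream default under /var/log/audit on every existing system, and nothing migrates the old file, so this deserves an etc/news.scm entry as discussed in the thread.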
@@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>
(default audit))
(configuration-directory auditd-configuration-configuration-directory)) ; file-like
+(define (auditd-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (let ((var-log-audit "/var/log/audit"))
+ (mkdir-p var-log-audit)
+ (chmod var-log-audit #o700)))))
+
(define (auditd-shepherd-service config)
(let* ((audit (auditd-configuration-audit config))
(configuration-directory (auditd-configuration-configuration-directory config)))
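Review bot: `(mkdir-p var-log-audit)` followed by `(chmod var-log-audit #o700)` creates the directory with the process umask first and tightens it afterwards, so a freshly created directory carries the default mode until the chmod runs; creating it under umask #o077 removes that window (restore the previous mask afterwards, since activation snippets run in one process and `umask` returns the old value), while keeping the `chmod` still covers a pre-existing directory with wider permissions. `mkdir-p` also accepts whatever already sits at /var/log/audit, so consider checking that an existing path is a real directory owned by root before the service starts writing into it.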
@@ -67,7 +75,9 @@ (define auditd-service-type
(extensions
(list
(service-extension shepherd-root-service-type
- auditd-shepherd-service)))
+ auditd-shepherd-service)
+ (service-extension activation-service-type
+ auditd-activation)))
(default-value
(auditd-configuration
(configuration-directory %default-auditd-configuration-directory)))))
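Review bot: the new activation-service-type extension changes what the service does to the file system (it now creates /var/log/audit with mode 700), but neither the manual's description of auditd-service-type nor the ChangeLog entry in the commit message mentions it; the ChangeLog line should name the `auditd-service-type` change alongside `auditd-activation`, and the manual should state that the directory is created and permission-managed by the service so users do not manage it by hand.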
--
2.34.0
Subject: [bug#54309] What is the process from here?
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
In-Reply-To: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
To: 54309 <at> debbugs.gnu.org
Message-ID: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
Date: Fri, 18 Mar 2022 20:17:06 +0100
From: fesoj000 <fesoj000@HIDDEN>
Hi there,
I don't think this is the right spot to ask this, but I am not sure where else
I could ask this.
What is the patch acceptance process? I am wondering, what are the steps from patch
to commit? I have quite some packages, services and other patches lying around
in varying quality. I recently started cleaning them up. I plan to get them
integrated into master at some point.
So, I assume that there has to be interest and time from a guix developer to
review, maybe test and then integrate the changes/packages into one of the
branches.
Is there something I can do to help the process along? Maybe we could use this
very patch as an example. Currently I am uncertain if this patch is appropriate
for master, because of the risk that changing the auditd default log directory
might break some setups. This could be 'fixed' by writing a news snippet. But I
am not sure. Or is there still something else missing?
BR
Subject: [bug#54309] What is the process from here?
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
Date: Fri, 18 Mar 2022 21:06:21 +0100
In-Reply-To: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
Hi,
On Friday, 18.03.2022 at 20:17 +0100, fesoj000 wrote:
> Hi there,
>
> I don't think this is the right spot to ask this, but I am not sure
> where else I could ask this.
>
> What is the patch acceptance process? I am wondering, what are the steps
> from patch to commit? I have quite some packages, services and other
> patches lying around in varying quality. I recently started
> cleaning them up. I plan to get them integrated into master at some
> point.
In general it's send a patch, wait for review (this might take some
time), argue with the reviewer, reluctantly send v2, v3, ... until your
patch passes the quality criteria, gets stamped and arrives upstream
via avian carrier.
> So, i assume that there has to be interest and time from a guix
> developer to review, maybe test and then integrate the
> changes/packages into one of the branches.
Note that there have already been two people reviewing; you currently
owe me a v2 addressing the TOCTOU "race" of creating the audit
directory without 700 permissions.
> Is there something i can do to help the process along? Maybe we
> could use this very patch as an example. Currently i am uncertain if
> this patch is appropriate for master, because of the risk that
> changing the auditd default log directory might break some setups.
> This could be 'fixed' by writing a news snippet. But i
> am not sure. Or is there still something else missing?
In general, you should read the reviews carefully, reflect on them,
implement suggested changes (or come up with better alternative
solutions) and resend the patches with said changes; rinse and repeat
until you hear a "LGTM". If the reviewer in question is a committer,
you might hear a "Thanks, pushed" instead. As a rule of thumb, others
will rarely actively fix up your code and if they do it's mostly minor
things. Any work more than that takes them away from other review or
their own submissions.
Cheers
Subject: [bug#54309] What is the process from here?
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
Date: Fri, 18 Mar 2022 22:48:30 +0100
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
<8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
From: fesoj000 <fesoj000@HIDDEN>
In-Reply-To: <8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:
>> So, i assume that there has to be interest and time from a guix
>> developer to review, maybe test and then integrate the
>> changes/packages into one of the branches.
> Note that there have already been two people reviewing; you currently
> owe me a v2 addressing the TOCTOU "race" of creating the audit
> directory without 700 permissions.
Yes, that is true. But I addressed the rest, I think. New version inline.
From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00 2001
From: fesoj000 <fesoj000@HIDDEN>
Date: Wed, 9 Mar 2022 20:07:42 +0100
Subject: [PATCH] services: auditd: use exclusive log directory for auditd
Use /var/log/audit for auditd. This is the upstream default.
Further, rework the config file generated by auditd-service-type. Only
write values which diverge from the upstream default.
* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
gnu/services/auditd.scm | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..602a6c5a48 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,10 +31,10 @@ (define-module (gnu services auditd)
%default-auditd-configuration-directory))
(define auditd.conf
- (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
-ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
-syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
-ignore\ndisk_error_action = syslog\n"))
+ (plain-file "auditd.conf" "\
+space_left = 5%
+space_left_action = syslog
+"))
(define %default-auditd-configuration-directory
(computed-file "auditd"
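Review bot: the first hunk drops log_format, freq, admin_space_left_action, disk_full_action and disk_error_action along with log_file, and neither the diff nor the commit message gives a reviewer any way to check the claim that each removed value equals the upstream default; whenever one of them does not, this hunk silently changes auditd's behaviour. Keep the previously explicit keys (or list the upstream default of each dropped key in the commit message), and consider keeping log_file explicit as `log_file = /var/log/audit/audit.log` so that the file auditd writes and the directory the activation hunk below creates cannot drift apart if the package default ever changes.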
@@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>
(default audit))
(configuration-directory auditd-configuration-configuration-directory)) ; file-like
+(define (auditd-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ (let ((var-log-audit "/var/log/audit"))
+ (umask #o077)
+ (mkdir-p var-log-audit)))))
+
(define (auditd-shepherd-service config)
(let* ((audit (auditd-configuration-audit config))
(configuration-directory (auditd-configuration-configuration-directory config)))
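Review bot: `(umask #o077)` in auditd-activation mutates process-wide state and is never restored, so every activation snippet that runs after this one in the same process creates its files and directories with group and other bits stripped, and the same umask applies to any missing ancestor that `mkdir-p` creates, which would give /var or /var/log mode 0700 if they did not already exist. There is also no `chmod`, so an already existing and more permissive /var/log/audit is left exactly as it is. Suggest leaving the umask alone and creating only the leaf with an explicit mode, e.g. `(mkdir "/var/log/audit" #o700)` with EEXIST tolerated, followed by `(chmod "/var/log/audit" #o700)`, after making sure /var/log exists with its normal mode. The unused `config` parameter is fine, since that is the signature a service-extension procedure must have.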
@@ -67,7 +75,9 @@ (define auditd-service-type
(extensions
(list
(service-extension shepherd-root-service-type
- auditd-shepherd-service)))
+ auditd-shepherd-service)
+ (service-extension activation-service-type
+ auditd-activation)))
(default-value
(auditd-configuration
(configuration-directory %default-auditd-configuration-directory)))))
--
2.34.0
Subject: [bug#54309] What is the process from here?
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
Date: Fri, 18 Mar 2022 23:36:35 +0100
In-Reply-To: <fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
<8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
<fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
On Friday, 18.03.2022 at 22:48 +0100, fesoj000 wrote:
> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:
> > > So, I assume that there has to be interest and time from a guix
> > > developer to review, maybe test and then integrate the
> > > changes/packages into one of the branches.
> > Note that there have already been two people reviewing; you
> > currently
> > owe me a v2 addressing the TOCTOU "race" of creating the audit
> > directory without 700 permissions.
> Yes, that is true. But I addressed the rest, I think. New version
> inline.
For the record, inline patches generate noise that's hard to separate
when applying, so you'd probably want to avoid them. If you don't have
git send-email set up, regular attachments also work for some, though
they do become tedious as well with series.
> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00
> 2001
> From: fesoj000 <fesoj000@HIDDEN>
> Date: Wed, 9 Mar 2022 20:07:42 +0100
> Subject: [PATCH] services: auditd: use exclusive log directory for
> auditd
>
> Use /var/log/audit for auditd. This is the upstream default.
>
> Further, rework the config file generated by auditd-service-type.
> Only
> write values which diverge from the upstream default.
>
> * gnu/services/auditd.scm: add auditd-activation function and extend
> activation-service-type.
> ---
> gnu/services/auditd.scm | 20 +++++++++++++++-----
> 1 file changed, 15 insertions(+), 5 deletions(-)
>
> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
> index abde811f51..602a6c5a48 100644
> --- a/gnu/services/auditd.scm
> +++ b/gnu/services/auditd.scm
> @@ -31,10 +31,10 @@ (define-module (gnu services auditd)
> %default-auditd-configuration-directory))
>
> (define auditd.conf
> - (plain-file "auditd.conf" "log_file =
> /var/log/audit.log\nlog_format = \
> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
> -ignore\ndisk_error_action = syslog\n"))
> + (plain-file "auditd.conf" "\
> +space_left = 5%
> +space_left_action = syslog
> +"))
I can understand discarding the log_file entry because we now use
upstream default, but the rest should remain imo.
> (define %default-auditd-configuration-directory
> (computed-file "auditd"
> @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>
> (default audit))
> (configuration-directory auditd-configuration-configuration-
> directory)) ; file-like
>
> +(define (auditd-activation config)
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils))
> + (let ((var-log-audit "/var/log/audit"))
> + (umask #o077)
> + (mkdir-p var-log-audit)))))
> +
This would also apply umask 077 to /var and /var/log if those don't
already exist. More importantly, code executed after that will also
inherit the umask, which I don't think is the intended consequence.
Cheers
Subject: [bug#54309] What is the process from here?
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <f877fe2f-1d94-fd39-7f4e-08dfd3810071@HIDDEN>
Date: Sat, 19 Mar 2022 12:10:47 +0100
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
<8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
<fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
<87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
From: fesoj000 <fesoj000@HIDDEN>
In-Reply-To: <87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
On 3/18/22 11:36 PM, Liliana Marie Prikler wrote:
> On Friday, 18.03.2022 at 22:48 +0100, fesoj000 wrote:
>> On 3/18/22 9:06 PM, Liliana Marie Prikler wrote:
>>>> So, I assume that there has to be interest and time from a guix
>>>> developer to review, maybe test and then integrate the
>>>> changes/packages into one of the branches.
>>> Note that there have already been two people reviewing; you
>>> currently
>>> owe me a v2 addressing the TOCTOU "race" of creating the audit
>>> directory without 700 permissions.
>> Yes, that is true. But I addressed the rest, I think. New version
>> inline.
> For the record, inline patches generate noise that's hard to separate
> when applying, so you'd probably want to avoid them. If you don't have
> git send-email set up, regular attachments also work for some, though
> they do become tedious as well with series.
>
>> From 0605a2b5cc8beb816e3ff557d7be060a050f91b7 Mon Sep 17 00:00:00
>> 2001
>> From: fesoj000 <fesoj000@HIDDEN>
>> Date: Wed, 9 Mar 2022 20:07:42 +0100
>> Subject: [PATCH] services: auditd: use exclusive log directory for
>> auditd
>>
>> Use /var/log/audit for auditd. This is the upstream default.
>>
>> Further, rework the config file generated by auditd-service-type.
>> Only
>> write values which diverge from the upstream default.
>>
>> * gnu/services/auditd.scm: add auditd-activation function and extend
>> activation-service-type.
>> ---
>> gnu/services/auditd.scm | 20 +++++++++++++++-----
>> 1 file changed, 15 insertions(+), 5 deletions(-)
>>
>> diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
>> index abde811f51..602a6c5a48 100644
>> --- a/gnu/services/auditd.scm
>> +++ b/gnu/services/auditd.scm
>> @@ -31,10 +31,10 @@ (define-module (gnu services auditd)
>> %default-auditd-configuration-directory))
>>
>> (define auditd.conf
>> - (plain-file "auditd.conf" "log_file =
>> /var/log/audit.log\nlog_format = \
>> -ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
>> -syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
>> -ignore\ndisk_error_action = syslog\n"))
>> + (plain-file "auditd.conf" "\
>> +space_left = 5%
>> +space_left_action = syslog
>> +"))
> I can understand discarding the log_file entry because we now use
> upstream default, but the rest should remain imo.
Alright. Let's first keep all options. At another point in time we can
rethink the default options, maybe when implementing configuration for
auditd.
>> (define %default-auditd-configuration-directory
>> (computed-file "auditd"
>> @@ -50,6 +50,14 @@ (define-record-type* <auditd-configuration>
>> (default audit))
>> (configuration-directory auditd-configuration-configuration-
>> directory)) ; file-like
>>
>> +(define (auditd-activation config)
>> + (with-imported-modules '((guix build utils))
>> + #~(begin
>> + (use-modules (guix build utils))
>> + (let ((var-log-audit "/var/log/audit"))
>> + (umask #o077)
>> + (mkdir-p var-log-audit)))))
>> +
> This would also apply umask 077 to /var and /var/log if those don't
> already exist.
Hm, it seems that 'gnu/services.scm: (activation-script)' ensures the
existence of /var/log before the auditd activation gexp is running. So,
the reasoning behind your remark is that we cannot guarantee the
existence of /var/log in every case? What cases might that be? I will
take care of it anyway for the sake of robustness, but I am curious.
> More importantly, code executed after that will also
> inherit the umask, which I don't think is the intended consequence.
I was under the impression that every activation script is run in its
own process. But that is not the case. This changes things; more care
is needed.
Patch will follow later.
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
In-Reply-To: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
To: 54309 <at> debbugs.gnu.org
Message-ID: <a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
Date: Sat, 19 Mar 2022 12:34:38 +0100
From: fesoj000 <fesoj000@HIDDEN>
Use /var/log/audit for auditd. This is the upstream default.
Further, make the inline config file more readable.
* gnu/services/auditd.scm: add auditd-activation function and extend
activation-service-type.
---
gnu/services/auditd.scm | 27 ++++++++++++++++++++++-----
1 file changed, 22 insertions(+), 5 deletions(-)
diff --git a/gnu/services/auditd.scm b/gnu/services/auditd.scm
index abde811f51..e9e19c61be 100644
--- a/gnu/services/auditd.scm
+++ b/gnu/services/auditd.scm
@@ -31,10 +31,15 @@ (define-module (gnu services auditd)
%default-auditd-configuration-directory))
(define auditd.conf
- (plain-file "auditd.conf" "log_file = /var/log/audit.log\nlog_format = \
-ENRICHED\nfreq = 1\nspace_left = 5%\nspace_left_action = \
-syslog\nadmin_space_left_action = ignore\ndisk_full_action = \
-ignore\ndisk_error_action = syslog\n"))
+ (plain-file "auditd.conf" "\
+log_format = ENRICHED
+freq = 1
+space_left = 5%
+space_left_action = syslog
+admin_space_left_action = ignore
+disk_full_action = ignore
+disk_error_action = syslog
+"))
(define %default-auditd-configuration-directory
(computed-file "auditd"
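Review bot: the rewritten auditd.conf contains no log_file key at all, so the place auditd writes to is now the audit package's compiled-in default while the directory is hard-coded as /var/log/audit in the activation hunk below; write `log_file = /var/log/audit/audit.log` explicitly so the two cannot drift apart if the package default changes. Splitting the remaining keys one per line is an improvement and matches the commit message.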
@@ -50,6 +55,16 @@ (define-record-type* <auditd-configuration>
(default audit))
(configuration-directory auditd-configuration-configuration-directory)) ; file-like
+(define (auditd-activation config)
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+ ;; make sure /var/log exists before changing umask
+ (mkdir-p "/var/log")
+ (let* ((previous-umask (umask #o077)))
+ (mkdir-p "/var/log/audit")
+ (umask previous-umask)))))
+
(define (auditd-shepherd-service config)
(let* ((audit (auditd-configuration-audit config))
(configuration-directory (auditd-configuration-configuration-directory config)))
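Review bot: the restore `(umask previous-umask)` in auditd-activation is skipped whenever `(mkdir-p "/var/log/audit")` raises (a permission or read-only filesystem error, for instance), which leaves umask 077 in force for everything else the activation script does afterwards. Either wrap the body in `dynamic-wind` so the restore also runs on a non-local exit, or do not touch the umask at all and create the leaf with an explicit mode, e.g. `(mkdir "/var/log/audit" #o700)` with EEXIST tolerated and then `(chmod "/var/log/audit" #o700)`. Note also that an already existing /var/log/audit keeps whatever mode it has, since `mkdir-p` only creates missing components and nothing here calls `chmod`. Minor: `let*` with a single binding can be plain `let`.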
@@ -67,7 +82,9 @@ (define auditd-service-type
(extensions
(list
(service-extension shepherd-root-service-type
- auditd-shepherd-service)))
+ auditd-shepherd-service)
+ (service-extension activation-service-type
+ auditd-activation)))
(default-value
(auditd-configuration
(configuration-directory %default-auditd-configuration-directory)))))
--
2.34.0
Subject: [bug#54309] What is the process from here?
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>, fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <b311a2b72fd271fd3e7b78a8aca11cd4896fe49c.camel@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
Date: Sun, 20 Mar 2022 00:09:52 +0100
In-Reply-To: <87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
<8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
<fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
<87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
Liliana Marie Prikler wrote on Fri 18-03-2022 at 23:36 [+0100]:
> > +(define (auditd-activation config)
> > +  (with-imported-modules '((guix build utils))
> > +    #~(begin
> > +        (use-modules (guix build utils))
> > +        (let ((var-log-audit "/var/log/audit"))
> > +          (umask #o077)
> > +          (mkdir-p var-log-audit)))))
> > +
> This would also apply umask 077 to /var and /var/log if those don't
> already exist.  More importantly, code executed after that will also
> inherit the umask, which I don't think is the intended consequence.
More concretely, the procedure 'mkdir-p/perms' would address the umask
issue, but not the potential ‘oops too restrictive permissions for /var
and /var/log' issue. Additionally, as var-log-audit is only used in a
single place, you could simplify to
#~(begin
    (use-modules ...)
    (mkdir-p/perms "/var/log/audit"))
here.
Greetings,
Maxime.
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <80cc8802439c49138638dee6d4fb9015723f9727.camel@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
Date: Sun, 20 Mar 2022 00:13:08 +0100
In-Reply-To: <a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
<a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
fesoj000 wrote on Sat 19-03-2022 at 12:34 [+0100]:
> +        (let* ((previous-umask (umask #o077)))
> +          (mkdir-p "/var/log/audit")
> +          (umask previous-umask)))))
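Review bot: the restore at `(umask previous-umask)` runs only when `mkdir-p` returns normally; a non-local exit (the exception case raised below) leaves the process-wide umask at #o077 for every activation snippet that runs afterwards in the same process, and the strict mask also applies to `/var` and `/var/log` should `mkdir-p` have to create them. If the umask route is kept, do the restore in the after-thunk of `dynamic-wind`; the cleaner fix is to leave the umask alone and set the leaf's mode explicitly, which is what `mkdir-p/perms` is for.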
I cannot recommend this: what if 'mkdir-p' throws an exception?
That might cause problems. Or maybe not, but it would require
some analysis that can be avoided with 'mkdir-p/perms'.
Greetings,
Maxime.
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
To: Maxime Devos <maximedevos@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <dce285c1-3d60-31ab-8f5a-1389c42080c2@HIDDEN>
Date: Sun, 20 Mar 2022 21:22:11 +0100
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
<a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
<80cc8802439c49138638dee6d4fb9015723f9727.camel@HIDDEN>
From: fesoj000 <fesoj000@HIDDEN>
In-Reply-To: <80cc8802439c49138638dee6d4fb9015723f9727.camel@HIDDEN>
On 3/20/22 12:13 AM, Maxime Devos wrote:
> fesoj000 wrote on Sat 19-03-2022 at 12:34 [+0100]:
>> + (let* ((previous-umask (umask #o077)))
>> + (mkdir-p "/var/log/audit")
>> + (umask previous-umask)))))
>
> I cannot recommend this, what if 'mkdir-p' throws an exception?
> That might cause problems. Or maybe not, but it would require
> some analysis that can be avoided with 'mkdir-p/perms'.
Hm, but I still have to set umask to prevent TOCTOU; the
implementation of 'mkdir-p/perms' does not take care of that.
BR
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <05b76afd93703efe8fca7fd11513c07343123dd3.camel@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
Date: Sun, 20 Mar 2022 21:30:36 +0100
In-Reply-To: <dce285c1-3d60-31ab-8f5a-1389c42080c2@HIDDEN>
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
<a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
<80cc8802439c49138638dee6d4fb9015723f9727.camel@HIDDEN>
<dce285c1-3d60-31ab-8f5a-1389c42080c2@HIDDEN>
fesoj000 wrote on Sun 20-03-2022 at 21:22 [+0100]:
> > I cannot recommend this: what if 'mkdir-p' throws an exception?
> > That might cause problems. Or maybe not, but it would require
> > some analysis that can be avoided with 'mkdir-p/perms'.
> Hm, but I still have to set umask to prevent TOCTOU; the
> implementation of 'mkdir-p/perms' does not take care of that.
mkdir-p/perms could be modified to take care of that.
If that is done, then other users of mkdir-p/perms would benefit as
well.
To implement this, I recommend using the procedures from
<https://lists.gnu.org/archive/html/guile-devel/2021-11/msg00005.html>
-- that patch was written to remove the TOCTOU!
Greetings,
Maxime.
Subject: [bug#54309] [PATCH] services: auditd: use exclusive log directory for auditd
To: fesoj000 <fesoj000@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <164b19e525895c50d73e0a84658c1d30c6ab452f.camel@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
Date: Sun, 20 Mar 2022 21:35:13 +0100
In-Reply-To: <05b76afd93703efe8fca7fd11513c07343123dd3.camel@HIDDEN>
References: <cc3ad4b4-fd8b-f3c5-31c4-e27a52c694c4@HIDDEN>
<a545ae09-1801-3d71-ef4c-a490dcc39cdf@HIDDEN>
<80cc8802439c49138638dee6d4fb9015723f9727.camel@HIDDEN>
<dce285c1-3d60-31ab-8f5a-1389c42080c2@HIDDEN>
<05b76afd93703efe8fca7fd11513c07343123dd3.camel@HIDDEN>
Maxime Devos wrote on Sun 20-03-2022 at 21:30 [+0100]:
> fesoj000 wrote on Sun 20-03-2022 at 21:22 [+0100]:
> > > I cannot recommend this: what if 'mkdir-p' throws an exception?
> > > That might cause problems. Or maybe not, but it would require
> > > some analysis that can be avoided with 'mkdir-p/perms'.
> > Hm, but I still have to set umask to prevent TOCTOU; the
> > implementation of 'mkdir-p/perms' does not take care of that.
>
> mkdir-p/perms could be modified to take care of that.
> If that is done, then other users of mkdir-p/perms would benefit as
> well.
>
> To implement this, I recommend using the procedures from
> <https://lists.gnu.org/archive/html/guile-devel/2021-11/msg00005.html>
> -- that patch was written to remove the TOCTOU!
It seems to be ignored so far upstream, so I'll look into defining
a Guile package variant that can be used by the activation code.
Greetings,
Maxime.
Subject: [bug#54309] What is the process from here?
To: Maxime Devos <maximedevos@HIDDEN>, Liliana Marie Prikler <liliana.prikler@HIDDEN>, 54309 <at> debbugs.gnu.org
Message-ID: <9f1cfbac-652f-ea32-d3fc-b730534ff666@HIDDEN>
Date: Tue, 22 Mar 2022 17:50:14 +0100
References: <b70a1fd7-e432-3d6d-8dea-17d4231e407e@HIDDEN>
<8640c4e7b1a46e76ea4df8c21a290d1aa72de0d8.camel@HIDDEN>
<fafb2565-5593-aabb-1852-2af4e7dd7478@HIDDEN>
<87f117ba35bb40fe063d5cd0bee61039a5f9801e.camel@HIDDEN>
<b311a2b72fd271fd3e7b78a8aca11cd4896fe49c.camel@HIDDEN>
From: fesoj000 <fesoj000@HIDDEN>
In-Reply-To: <b311a2b72fd271fd3e7b78a8aca11cd4896fe49c.camel@HIDDEN>
On 3/20/22 12:09 AM, Maxime Devos wrote:
> Liliana Marie Prikler wrote on Fri 18-03-2022 at 23:36 [+0100]:
>>> +(define (auditd-activation config)
>>> + (with-imported-modules '((guix build utils))
>>> + #~(begin
>>> + (use-modules (guix build utils))
>>> + (let ((var-log-audit "/var/log/audit"))
>>> + (umask #o077)
>>> + (mkdir-p var-log-audit)))))
>>> +
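Review bot: `mkdir-p` is a no-op when `/var/log/audit` already exists, so the #o077 umask only takes effect on the very first activation; a directory created earlier (by a previous activation or by an auditd start) with other bits or another owner is left untouched. If the directory is meant to be private regardless of history, apply owner and mode unconditionally after creation, e.g. with `mkdir-p/perms`, instead of relying on the umask at creation time. The value returned by `(umask #o077)` is also discarded, so the previous mask is never restored.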
>> This would also apply umask 077 to /var and /var/log if those don't
>> already exist. More importantly, code executed after that will also
>> inherit the umask, which I don't think is the intended consequence.
>
> More concretely, the procedure 'mkdir-p/perms' would address the umask
> issue, but not the potential 'oops too restrictive permissions for /var
> and /var/log' issue.
OK, I can assume that a future version of 'mkdir-p/perms' will handle the
umask.
Should the activation now handle potential permission problems from past
activations and auditd starts? Can you try to explain in more detail,
please?
BR
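The thread's two open points are that setting the process umask is the wrong tool for creating a private /var/log/audit, and that a directory left over from an earlier activation should also end up with the intended permissions. The C program below is an added example, not code from the Guix patch or from mkdir-p/perms: it shows the system-call pattern of creating the leaf with an explicit mode, opening the resulting directory with O_NOFOLLOW, and then setting owner and mode through the descriptor, so the umask is never changed and a pre-existing directory is repaired rather than skipped. The function names ensure_private_dir and self_check and the scratch paths under /tmp are constructed for this demo.

```c
/* Added example (not the Guix patch's code): create or repair a private
 * directory such as /var/log/audit with an explicit mode, without changing
 * the process umask and without a check-then-use window after creation. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno set.  Only the leaf is affected:
 * parents such as /var and /var/log keep whatever mode they already have. */
int ensure_private_dir(const char *path, uid_t owner, gid_t group, mode_t mode)
{
    /* 1. Create the leaf.  The kernel masks MODE with the umask, so the
     *    result may be stricter than requested; step 3 corrects that through
     *    the descriptor instead of touching the process-wide umask. */
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;
    /* 2. Open the directory itself, refusing to follow a symlink.  Every
     *    later call acts on this inode, not on whatever PATH names by then. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* 3. Enforce owner and mode on the opened inode.  This also repairs a
     *    directory left behind by an earlier run with different bits. */
    struct stat st;
    int rc = -1;
    if (fstat(fd, &st) == 0
        && ((st.st_uid == owner && st.st_gid == group)
            || fchown(fd, owner, group) == 0)
        && ((st.st_mode & 07777) == mode || fchmod(fd, mode) == 0))
        rc = 0;
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Exercise three cases in a scratch tree under /tmp (constructed for the
 * demo); returns 0 when all behave as expected, else the failing case. */
int self_check(void)
{
    char base[] = "/tmp/auditdemoXXXXXX";
    if (mkdtemp(base) == NULL)
        return 1;
    char dir[64], alias[64];
    snprintf(dir, sizeof dir, "%s/audit", base);
    snprintf(alias, sizeof alias, "%s/alias", base);
    uid_t u = getuid();
    gid_t g = getgid();
    struct stat st;
    /* Case 1: under umask 077 a bare mkdir(0750) would yield 0700; the
     *         explicit fchmod still produces exactly 0750. */
    mode_t old = umask(077);
    int r = ensure_private_dir(dir, u, g, 0750);
    umask(old);
    if (r != 0 || stat(dir, &st) != 0 || (st.st_mode & 07777) != 0750)
        return 1;
    /* Case 2: a pre-existing directory with loose bits is tightened. */
    if (chmod(dir, 0755) != 0 || ensure_private_dir(dir, u, g, 0700) != 0
        || stat(dir, &st) != 0 || (st.st_mode & 07777) != 0700)
        return 2;
    /* Case 3: a symlink planted at the path is rejected (ELOOP), not followed. */
    if (symlink(dir, alias) != 0 || ensure_private_dir(alias, u, g, 0700) != -1)
        return 3;
    return 0;
}
int main(void)
{
    int r = self_check();
    printf("self_check: %d\n", r);   /* 0 on success */
    return r;
}
```

The same three steps map onto the *at-style procedures the thread points to; what matters is that owner and mode are applied to the opened inode and not through a second path lookup.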
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.