GNU bug report logs - #64862
[feature request] [shepherd] Specifying POSIX capabilities on services


Package: guix;

Reported by: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Date: Tue, 25 Jul 2023 21:05:01 UTC

Severity: wishlist

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#64862; Package guix. (Tue, 25 Jul 2023 21:05:02 GMT)

Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 25 Jul 2023 21:05:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: bug-guix <bug-guix <at> gnu.org>
Subject: [feature request] [shepherd] Specifying POSIX capabilities on services
Date: Tue, 25 Jul 2023 17:04:26 -0400
Hello,

It'd be useful to be able to specify POSIX capabilities a Shepherd
service should have, for example for an unprivileged process to be able
to bind to ports lower than 1024.

This came up while reviewing #63082, patch 10/16 of which (now dropped
because of loss of functionality) suggested letting the user/group change
be effected by Shepherd instead of by MPD itself (see:
https://issues.guix.gnu.org/63082#98).

I know that NixOS has some mechanism to do that; I think it was a simple
shell script wrapper setting the capabilities, but that's all I
remember.

-- 
Thanks,
Maxim
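
The request above is for the supervisor, not the daemon, to perform the user/group switch while leaving the service with just the capability it needs (CAP_NET_BIND_SERVICE for ports below 1024). The following is an added example of the kernel-facing steps that involves; it is not Shepherd's code and not what the commit that later closed this report does. It uses the raw capset(2) syscall rather than libcap, keeps only the requested capability after setuid(), and then raises it into the ambient set so that it survives execve() of a service binary that carries no file capabilities (the other route, `setcap cap_net_bind_service=+ep` on the binary, is what a wrapper script would typically do). Linux only; the program must start as root with a full capability set. The program name, UID/GID values and command line in the usage comment are assumptions for illustration.

```c
/* Added example: a minimal supervisor step that starts a service as an
 * unprivileged user while keeping only CAP_NET_BIND_SERVICE.  Illustrative
 * code, not Shepherd's implementation.  Linux only; must start as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* A capability set in the kernel's v3 layout: two 32-bit words, bit (c & 31)
 * of word (c >> 5) stands for capability number c. */
struct capset_words {
    uint32_t w[2];
    int valid;      /* 0 when a requested capability number was out of range */
};

/* Build a set from a list of capability numbers; fails closed (empty set,
 * valid == 0) if any number is outside 0..CAP_LAST_CAP. */
static struct capset_words caps_from_list(const int *caps, size_t n)
{
    struct capset_words s = { { 0, 0 }, 1 };
    for (size_t i = 0; i < n; i++) {
        if (caps[i] < 0 || caps[i] > CAP_LAST_CAP) {
            s.w[0] = s.w[1] = 0;
            s.valid = 0;
            return s;
        }
        s.w[CAP_TO_INDEX(caps[i])] |= CAP_TO_MASK(caps[i]);
    }
    return s;
}

static int caps_contains(struct capset_words s, int cap)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return 0;
    return (s.w[CAP_TO_INDEX(cap)] & CAP_TO_MASK(cap)) != 0;
}

/* Restrict permitted/effective/inheritable to `keep`, then raise each kept
 * capability into the ambient set so it survives execve() of a binary that
 * carries no file capabilities.  Returns 0 or -errno. */
static int caps_apply(struct capset_words keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    for (int i = 0; i < 2; i++)
        data[i].effective = data[i].permitted = data[i].inheritable = keep.w[i];
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++) {
        if (!caps_contains(keep, cap))
            continue;
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0)
            return -errno;
    }
    return 0;
}

/* Switch to uid/gid without losing the permitted set (PR_SET_KEEPCAPS), then
 * narrow it to `keep`.  setuid() clears the effective set, so caps_apply()
 * must run after it.  Returns 0 or -errno. */
static int drop_privileges(uid_t uid, gid_t gid, struct capset_words keep)
{
    if (!keep.valid)
        return -EINVAL;
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -errno;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -errno;
    return caps_apply(keep);
}

/* Usage (as root; program name and argument values are assumptions):
 *   ./keepcap 1000 1000 /path/to/service --port 80 */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s UID GID PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    int wanted[] = { CAP_NET_BIND_SERVICE };
    struct capset_words keep = caps_from_list(wanted, 1);
    int rc = drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]), keep);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(-rc));
        return 1;
    }
    execvp(argv[3], &argv[3]);
    perror("execvp");
    return 1;
}
```

After the exec, `grep Cap /proc/PID/status` on the service should show only bit 10 set in CapPrm, CapEff and CapAmb. Because ambient capabilities are inherited by every descendant the service spawns, a tighter supervisor would also shrink the bounding set (PR_CAPBSET_DROP) to the same list, and a service that only needs the capability at startup should drop it itself once its sockets are bound.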




Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Tue, 12 Nov 2024 06:10:02 GMT)

Notification sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
bug acknowledged by developer. (Tue, 12 Nov 2024 06:10:02 GMT)

Message #10 received at 64862-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: 64862-done <at> debbugs.gnu.org
Cc: Tobias Geerinckx-Rice <me <at> tobias.gr>
Subject: Re: bug#64862: [feature request] [shepherd] Specifying POSIX capabilities on services
Date: Tue, 12 Nov 2024 15:08:29 +0900
Hello,

Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:

> Hello,
>
> It'd be useful to be able to specify POSIX capabilities a Shepherd
> service should have, for example for an unprivileged process to be able
> to bind to ports lower than 1024.
>
> This came up while reviewing #63082, patch 10/16 of which (now dropped
> because of loss of functionality) suggested letting the user/group change
> be effected by Shepherd instead of by MPD itself (see:
> https://issues.guix.gnu.org/63082#98).
>
> I know that NixOS has some mechanism to do that; I think it was a simple
> shell script wrapper setting the capabilities, but that's all I
> remember.

I believe that's now possible since commit 71f0676a29 ("privilege: Add
POSIX capabilities(7) support.").  Thank you, Tobias!

Closing.

-- 
Thanks,
Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 10 Dec 2024 12:24:11 GMT)

