jetomit/monguix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

services/sssd: create config file with correct permissions in /etc

Browse source 
The sssd.conf must be readable only by root for sssd to start.
This commit is contained in:
Timotej Lazar 2022-10-01 12:28:26 +02:00
parent 9f38f95e38
commit 4834bb2d59
1 changed files with 22 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

32
services/sssd.scm
View file

@ -17,11 +17,13 @@
sssd-configuration make-sssd-configuration sssd-configuration make-sssd-configuration
sssd-configuration? sssd-configuration?
(package sssd-configuration-package (default sssd)) (package sssd-configuration-package (default sssd))
(configuration sssd-configuration-configuration (default ""))
(config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf"))) (config-file sssd-configuration-config-file (default "/etc/sssd/sssd.conf")))
(define (sssd-shepherd-service config) (define (sssd-shepherd-service config)
"Return a <shepherd-service> for SSSD with CONFIG." "Return a <shepherd-service> for SSSD with CONFIG."
(let ((sssd (sssd-configuration-package config))) (let ((sssd (sssd-configuration-package config))
(config-file (sssd-configuration-config-file config)))
(list (list
(shepherd-service (shepherd-service
(requirement '(dbus-system)) (requirement '(dbus-system))
@ -29,26 +31,36 @@
(documentation "Start sssd") (documentation "Start sssd")
(start #~(make-forkexec-constructor (start #~(make-forkexec-constructor
(list (string-append #$sssd "/sbin/sssd") (list (string-append #$sssd "/sbin/sssd")
"-c" #$(sssd-configuration-config-file config) "--config" #$config-file
"--logger=files") "--logger=files")
#:pid-file "/var/run/sssd.pid" #:pid-file "/var/run/sssd.pid"
#:log-file "/var/log/sssd/daemon.log")) #:log-file "/var/log/sssd/daemon.log"))
(stop #~(make-kill-destructor)))))) (stop #~(make-kill-destructor))))))
(define sssd-activation (define (sssd-activation config)
;; Create data directories for sssd. (let ((configuration (sssd-configuration-configuration config))
#~(begin (config-file (sssd-configuration-config-file config)))
(use-modules (guix build utils)) #~(begin
(mkdir-p "/var/log/sssd") (use-modules (guix build utils))
(for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir))) ;; Create data directories for sssd.
'("db" "gpo_cache" "mc" "pipes/private" "pubconf")))) (mkdir-p "/var/log/sssd")
(for-each (lambda (dir) (mkdir-p (string-append "/var/lib/sss/" dir)))
'("db" "gpo_cache" "mc" "pipes/private" "pubconf"))
;; Create config file if a configuration is given; otherwise we assume
;; the file is managed externally.
(unless (string-null? #$configuration)
(mkdir-p (dirname #$config-file))
(with-output-to-file #$config-file
(lambda _ (display #$configuration))))
;; Must be a regular file readable only by root.
(chmod #$config-file #o600))))
(define sssd-service-type (define sssd-service-type
(service-type (service-type
(name 'sssd) (name 'sssd)
(extensions (extensions
(list (service-extension activation-service-type (list (service-extension activation-service-type
(const sssd-activation)) sssd-activation)
(service-extension dbus-root-service-type (service-extension dbus-root-service-type
(compose list sssd-configuration-package)) (compose list sssd-configuration-package))
(service-extension nscd-service-type (service-extension nscd-service-type