authorArun Isaac2024-01-05 15:41:40 +0000
committerArun Isaac2024-01-05 15:54:49 +0000
commit4b3786b53f85223a8527e2fd39c7166471efd204 (patch)
tree01eadc725d6ea495f4a5667b65dfef355082a296
parentcc92203f1fd6004c8b87a4a3ed9bd70616af7175 (diff)
downloadgn-machines-4b3786b53f85223a8527e2fd39c7166471efd204.tar.gz
Set ownership and permissions on secret files.
* genenetwork-development.scm (genenetwork-activation): Set ownership and permissions on secret files. * genenetwork-development-deploy.sh: Share /etc/genenetwork/conf instead of merely exposing it.
-rwxr-xr-xgenenetwork-development-deploy.sh7
-rw-r--r--genenetwork-development.scm14
2 files changed, 16 insertions, 5 deletions
diff --git a/genenetwork-development-deploy.sh b/genenetwork-development-deploy.sh
index e496fd0..d39bb7f 100755
--- a/genenetwork-development-deploy.sh
+++ b/genenetwork-development-deploy.sh
@@ -1,7 +1,7 @@
#! /bin/sh -e
# genenetwork-machines --- Guix configuration for genenetwork machines
-# Copyright © 2022 Arun Isaac <arunisaac@systemreboot.net>
+# Copyright © 2022–2024 Arun Isaac <arunisaac@systemreboot.net>
#
# This file is part of genenetwork-machines.
#
@@ -24,6 +24,9 @@
# If we shared only the mysqld.sock socket file, it would break when
# the external mysqld server is restarted. So, we share the mysqld
# socket directory.
+
+# We set permissions on the secret files. So, we share
+# /etc/genenetwork/conf instead of merely exposing it.
container_script=$(guix system container --network \
--verbosity=3 \
--load-path=. \
@@ -34,7 +37,7 @@ container_script=$(guix system container --network \
--share=/export2/guix-containers/genenetwork-development/var/lib/tissue=/var/lib/tissue \
--share=/export2/guix-containers/genenetwork-development/var/lib/virtuoso=/var/lib/virtuoso \
--share=/export2/guix-containers/genenetwork-development/var/log/cd=/var/log/cd \
- --expose=/export2/guix-containers/genenetwork-development/etc/genenetwork/conf=/etc/genenetwork/conf \
+ --share=/export2/guix-containers/genenetwork-development/etc/genenetwork/conf=/etc/genenetwork/conf \
--share=/export/data/genenetwork-virtuoso=/var/lib/data \
--expose=/export/data/genenetwork \
--share=/export/data/genenetwork-xapian \
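Review bot: Switching `/etc/genenetwork/conf` from `--expose` to `--share` makes the whole configuration directory writable from inside the container, not only the two secret files whose owner and mode the activation snippet sets, and the comment added in the previous hunk gives the reason but not this widening of the container's write access to host files. I would extend that comment so the trade-off is visible where the mount is declared, e.g. `# This makes the whole conf directory writable from the container; it could stay read-only if ownership/mode were fixed on the host before the container starts.` If fixing ownership and permissions on the host side from this deploy script is acceptable, the `--expose` form could be kept and the host-side chown/chmod done here instead. The `guix system container` invocation that these `--share` lines belong to continues past the end of the hunk.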
diff --git a/genenetwork-development.scm b/genenetwork-development.scm
index 59fbf37..5848ae5 100644
--- a/genenetwork-development.scm
+++ b/genenetwork-development.scm
@@ -680,17 +680,25 @@ described by CONFIG, a <genenetwork-configuration> object."
(define (genenetwork-activation config)
(match-record config <genenetwork-configuration>
- (auth-db-path)
+ (gn2-secrets gn3-secrets auth-db-path)
(with-imported-modules '((guix build utils))
#~(begin
(use-modules (guix build utils))
+ ;; Set ownership of files.
(for-each (lambda (file)
(chown file
(passwd:uid (getpw "genenetwork"))
(passwd:gid (getpw "genenetwork"))))
- (find-files #$(dirname auth-db-path)
- #:directories? #t))))))
+ (cons* #$gn2-secrets
+ #$gn3-secrets
+ (find-files #$(dirname auth-db-path)
+ #:directories? #t)))
+ ;; Prevent other users from reading secret files.
+ (for-each (lambda (file)
+ (chmod file #o600))
+ (list #$gn2-secrets
+ #$gn3-secrets))))))
(define genenetwork-service-type
(service-type
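Review bot: The chown and `(chmod file #o600)` on `#$gn2-secrets` and `#$gn3-secrets` only succeed because the deploy script now bind-mounts their directory writable, and that cross-file dependency is recorded only in the shell script's comment; the activation should carry it too, e.g. `;; Requires the secrets' directory to be shared writable with the container (see genenetwork-development-deploy.sh).` above the first `for-each`. Separately, `(getpw "genenetwork")` is evaluated twice for every element of the combined list (the two secrets plus every path returned by `find-files`); binding the lookup once, `(let ((pw (getpw "genenetwork"))) ...)` around the first `for-each`, avoids the repeated lookups and fails once, early, if the user is missing. The `#o600` mode is applied after the chown, so the file ends up owner-only for `genenetwork`, which is the right order; the mode of the enclosing directory is not touched here, so whether other users can replace (rather than read) the secret files depends on that directory's permissions, which this hunk does not show.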