From 6a8a6171a79dd6b9108cf9d25c8f9a86fd9bb8f8 Mon Sep 17 00:00:00 2001 From: Reepca Russelstein Date: Sat, 19 Oct 2024 22:43:27 -0500 Subject: services: guix: Add access control to daemon socket. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * gnu/services/base.scm (guix-configuration-socket-directory-{permissions,group,user}): New fields. (guix-shepherd-service): Use them. * doc/guix.texi (Base Services): Document them. Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a Signed-off-by: Ludovic Courtès --- doc/guix.texi | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index 187bae6898..151fcd89ac 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -19822,6 +19822,18 @@ A directory path where the @command{guix-daemon} will perform builds. Environment variables to be set before starting the daemon, as a list of @code{key=value} strings. +@item @code{socket-directory-permissions} (default: @code{#o755}) +Permissions to set for the directory @file{/var/guix/daemon-socket}. +This, together with @code{socket-directory-group} and +@code{socket-directory-user}, determines who can connect to the build +daemon via its Unix socket. TCP socket operation is unaffected by +these. + +@item @code{socket-directory-user} (default: @code{#f}) +@itemx @code{socket-directory-group} (default: @code{#f}) +User and group owning the @file{/var/guix/daemon-socket} directory or +@code{#f} to keep the user or group as root. + @end table @end deftp -- cgit v1.2.3
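Review bot: the new @code{socket-directory-user} and @code{socket-directory-group} entries do not say what kind of value they take (a user or group name as a string, or a numeric id), and the hunk shows no example of the combination an administrator would actually use to restrict access, so the sentence "determines who can connect to the build daemon via its Unix socket" leaves the reader to guess. Suggest stating the value type explicitly and adding a two-line illustration along the lines of "@code{(socket-directory-permissions #o750) (socket-directory-group "guix-users")}" (with a note that the group must already exist), since @code{#o750} with a dedicated group is the intended restrictive configuration these fields enable. It would also help to say plainly that the default @code{#o755} keeps the directory traversable by every local user, so access is unchanged unless the permissions are tightened; the text currently implies the new fields restrict access by default when they only make it configurable.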