From 6a8a6171a79dd6b9108cf9d25c8f9a86fd9bb8f8 Mon Sep 17 00:00:00 2001
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Sat, 19 Oct 2024 22:43:27 -0500
Subject: services: guix: Add access control to daemon socket.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/services/base.scm
  (guix-configuration-socket-directory-{permissions,group,user}): New fields.
  (guix-shepherd-service): Use them.
* doc/guix.texi (Base Services): Document them.

Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 doc/guix.texi | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'doc')

diff --git a/doc/guix.texi b/doc/guix.texi
index 187bae6898..151fcd89ac 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -19822,6 +19822,18 @@ A directory path where the @command{guix-daemon} will perform builds.
 Environment variables to be set before starting the daemon, as a list of
 @code{key=value} strings.
 
+@item @code{socket-directory-permissions} (default: @code{#o755})
+Permissions to set for the directory @file{/var/guix/daemon-socket}.
+This, together with @code{socket-directory-group} and
+@code{socket-directory-user}, determines who can connect to the build
+daemon via its Unix socket.  TCP socket operation is unaffected by
+these.
+
+@item @code{socket-directory-user} (default: @code{#f})
+@itemx @code{socket-directory-group} (default: @code{#f})
+User and group owning the @file{/var/guix/daemon-socket} directory or
+@code{#f} to keep the user or group as root.
+
 @end table
 @end deftp
 
-- 
cgit v1.2.3