-rw-r--r--gnu/build/file-systems.scm9
-rw-r--r--gnu/services/shepherd.scm12
-rw-r--r--gnu/tests/base.scm15
3 files changed, 32 insertions, 4 deletions
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index 3f97afeedd..efd744acc1 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -535,10 +535,13 @@ were found."
          (sleep 3)
          (reboot))
         ('fatal-error
-         (format (current-error-port)
-                 "File system check on ~a failed; spawning Bourne-like REPL~%"
+         (format (current-error-port) "File system check on ~a failed~%"
                  device)
-         (start-repl %bournish-language)))
+
+         ;; Spawn a REPL only if someone would be able to interact with it.
+         (when (isatty? (current-input-port))
+           (format (current-error-port) "Spawning Bourne-like REPL.~%")
+           (start-repl %bournish-language))))
       (format (current-error-port)
               "No file system check procedure for ~a; skipping~%"
               device)))
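Review bot: In the `'fatal-error` clause, when `(isatty? (current-input-port))` is false the code prints "File system check on ~a failed" and then does nothing more, so as far as the hunk shows an unattended boot carries on with a file system that failed its check and the log does not say the emergency REPL was skipped. Turning the `when` into an `if` with an else branch such as `(format (current-error-port) "No interactive console; not spawning a REPL.~%")` would record that decision for whoever reads the console log later. The enclosing procedure starts above the hunk, so what follows this clause (mounting, retrying, halting) cannot be confirmed from here.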
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index 49d08cc30f..12d649f542 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -281,7 +281,17 @@ stored."
                             (start service)))
                         '#$(append-map shepherd-service-provision
                                        (filter shepherd-service-auto-start?
-                                               services)))))))
+                                               services)))
+
+              ;; Hang up stdin.  At this point, we assume that 'start' methods
+              ;; that required user interaction on the console (e.g.,
+              ;; 'cryptsetup open' invocations, post-fsck emergency REPL) have
+              ;; completed.  User interaction becomes impossible after this
+              ;; call; this avoids situations where services wrongfully lead
+              ;; PID 1 to read from stdin (the console), which users may not
+              ;; have access to (see <https://bugs.gnu.org/23697>).
+              (redirect-port (open-input-file "/dev/null")
+                             (current-input-port))))))
 
     (scheme-file "shepherd.conf" config)))
 
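Review bot: The port returned by `(open-input-file "/dev/null")` is never closed after `redirect-port` has duplicated its descriptor onto stdin, so PID 1 keeps an extra open descriptor until the port happens to be collected. Binding it and closing it makes the lifetime explicit: `(let ((null (open-input-file "/dev/null"))) (redirect-port null (current-input-port)) (close-port null))`. The comment's assumption that interactive `start` methods have finished only covers the auto-start services in the loop above; it may be worth one more sentence saying that a service started later on demand will read EOF rather than prompt on the console.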
diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm
index 03392cef38..8d4e218a8f 100644
--- a/gnu/tests/base.scm
+++ b/gnu/tests/base.scm
@@ -123,6 +123,21 @@ initialization step, such as entering a LUKS passphrase."
                          #f))))
              marionette))
 
+          (test-eq "stdin is /dev/null"
+            'eof
+            ;; Make sure services can no longer read from stdin once the
+            ;; system has booted.
+            (marionette-eval
+             `(begin
+                (use-modules (gnu services herd))
+                (start 'user-processes)
+                ((@@ (gnu services herd) eval-there)
+                 '(let ((result (read (current-input-port))))
+                    (if (eof-object? result)
+                        'eof
+                        result))))
+             marionette))
+
           (test-assert "shell and user commands"
             ;; Is everything in $PATH?
             (zero? (marionette-eval '(system "
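Review bot: The new test reaches a private binding through `(@@ (gnu services herd) eval-there)` without saying why, which couples it to an internal name of that module. A comment such as `;; Evaluate inside shepherd (PID 1), whose stdin is the one that was redirected.` would explain the choice, assuming that is what `eval-there` does. The assertion only shows that a `read` on stdin yields EOF, so the title "stdin is /dev/null" claims slightly more than is checked; either rename it (e.g. "stdin yields EOF") or note that limitation in the comment. The surrounding test group begins and ends outside the hunk.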