Diffstat (limited to 'gnu/services')
-rw-r--r--gnu/services/base.scm2
-rw-r--r--gnu/services/cgit.scm5
-rw-r--r--gnu/services/desktop.scm15
-rw-r--r--gnu/services/dict.scm15
-rw-r--r--gnu/services/shepherd.scm18
-rw-r--r--gnu/services/virtualization.scm1
-rw-r--r--gnu/services/web.scm8
7 files changed, 37 insertions, 27 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index bbc2ac2c79f..636d827ff9e 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1613,7 +1613,7 @@ information on the configuration file syntax."
'("conf=/etc/security/limits.conf")))))
(if (member (pam-service-name pam)
'("login" "greetd" "su" "slim" "gdm-password"
- "sddm" "sudo" "sshd"))
+ "sddm" "sudo" "sshd" "lightdm"))
(pam-service
(inherit pam)
(session (cons pam-limits
diff --git a/gnu/services/cgit.scm b/gnu/services/cgit.scm
index c2c003983a2..e33cb9e7dbf 100644
--- a/gnu/services/cgit.scm
+++ b/gnu/services/cgit.scm
@@ -561,7 +561,8 @@ to it, that should loaded as Git repositories. An empty list means that all
subdirectories will be loaded.")
(readme
(file-object "")
- "Text which will be used as default value for @code{cgit-repo-readme}.")
+ "Text which will be used as default @code{repository-cgit-configuration}
+@code{readme}.")
(remove-suffix?
(boolean #f)
"If set to @code{#t} and @code{repository-directory} is enabled, if any
@@ -642,7 +643,7 @@ for cgit to allow access to that repository.")
"URL which, if specified, will be used as root for all cgit links.")
(repositories
(repository-cgit-configuration-list '())
- "A list of @dfn{cgit-repo} records to use with config.")
+ "A list of @code{repository-cgit-configuration} records.")
(extra-options
(list '())
"Extra options will be appended to cgitrc file."))
diff --git a/gnu/services/desktop.scm b/gnu/services/desktop.scm
index a63748b652f..01aec64bee3 100644
--- a/gnu/services/desktop.scm
+++ b/gnu/services/desktop.scm
@@ -1398,18 +1398,7 @@ rules."
'("gnome-settings-daemon"
"gnome-control-center"
"gnome-system-monitor"
- "gvfs"
- ;; spice-gtk provides polkit actions for USB redirection
- ;; in GNOME Boxes.
- ("gnome-boxes" "spice-gtk")))))
-
-(define (gnome-setuid-programs config)
- "Return the list of GNOME setuid programs."
- (let* ((gnome (gnome-desktop-configuration-gnome config))
- (spice-gtk (gnome-package gnome '("gnome-boxes" "spice-gtk"))))
- (map file-like->setuid-program
- (list (file-append spice-gtk
- "/libexec/spice-client-glib-usb-acl-helper")))))
+ "gvfs"))))
(define gnome-desktop-service-type
(service-type
@@ -1419,8 +1408,6 @@ rules."
gnome-udev-rules)
(service-extension polkit-service-type
gnome-polkit-settings)
- (service-extension setuid-program-service-type
- gnome-setuid-programs)
(service-extension profile-service-type
(compose list gnome-desktop-configuration-gnome))))
(default-value (gnome-desktop-configuration))
diff --git a/gnu/services/dict.scm b/gnu/services/dict.scm
index 90d3c35b6c7..23e1d363649 100644
--- a/gnu/services/dict.scm
+++ b/gnu/services/dict.scm
@@ -167,15 +167,15 @@ database {
(provision '(dicod))
(requirement '(user-processes))
(documentation "Run the dicod daemon.")
- (start #~(if (and (defined? 'make-inetd-constructor)
- #$(= 1 (length interfaces))) ;XXX
+ (start #~(if (defined? 'make-inetd-constructor)
(make-inetd-constructor
(list #$dicod "--inetd" "--foreground"
(string-append "--config=" #$dicod.conf))
- (list (endpoint
- (addrinfo:addr
- (car (getaddrinfo #$(first interfaces)
- "dict")))))
+ (map (lambda (interface)
+ (endpoint
+ (addrinfo:addr
+ (car (getaddrinfo interface "dict")))))
+ '#$interfaces)
#:requirements '#$requirement
#:user "dicod" #:group "dicod"
#:service-name-stem "dicod")
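Review bot: The `start` branch now hands `make-inetd-constructor` whatever `(map … '#$interfaces)` yields, with no guard for an empty list. The removed `(= 1 (length interfaces))` test used to send that case to the fork+exec branch, so an empty `interfaces` would now give the inetd constructor zero endpoints. A host-side check would keep the fallback, for example `(and (defined? 'make-inetd-constructor) #$(pair? interfaces))`, with the matching test on `make-inetd-destructor` in the `stop` hunk below. Separately, `(car (getaddrinfo interface "dict"))` keeps only the first address per name, so a name that resolves to both IPv4 and IPv6 is bound on one family only. A short comment saying this is intended would help anyone auditing which addresses the daemon listens on. The enclosing `shepherd-service` form begins and ends outside this hunk.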
@@ -183,8 +183,7 @@ database {
(list #$dicod "--foreground"
(string-append "--config=" #$dicod.conf))
#:user "dicod" #:group "dicod")))
- (stop #~(if (and (defined? 'make-inetd-destructor)
- #$(= 1 (length interfaces))) ;XXX
+ (stop #~(if (defined? 'make-inetd-destructor)
(make-inetd-destructor)
(make-kill-destructor)))
(actions (list (shepherd-configuration-action dicod.conf)))))))
diff --git a/gnu/services/shepherd.scm b/gnu/services/shepherd.scm
index de40454f7da..e9d3a631c21 100644
--- a/gnu/services/shepherd.scm
+++ b/gnu/services/shepherd.scm
@@ -27,8 +27,9 @@
#:use-module (guix store)
#:use-module (guix records)
#:use-module (guix packages)
- #:use-module (guix derivations) ;imported-modules, etc.
#:use-module (guix utils)
+ #:use-module ((guix diagnostics)
+ #:select (define-with-syntax-properties formatted-message))
#:use-module (gnu services)
#:use-module (gnu services herd)
#:use-module (gnu packages admin)
@@ -186,12 +187,25 @@ DEFAULT is given, use it as the service's default value."
((guix build utils) #:hide (delete))
(guix build syscalls)))
+(define-with-syntax-properties (validate-provision (provision properties))
+ (match provision
+ (((? symbol?) ..1) provision)
+ (_
+ (raise
+ (make-compound-condition
+ (condition
+ (&error-location
+ (location (source-properties->location properties))))
+ (formatted-message
+ (G_ "'provision' must be a non-empty list of symbols")))))))
+
(define-record-type* <shepherd-service>
shepherd-service make-shepherd-service
shepherd-service?
(documentation shepherd-service-documentation ;string
(default "[No documentation.]"))
- (provision shepherd-service-provision) ;list of symbols
+ (provision shepherd-service-provision ;list of symbols
+ (sanitize validate-provision))
(requirement shepherd-service-requirement ;list of symbols
(default '()))
(one-shot? shepherd-service-one-shot? ;Boolean
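Review bot: `validate-provision` has no comment stating its contract, and the error it raises does not show the value that was rejected. A line above the definition such as `;; Return PROVISION if it is a non-empty list of symbols; otherwise raise an error located at PROPERTIES.` would document it. Passing the offending value to the message, e.g. `(formatted-message (G_ "'provision' must be a non-empty list of symbols, got ~s") provision)`, would make a misconfigured service easier to find, assuming `formatted-message` takes format arguments here. The record definition continues past the end of this hunk.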
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 880557915cd..506f5a7ab6a 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -478,6 +478,7 @@ potential infinite waits blocking libvirt."))
(list (shepherd-service
(documentation "Run the libvirt daemon.")
(provision '(libvirtd))
+ (requirement '(dbus-system))
(start #~(make-forkexec-constructor
(list (string-append #$libvirt "/sbin/libvirtd")
"-f" #$config-file
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 45897d7d6fd..818226a4f76 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -1144,6 +1144,14 @@ a webserver.")
(uri "~ \\.php$")
(body (list
"fastcgi_split_path_info ^(.+\\.php)(/.+)$;"
+
+ ;; Include some upstream recommendations from
+ ;; https://www.nginx.com/resources/wiki/start/topics/examples/phpfcgi
+ ;; Mitigate https://httpoxy.org/ vulnerabilities
+ "fastcgi_param HTTP_PROXY \"\";"
+ ;; Only pass existing php files to the backend.
+ "if (!-f $document_root$fastcgi_script_name) { return 404; }"
+
(string-append "fastcgi_pass unix:" socket ";")
"fastcgi_index index.php;"
(list "include " nginx-package "/share/nginx/conf/fastcgi.conf;")))))
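Review bot: The added `if (!-f $document_root$fastcgi_script_name) { return 404; }` depends on two things the comments do not state. It must stay after `fastcgi_split_path_info`, because the split is what sets `$fastcgi_script_name` to the script part of the URI. It also makes nginx itself check the file under `$document_root`, so a php-fpm backend with a different filesystem view (a container or chroot behind the socket) would presumably start getting 404 for every request. I would widen the comment to something like `;; Only pass existing php files to the backend; must follow fastcgi_split_path_info and assumes nginx and php-fpm share the document root.` The enclosing location definition starts outside this hunk.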