unofficial mirror of guix-devel@gnu.org 
* Allow to add more than one group for service user
@ 2020-08-19  7:46 Reza Alizadeh Majd
  2020-08-19 11:11 ` Julien Lepiller
From: Reza Alizadeh Majd @ 2020-08-19  7:46 UTC (permalink / raw)
  To: Guix Development Mailing List

Hi Guix, 

coming from this thread: 
https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html

I have defined a service that needs to run as a specific user. The
application in question creates a Unix domain socket during start-up and
changes the ownership of the socket file to a specific group.

The problem is that the daemon user (the user that runs the service) only
sees its primary group and does not have permission to `chown` the
socket file.

I also performed another test and ran a bash instance inside a `screen`
using the service. When I checked the user's groups, I saw that only the
primary group is reported for the service user.

I assume that this might be a bug in group assignment for service users,
or I might have missed something in the service definition.

Kind regards,
Reza


-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: Allow to add more than one group for service user
  2020-08-19  7:46 Allow to add more than one group for service user Reza Alizadeh Majd
@ 2020-08-19 11:11 ` Julien Lepiller
  2020-08-19 16:18   ` Reza Alizadeh Majd
From: Julien Lepiller @ 2020-08-19 11:11 UTC (permalink / raw)
  To: guix-devel, Reza Alizadeh Majd


Hi Reza,

This kind of message should probably go to guix-help instead. Can you send the user and group definitions you're using? Then we should see if there's anything wrong with them, or if we can reproduce the issue.

On 19 August 2020 at 3:46:59 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
>Hi Guix, 
>
>coming from this thread: 
>https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html
>
>I have defined a service that needs to run as a specific user. The
>application in question creates a Unix domain socket during start-up and
>changes the ownership of the socket file to a specific group.
>
>The problem is that the daemon user (the user that runs the service) only
>sees its primary group and does not have permission to `chown` the
>socket file.
>
>I also performed another test and ran a bash instance inside a `screen`
>using the service. When I checked the user's groups, I saw that only the
>primary group is reported for the service user.
>
>I assume that this might be a bug in group assignment for service users,
>or I might have missed something in the service definition.
>
>kind regards,
>Reza
>
>
>-- 
>Reza Alizadeh Majd
>PantherX Team
>https://www.pantherx.org/



* Re: Allow to add more than one group for service user
  2020-08-19 11:11 ` Julien Lepiller
@ 2020-08-19 16:18   ` Reza Alizadeh Majd
  2020-08-19 18:13     ` Julien Lepiller
From: Reza Alizadeh Majd @ 2020-08-19 16:18 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hi Julien,

On Wed, 19 Aug 2020 07:11:25 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> This kind of message should probably go to guix-help instead. Can you
> send the user and group definitions you're using? Then we should see
> if there's anything wrong with them, or if we can reproduce the issue.


Sorry for the interruption; since I assumed this could be a bug, I
continued the previous discussion on this mailing list. If you think
`help-guix` is the proper place to discuss this issue, we can continue on
the following thread:

https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html

By the way, here are the user account and groups that I'm using for my
service definition:

--8<---------------cut here---------------start------------->8---
(define %kyc-accounts
  (list (user-group (name "kyc-service"))
        (user-group (name "kyc-rpc"))
        (user-account
          (name "kyc-service")
          (group "kyc-service")
          (system? #f)
          (supplementary-groups '("wheel" "kyc-rpc" "video"))
          (comment "KYC service user"))))
--8<---------------cut here---------------end--------------->8---

Later I add these definitions using an `account-service-type` extension:

--8<---------------cut here---------------start------------->8---
(define kyc-service-type
   ...
   (extensions (list ...
                            (service-extension account-service-type
                                                          (const %kyc-accounts))))
   ...
--8<---------------cut here---------------end--------------->8---


-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: Allow to add more than one group for service user
  2020-08-19 16:18   ` Reza Alizadeh Majd
@ 2020-08-19 18:13     ` Julien Lepiller
  2020-08-20  4:32       ` Reza Alizadeh Majd
  2020-08-20  5:03       ` Reza Alizadeh Majd
From: Julien Lepiller @ 2020-08-19 18:13 UTC (permalink / raw)
  To: Reza Alizadeh Majd; +Cc: guix-devel


From what I understand, the generated /etc/group is correct, but logging in as kyc-service, even after a reboot, you don't see the additional groups?

On 19 August 2020 at 12:18:34 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
>Hi Julien,
>
>On Wed, 19 Aug 2020 07:11:25 -0400
>Julien Lepiller <julien@lepiller.eu> wrote:
>
>> This kind of message should probably go to guix-help instead. Can you
>> send the user and group definitions you're using? Then we should see
>> if there's anything wrong with them, or if we can reproduce the issue.
>
>
>Sorry for the interruption; since I assumed this could be a bug, I
>continued the previous discussion on this mailing list. If you think
>`help-guix` is the proper place to discuss this issue, we can continue on
>the following thread:
>
>https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html
>
>By the way, here are the user account and groups that I'm using for my
>service definition:
>
>--8<---------------cut here---------------start------------->8---
>(define %kyc-accounts
>  (list (user-group (name "kyc-service"))
>        (user-group (name "kyc-rpc"))
>        (user-account
>          (name "kyc-service")
>          (group "kyc-service")
>          (system? #f)
>          (supplementary-groups '("wheel" "kyc-rpc" "video"))
>          (comment "KYC service user"))))
>--8<---------------cut here---------------end--------------->8---
>
>Later I add these definitions using an `account-service-type` extension:
>
>--8<---------------cut here---------------start------------->8---
>(define kyc-service-type
>   ...
>   (extensions (list ...
>                            (service-extension account-service-type
>                                               (const %kyc-accounts))))
>   ...
>--8<---------------cut here---------------end--------------->8---
>
>
>-- 
>Reza Alizadeh Majd
>PantherX Team
>https://www.pantherx.org/



* Re: Allow to add more than one group for service user
  2020-08-19 18:13     ` Julien Lepiller
@ 2020-08-20  4:32       ` Reza Alizadeh Majd
  2020-08-20  5:03       ` Reza Alizadeh Majd
From: Reza Alizadeh Majd @ 2020-08-20  4:32 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

On Wed, 19 Aug 2020 14:13:43 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> From what I understand, the generated /etc/group is correct, but
> logging in as kyc-service, even after a reboot, you don't see the
> additional groups?

When I log in normally, using `su - kyc-service`, all groups are in place
and I can see both the primary and supplementary groups using the
`groups` command.

But when I switch to a shell that is run by the service, the `groups`
command shows me only the primary group of the user:

--8<---------------cut here---------------start------------->8---
sh-5.0$ whoami 
kyc-service
sh-5.0$ groups
kyc-service
--8<---------------cut here---------------end--------------->8---

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: Allow to add more than one group for service user
  2020-08-19 18:13     ` Julien Lepiller
  2020-08-20  4:32       ` Reza Alizadeh Majd
@ 2020-08-20  5:03       ` Reza Alizadeh Majd
  2020-08-20  6:04         ` Oleg Pykhalov
From: Reza Alizadeh Majd @ 2020-08-20  5:03 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

On Wed, 19 Aug 2020 14:13:43 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> From what I understand, the generated /etc/group is correct, but
> logging in as kyc-service, even after a reboot, you don't see the
> additional groups?

In order to replicate this issue I prepared a `test-service` that
provides bash access inside a screen session for a test user:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system)
             (gnu system shadow)
             (gnu packages admin)
             (gnu packages bash)
             (gnu packages base)
             (gnu packages screen)
             (gnu services shepherd)
             (guix gexp)
             (guix records)
             (ice-9 match))

;; Configuration record: the only field is the package providing /bin/sh.
(define-record-type* <test-configuration>
  test-configuration make-test-configuration
  test-configuration?
  (package test-configuration-package
           (default bash)))

;; Shepherd service that runs a shell inside a detached screen session as
;; user "test".  #:user and #:group are the only identity settings passed
;; to make-forkexec-constructor here.
(define test-shepherd-service
  (match-lambda
    (($ <test-configuration> package)
      (list (shepherd-service
              (provision '(test-service))
              (documentation "run a bash instance inside screen")
              (requirement '(user-processes))
              (start #~(make-forkexec-constructor
                        (list (string-append #$screen "/bin/screen")
                              "-D" "-m" "-S" "test-service"
                              (string-append #$package "/bin/sh"))
                        #:user "test"
                        #:group "users"))
              (stop #~(make-kill-destructor)))))))

;; Accounts contributed through account-service-type: user "test" has
;; "testgrp" as primary group and "users" and "wheel" as supplementary groups.
(define (test-accounts config)
  "Return the user accounts for test-service."
  (list (user-group (name "testgrp"))
        (user-account
          (name "test")
          (group "testgrp")
          (system? #t)
          (comment "test user")
          (supplementary-groups '("users" "wheel"))
          (home-directory "/home/test"))))

(define test-service-type
  (service-type
    (name 'test-service)
    (extensions (list (service-extension shepherd-root-service-type
                                         test-shepherd-service)
                      (service-extension account-service-type
                                         test-accounts)))
    (default-value (test-configuration))))

--8<---------------cut here---------------end--------------->8---

Using the above snippet, I realized that the only group available to the
service is the one set in the `#:group` parameter of
`make-forkexec-constructor` (`users` in this test).

--8<---------------cut here---------------start------------->8---
root@panther ~# su - test
-bash-5.0$ groups
testgrp users wheel

-bash-5.0$ screen -r test-service
sh-5.0$ groups
users
--8<---------------cut here---------------end--------------->8--- 

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/


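The single-group result in the screen session above is what a launcher produces when it only sets the gid and uid before exec: the supplementary groups listed in /etc/group are never attached to the child, because that requires an initgroups()/setgroups() call made while the process is still root. The following Python script is an added example, not code from this thread, from Shepherd or from Guix. It parses constructed passwd/group text modelled on the `test` account in the snippet above, computes the group set the account definition grants, reports which of those a running service process is missing (the check to run from inside the service shell), and shows the order in which a supervisor should drop privileges. The sample files, `missing_group_names` and `drop_privileges` are all assumptions of this example.

```python
import os
import pwd

# Constructed sample passwd(5)/group(5) text (an assumption of this example,
# not taken from any real system); it mirrors the "test" account from the
# test-service snippet: primary group testgrp, supplementary users and wheel.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
test:x:1001:999:test user:/home/test:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:test
wheel:x:998:test
testgrp:x:999:
"""


def parse_passwd(text):
    """Map user name -> (uid, primary gid) from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid = line.split(":")[:4]
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Map group name -> (gid, member names) from group(5)-formatted text."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")[:4]
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def expected_gids(user, users, groups):
    """The set initgroups(3)/getgrouplist(3) builds for USER: the primary gid
    plus every group whose member list names USER."""
    _uid, primary = users[user]
    return {primary} | {gid for gid, members in groups.values() if user in members}


def missing_group_names(user, users, groups, observed_gids):
    """Groups the account definition grants but a running process does not
    hold.  Feed it os.getgroups() from inside the service; a non-empty result
    is the single-group symptom shown in the thread."""
    by_gid = {gid: name for name, (gid, _members) in groups.items()}
    missing = expected_gids(user, users, groups) - set(observed_gids)
    return sorted(by_gid.get(gid, str(gid)) for gid in missing)


def drop_privileges(user, with_supplementary=True):
    """Switch the calling (root) process to USER and return its final gids.

    Order matters: the supplementary list and the primary gid can only be
    changed while still root, so they are set before setuid().  Skipping
    initgroups() and calling setgroups([gid]) leaves the child with exactly
    one group, the result the thread shows inside the service shell; calling
    neither would instead keep whatever groups the supervisor itself had."""
    if os.geteuid() != 0:
        raise PermissionError("dropping privileges requires euid 0")
    pw = pwd.getpwnam(user)
    if with_supplementary:
        os.initgroups(user, pw.pw_gid)   # primary gid + all groups listing USER
    else:
        os.setgroups([pw.pw_gid])        # deliberately only the one group
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Fail closed: if any id did not change, the drop did not take.
    if os.getuid() != pw.pw_uid or os.geteuid() != pw.pw_uid or os.getgid() != pw.pw_gid:
        raise RuntimeError("privilege drop failed")
    return sorted(set(os.getgroups()) | {os.getgid()})


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    groups = parse_group(SAMPLE_GROUP)
    # Inside the service shell the thread's `groups` printed only "users" (gid 100).
    print("missing:", missing_group_names("test", users, groups, [100]))
```

Run from inside the service (for example from the screen shell above) with the real /etc/passwd and /etc/group contents and `os.getgroups()` as the observed list, `missing_group_names` returns an empty list only when the account's supplementary groups reached the process. `drop_privileges` needs root and is not exercised by the check; the caveat worth keeping in mind is that the same setgroups()/initgroups() call that attaches the user's groups is also what discards the supervisor's own supplementary groups, so a launcher that omits it can leak the parent's groups into the child as well as lose the user's.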

* Re: Allow to add more than one group for service user
  2020-08-20  5:03       ` Reza Alizadeh Majd
@ 2020-08-20  6:04         ` Oleg Pykhalov
  2020-08-20 11:17           ` Reza Alizadeh Majd
From: Oleg Pykhalov @ 2020-08-20  6:04 UTC (permalink / raw)
  To: Reza Alizadeh Majd; +Cc: guix-devel


Hi,

Reza Alizadeh Majd <r.majd@pantherx.org> writes:

[…]

> using above snippet, I realized that the only group which is set to
> `#:group` parameter of `make-forkexec-constructor` (`users` in this
> test) is available for service.

Additional groups, which can be specified via ‘supplementary-groups’, will
be available to processes launched as services after Shepherd's next
release, which includes the merged patch https://issues.guix.info/41573

Oleg.



* Re: Allow to add more than one group for service user
  2020-08-20  6:04         ` Oleg Pykhalov
@ 2020-08-20 11:17           ` Reza Alizadeh Majd
From: Reza Alizadeh Majd @ 2020-08-20 11:17 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: guix-devel

Hi Oleg, 

Thanks for your response.

On Thu, 20 Aug 2020 09:04:36 +0300
Oleg Pykhalov <go.wigust@gmail.com> wrote:

> Additional groups, which can be specified via ‘supplementary-groups’,
> will be available to processes launched as services after Shepherd's
> next release, which includes the merged patch https://issues.guix.info/41573

Glad to hear that. I assume this could fix my issue, so I just need to
wait for the next release of Shepherd.

Regards, 
Reza

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/


