Hi Guix,

coming from this thread: https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html

I had defined a service that needs to run by a specific user. The application in question creates a Unix domain socket during start and changes the ownership of the socket file to a specific group.

The problem is that the daemon user (the user that runs the service) only detects its primary group and doesn't have permission to `chown` the socket file.

I also performed another test and ran a bash instance inside a `screen` using the service. When I check the user groups, I see that only the primary group is detected as a group for the service user.

I assume that this might be a bug in group assignment for the service user, or I might have missed something in the service definition.

kind regards,
Reza

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
Hi Reza,

This kind of message should probably go to guix-help instead. Can you send the user and groups definition you're using? Then we should see if there's anything wrong with it, or if we can reproduce the issue.

On 19 August 2020 3:46:59 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
> […]
Hi Julien,

On Wed, 19 Aug 2020 07:11:25 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> This kind of message should probably go to guix-help instead. Can you
> send your user and groups definition you're using? Then we should see
> if there's anything wrong with it, or if we can reproduce the issue.

Sorry for the interruption. Since I assumed this could be a bug, I continued the previous discussion on this mailing list; if you think `help-guix` is the proper place to discuss this issue, we can continue on the following thread:

https://lists.gnu.org/archive/html/help-guix/2020-07/msg00088.html

By the way, here are the user account and groups that I'm using for my service definition:

--8<---------------cut here---------------start------------->8---
(define %kyc-accounts
  (list (user-group (name "kyc-service"))
        (user-group (name "kyc-rpc"))
        (user-account
         (name "kyc-service")
         (group "kyc-service")
         (system? #f)
         (supplementary-groups '("wheel" "kyc-rpc" "video"))
         (comment "KYC service user"))))
--8<---------------cut here---------------end--------------->8---

Later I add these definitions using the `account-service-type` extension:

--8<---------------cut here---------------start------------->8---
(define kyc-service-type
  ...
  (extensions (list ...
                    (service-extension account-service-type
                                       (const %kyc-accounts))))
  ...
--8<---------------cut here---------------end--------------->8---
From what I understand, the generated /etc/group is correct, but logging in as kyc-service, even after a reboot, you don't see the additional groups?

On 19 August 2020 12:18:34 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
> […]
On Wed, 19 Aug 2020 14:13:43 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> From what I understand, the generated /etc/group is correct, but
> logging in as kyc-service, even after a reboot, you don't see the
> additional groups?

When I log in normally, using `su - kyc-service`, all groups are in place and I can see both the primary and supplementary groups using the `groups` command. But when I switch to a shell that is run by the service, the `groups` command shows me only the primary group of the user:

--8<---------------cut here---------------start------------->8---
sh-5.0$ whoami
kyc-service
sh-5.0$ groups
kyc-service
--8<---------------cut here---------------end--------------->8---
On Wed, 19 Aug 2020 14:13:43 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> From what I understand, the generated /etc/group is correct, but
> logging in as kyc-service, even after a reboot, you don't see the
> additional groups?

In order to replicate this issue I prepared a `test-service` that provides bash access inside a screen for a test user:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system)
             (gnu system shadow)
             (gnu packages admin)
             (gnu packages bash)
             (gnu packages base)
             (gnu packages screen)
             (gnu services shepherd)
             (guix gexp)
             (guix records)
             (ice-9 match))

(define-record-type* <test-configuration>
  test-configuration make-test-configuration
  test-configuration?
  (package test-configuration-package
           (default bash)))

(define test-shepherd-service
  (match-lambda
    (($ <test-configuration> package)
     (list (shepherd-service
            (provision '(test-service))
            (documentation "run a bash instance inside screen")
            (requirement '(user-processes))
            (start #~(make-forkexec-constructor
                      (list (string-append #$screen "/bin/screen")
                            "-D" "-m" "-S" "test-service"
                            (string-append #$package "/bin/sh"))
                      #:user "test"
                      #:group "users"))
            (stop #~(make-kill-destructor)))))))

(define (test-accounts config)
  "return the user accounts for test-service"
  (list (user-group (name "testgrp"))
        (user-account
         (name "test")
         (group "testgrp")
         (system? #t)
         (comment "test user")
         (supplementary-groups '("users" "wheel"))
         (home-directory "/home/test"))))

(define test-service-type
  (service-type
   (name 'test-service)
   (extensions
    (list (service-extension shepherd-root-service-type
                             test-shepherd-service)
          (service-extension account-service-type
                             test-accounts)))
   (default-value (test-configuration))))
--8<---------------cut here---------------end--------------->8---

Using the above snippet, I realized that the only group which is set via the `#:group` parameter of `make-forkexec-constructor` (`users` in this test) is available to the service.

--8<---------------cut here---------------start------------->8---
root@panther ~# su - test
-bash-5.0$ groups
testgrp users wheel
-bash-5.0$ screen -r test-service
sh-5.0$ groups
users
--8<---------------cut here---------------end--------------->8---
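The symptom in the session above is what a launcher produces when it switches gid and uid but never installs the user's supplementary group list: `setgid()` sets only the primary group, and the child otherwise keeps whatever supplementary set its parent had (for a child of PID 1 that is usually nothing, hence `groups` printing just `users`). The Python below is an added illustration of that mechanism on a generic POSIX system; it is not Shepherd's or Guix's code, the `/etc/group` contents are constructed to mirror the `test` account in this thread, and the `drop_privileges` helper (which needs root, and the `nobody` account used in the demo) is an assumption about how such a launcher is written, not a description of `make-forkexec-constructor`. It also gives the check a service can run at startup to confirm it really holds the groups it was promised.

```python
import grp
import os
import pwd

# Constructed /etc/group contents (not from any real system), mirroring the
# "test" account in the thread: primary group testgrp, supplementary
# groups users and wheel.
GROUP_DB = """\
root:x:0:
wheel:x:998:test
users:x:999:test
testgrp:x:1001:
video:x:986:
"""


def parse_group_db(text):
    """Parse /etc/group-style lines into {name: (gid, [members])}."""
    db = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        db[name] = (int(gid), [m for m in members.split(",") if m])
    return db


def expected_groups(user, primary_group, group_db=GROUP_DB):
    """GIDs the user should hold: the primary group plus every group whose
    member list names the user.  This is the set initgroups(3) installs;
    a launcher that only calls setgid() never computes it."""
    db = parse_group_db(group_db)
    gids = {db[primary_group][0]}
    gids.update(gid for gid, members in db.values() if user in members)
    return sorted(gids)


def missing_groups(held, expected):
    """Expected GIDs the process does not actually hold.  A non-empty result
    is the condition the thread observed: `groups` printing only the
    #:group value."""
    return sorted(set(expected) - set(held))


def current_groups():
    """GIDs this process holds right now (primary plus supplementary)."""
    return sorted({os.getgid(), *os.getgroups()})


def drop_privileges(user, group, init_groups=True):
    """Hypothetical launcher step: switch a root-started daemon to
    `user`/`group` and report which expected groups are still missing.
    Order matters: initgroups()/setgid() must run while still root, since
    they fail once the UID is unprivileged.  With init_groups=False the
    child keeps the parent's supplementary set (empty for a typical PID-1
    child, so only the primary group shows; if the parent held privileged
    groups they would leak into the child)."""
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    if init_groups:
        os.initgroups(user, gid)
    os.setgid(gid)
    os.setuid(uid)
    wanted = sorted({gid, *(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)})
    return missing_groups(current_groups(), wanted)


if __name__ == "__main__":
    want = expected_groups("test", "testgrp")
    print("groups the service user should hold:", want)
    # A launcher that only passes #:group "users" (gid 999) and skips
    # initgroups leaves the child holding just that gid.
    print("missing under setgid-only launch:", missing_groups([999], want))
    if os.geteuid() == 0:
        # Demo on the local "nobody" account; assumes it exists.
        nobody = pwd.getpwnam("nobody")
        group_name = grp.getgrgid(nobody.pw_gid).gr_name
        print("missing after drop_privileges:", drop_privileges("nobody", group_name))
```

Running this unprivileged only exercises the pure functions; the `missing_groups([999], want)` line reproduces the thread's observation (gid 999 held, `testgrp` and `wheel` absent). A service that depends on a supplementary group for socket ownership can call the same `missing_groups` check against `current_groups()` at startup and refuse to continue when the result is non-empty, rather than failing later on `chown`.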
Hi,

Reza Alizadeh Majd <r.majd@pantherx.org> writes:

[…]

> using above snippet, I realized that the only group which is set to
> `#:group` parameter of `make-forkexec-constructor` (`users` in this
> test) is available for service.

Additional groups which could be specified via ‘supplementary-groups’ will be available for processes launched as services after Shepherd's next release with merged patch https://issues.guix.info/41573

Oleg.
Hi Oleg,

Thanks for your response.

On Thu, 20 Aug 2020 09:04:36 +0300
Oleg Pykhalov <go.wigust@gmail.com> wrote:

> Additional groups which could be specified via ‘supplementary-groups’
> will be available for processes launched as services after Shepherd's
> next release with merged patch https://issues.guix.info/41573

Glad to hear about that. I assume this could fix my issue, so I just need to wait for the next release of Shepherd.

Regards,
Reza