* User group during build process
@ 2022-07-24 14:00 Maya
2022-07-24 14:14 ` Tobias Geerinckx-Rice
0 siblings, 1 reply; 5+ messages in thread
From: Maya @ 2022-07-24 14:00 UTC (permalink / raw)
To: guix-devel@gnu.org
Hi,
I have been setting up a mail server on my Guix machine and I have found a bug. The smtpctl command from the opensmtpd package needs to be owned by the smtpq group.
The problem is that this group is added by opensmtp-service, but it is required during the build process, as can be seen here: http://ci.guix.gnu.org/build/748270/log/raw (search for chgrp).
I write to you since I’m not sure how to fix it idiomatically. Here are my solutions:
a) smtpq can be a system group that exists on all guix machines
b) smtpq will get a static gid, the build process will create a dummy group with that gid, chgrp the file to that group and the opensmtp-service-type will create user-group smtpq with that static gid (I don't know if there’s an index of reserved Guix gids)
c) patch the upstream opensmtpd
With all the best,
Maya
* Re: User group during build process
2022-07-24 14:00 User group during build process Maya
@ 2022-07-24 14:14 ` Tobias Geerinckx-Rice
2022-07-24 16:19 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
0 siblings, 1 reply; 5+ messages in thread
From: Tobias Geerinckx-Rice @ 2022-07-24 14:14 UTC (permalink / raw)
To: Maya, guix-devel@gnu.org
Hi Maya!
So... You cannot change group ownership in the store. There are no additional user groups in the build environment. The chgrp failing is by design ('it's a feature, not a bug'), and there's no way to subvert this. The group is not required during the build process.
The correct way to make smtpctl setgid is to use Guix System's setuid-programs field, and use (setgid? #t) (group "smtpq") for smtpctl.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
* Re: User group during build process
2022-07-24 14:14 ` Tobias Geerinckx-Rice
@ 2022-07-24 16:19 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2022-07-24 19:17 ` Maya
0 siblings, 1 reply; 5+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2022-07-24 16:19 UTC (permalink / raw)
To: Maya; +Cc: guix-devel@gnu.org
Hi,
On Sun, Jul 24, 2022 at 7:14 AM Tobias Geerinckx-Rice <me@tobias.gr> wrote:
>
> The correct way to make smtpctl setgid is to use Guix System's setuid-programs field, and use (setgid? #t) (group "smtpq") for smtpctl.
In line with TGR's recommendation, the snippet below works locally.
Kind regards
Felix Lechner
* * *
    (setuid-programs
     (append (list
              (setuid-program
               (program (file-append opensmtpd "/sbin/smtpctl"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq"))
              (setuid-program
               (program (file-append opensmtpd "/sbin/sendmail"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq"))
              (setuid-program
               (program (file-append opensmtpd "/sbin/send-mail"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq"))
              (setuid-program
               (program (file-append opensmtpd "/sbin/makemap"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq"))
              (setuid-program
               (program (file-append opensmtpd "/sbin/mailq"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq"))
              (setuid-program
               (program (file-append opensmtpd "/sbin/newaliases"))
               (setuid? #false)
               (setgid? #true)
               (group "smtpq")))
             %setuid-programs))
* Re: User group during build process
2022-07-24 16:19 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2022-07-24 19:17 ` Maya
2022-07-24 19:57 ` Tobias Geerinckx-Rice
0 siblings, 1 reply; 5+ messages in thread
From: Maya @ 2022-07-24 19:17 UTC (permalink / raw)
To: Felix Lechner; +Cc: guix-devel@gnu.org
Hi!
Thank you both for the responses. Although I wanted to ask you, can I use the setuid-program-service-type?
If yes, shouldn’t opensmtpd-service-type already extend setuid-program-service-type with appropriate setuids? As it is right now, it renders smtpctl unusable.
With all the best wishes,
Maya
* Re: User group during build process
2022-07-24 19:17 ` Maya
@ 2022-07-24 19:57 ` Tobias Geerinckx-Rice
0 siblings, 0 replies; 5+ messages in thread
From: Tobias Geerinckx-Rice @ 2022-07-24 19:57 UTC (permalink / raw)
To: Maya, Felix Lechner; +Cc: guix-devel@gnu.org
Hiya,
On 24 July 2022 19:17:29 UTC, Maya <maya.omase@protonmail.com> wrote:
> shouldn’t opensmtpd-service-type already extend setuid-program-service-type with appropriate setuids?
A matter of taste (I disagree with your characterisation 'useless'!), but I certainly wouldn't mind. Plenty of services do this for convenience nowadays.
You seem to be familiar with the mechanisms needed; would you like to propose a patch?
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
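
Added example, not part of any message in this thread and not code from the Guix project: the setuid-program-service-type extension Maya asks about, written as a simple-service for a user's own system configuration. The names `smtpq-setgid`, `opensmtpd-setgid` and `%opensmtpd-setgid-service` are made up for illustration; the program list is the one from Felix Lechner's snippet.

```scheme
;; Added example: extend setuid-program-service-type from a service
;; instead of editing the operating-system's setuid-programs field.
(use-modules (gnu)
             (gnu system setuid)
             (guix gexp))
(use-package-modules mail)
(use-service-modules mail)

;; Hypothetical helper: build one setgid-only entry for an OpenSMTPD
;; binary.  The store item itself stays root-owned and unprivileged;
;; Guix System installs the privileged copy at activation time, when
;; the smtpq group exists.
(define (smtpq-setgid name)
  (setuid-program
   (program (file-append opensmtpd "/sbin/" name))
   (setuid? #false)                ; no setuid root, group access only
   (setgid? #true)
   (group "smtpq")))

;; Hypothetical service name.  The extension value is a list of
;; setuid-program records, merged with %setuid-programs by the
;; service machinery.
(define %opensmtpd-setgid-service
  (simple-service 'opensmtpd-setgid
                  setuid-program-service-type
                  (map smtpq-setgid
                       '("smtpctl" "sendmail" "send-mail"
                         "makemap" "mailq" "newaliases"))))

;; In the operating-system declaration, next to the mail service that
;; creates the smtpq group:
;;
;;   (services
;;    (cons* (service opensmtpd-service-type)
;;           %opensmtpd-setgid-service
;;           %base-services))
```

Trimming the list to only the binaries that actually need queue access keeps the number of setgid entry points as small as possible.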
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git