unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* User group during build process
@ 2022-07-24 14:00 Maya
  2022-07-24 14:14 ` Tobias Geerinckx-Rice
  0 siblings, 1 reply; 5+ messages in thread
From: Maya @ 2022-07-24 14:00 UTC (permalink / raw)
  To: guix-devel@gnu.org

[-- Attachment #1: Type: text/plain, Size: 830 bytes --]

Hi,

I have been setting up mail server on my guix machine and I have found a bug. The smtpctl command from the opensmptd package requires to be owned by the smtpq group.

The problem is, that this group is added by opensmtp-service, but it is required during the build process as can be seen here http://ci.guix.gnu.org/build/748270/log/raw (search for chgrp)

I write to you since I’m not sure how to fix it idiomatically. Here are my solutions:

a) smtpq can be a system group that exists on all guix machines
b) smtpq will get a static gid, the build process will create a dummy group with that gid, chgrp the file to that group and the opensmtp-service-type will create user-group smtpq with that static gid (i dont know if there’s an index of reserved guix gids)
c) patch the upstream opensmtpd

With all the best,

Maya

[-- Attachment #2: Type: text/html, Size: 1113 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: User group during build process
  2022-07-24 14:00 User group during build process Maya
@ 2022-07-24 14:14 ` Tobias Geerinckx-Rice
  2022-07-24 16:19   ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  0 siblings, 1 reply; 5+ messages in thread
From: Tobias Geerinckx-Rice @ 2022-07-24 14:14 UTC (permalink / raw)
  To: Maya, guix-devel@gnu.org

Hi Maya!

So... You cannot change group ownership in the store.  There are no additional user groups in the build environment.  The chgrp failing is by design ('it's a feature, not a bug'), and there's no way to subvert this.  The group is not required during the build process.

The correct way to make smtpctl setgid is to use Guix System's setuid-programs field, and use (setgid? #t) (group "smtpq") for smtpctl.

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: User group during build process
  2022-07-24 14:14 ` Tobias Geerinckx-Rice
@ 2022-07-24 16:19   ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
  2022-07-24 19:17     ` Maya
  0 siblings, 1 reply; 5+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2022-07-24 16:19 UTC (permalink / raw)
  To: Maya; +Cc: guix-devel@gnu.org

Hi,

On Sun, Jul 24, 2022 at 7:14 AM Tobias Geerinckx-Rice <me@tobias.gr> wrote:
>
> The correct way to make smtpctl setgid is to use Guix System's setuid-programs field, and use (setgid? #t) (group "smtpq") for smtpctl.

In line with TGR's recommendation, the snippet below works locally.

Kind regards
Felix Lechner

* * *

  (setuid-programs
   (append (list

            (setuid-program
             (program (file-append opensmtpd "/sbin/smtpctl"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq"))

            (setuid-program
             (program (file-append opensmtpd "/sbin/sendmail"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq"))

            (setuid-program
             (program (file-append opensmtpd "/sbin/send-mail"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq"))

            (setuid-program
             (program (file-append opensmtpd "/sbin/makemap"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq"))

            (setuid-program
             (program (file-append opensmtpd "/sbin/mailq"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq"))

            (setuid-program
             (program (file-append opensmtpd "/sbin/newaliases"))
             (setuid? #false)
             (setgid? #true)
             (group "smtpq")))

             %setuid-programs))


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: User group during build process
  2022-07-24 16:19   ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2022-07-24 19:17     ` Maya
  2022-07-24 19:57       ` Tobias Geerinckx-Rice
  0 siblings, 1 reply; 5+ messages in thread
From: Maya @ 2022-07-24 19:17 UTC (permalink / raw)
  To: Felix Lechner; +Cc: guix-devel@gnu.org

[-- Attachment #1: Type: text/plain, Size: 301 bytes --]

Hi!

Thank you both for the responses. Although I wanted to ask you, can I use the setuid-program-service-type?

If yes, shouldn’t opensmtpd-service-type already extend setuid-program-service-type with appropriate setuids? As it right now renders smtpctl unusable.

With all the best wishes,
Maya

>

[-- Attachment #2: Type: text/html, Size: 519 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: User group during build process
  2022-07-24 19:17     ` Maya
@ 2022-07-24 19:57       ` Tobias Geerinckx-Rice
  0 siblings, 0 replies; 5+ messages in thread
From: Tobias Geerinckx-Rice @ 2022-07-24 19:57 UTC (permalink / raw)
  To: Maya, Felix Lechner; +Cc: guix-devel@gnu.org

Hiya,

On 24 July 2022 19:17:29 UTC, Maya <maya.omase@protonmail.com> wrote:
> shouldn’t opensmtpd-service-type already extend setuid-program-service-type with appropriate setuids?

A matter of taste (I disagree with your characterisation 'useless'!), but I certainly wouldn't mind.  Plenty of services do this for convenience nowadays.

You seem to be familiar with the mechanisms needed; would you like to propose a patch?

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-07-24 20:00 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-07-24 14:00 User group during build process Maya
2022-07-24 14:14 ` Tobias Geerinckx-Rice
2022-07-24 16:19   ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2022-07-24 19:17     ` Maya
2022-07-24 19:57       ` Tobias Geerinckx-Rice

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).