From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#41573] [PATCH Shepherd] shepherd: service: Add #:supplementary-groups.
From: Oleg Pykhalov
To: Ludovic Courtès
Cc: 41573@debbugs.gnu.org
Date: Fri, 19 Jun 2020 04:28:57 +0300
Message-ID: <871rmb4zdy.fsf@gmail.com>
In-Reply-To: <87mu55s72d.fsf@gnu.org> (Ludovic Courtès's message of "Sun, 14 Jun 2020 22:53:14 +0200")
References: <87a71sbpr4.fsf@gmail.com> <87mu55s72d.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hello,

Ludovic Courtès writes:

> Oleg Pykhalov skribis:
>
>> From 5718eb5f4130530b48df896d7f7e4a126e08428a Mon Sep 17 00:00:00 2001
>> From: Oleg Pykhalov
>> Date: Sun, 24 May 2020 20:30:27 +0300
>> Subject: [PATCH] service: Add #:supplementary-groups.
>>
>> * modules/shepherd/service.scm (format-supplementary-groups): New procedure.
>> (exec-command, fork+exec-command, make-forkexec-constructor): Add
>> '#:supplementary-groups'.
>> * doc/shepherd.texi (Service De- and Constructors): Document this.
>
> [...]
>
>> +(define (format-supplementary-groups supplementary-groups)
>> + (if (vector? supplementary-groups)
>> + supplementary-groups
>> + (list->vector (map (lambda (group) (group:gid (getgr group)))
>> + supplementary-groups))))
>
> Perhaps we should remove the ‘vector?’ case, no?  I find it clearer when
> the interface accepts just one single data type.

OK.

> Apart from that, it LGTM!
>
> Note that for compatibility reasons we’ll have to wait before using it
> in Guix System.

No problem.  I updated the patch and tested it again with make check and
reconfiguring my system.

[Attachment: 0001-service-Add-supplementary-groups.patch]

From 20a08c750c4d6126d36835c64fed211299cb03e3 Mon Sep 17 00:00:00 2001
From: Oleg Pykhalov
Date: Sun, 24 May 2020 20:30:27 +0300
Subject: [PATCH] service: Add #:supplementary-groups.

* modules/shepherd/service.scm (format-supplementary-groups): New procedure.
(exec-command, fork+exec-command, make-forkexec-constructor): Add
'#:supplementary-groups'.
* doc/shepherd.texi (Service De- and Constructors): Document this.
---
 doc/shepherd.texi | 39 +++++++++++++++++++++---------------
 modules/shepherd/service.scm | 12 ++++++++++-
 2 files changed, 34 insertions(+), 17 deletions(-)

diff --git a/doc/shepherd.texi b/doc/shepherd.texi
index 1de49af..18f1a4d 100644
--- a/doc/shepherd.texi
+++ b/doc/shepherd.texi
@@ -11,7 +11,8 @@ @copying Copyright @copyright{} @value{OLD-YEARS} Wolfgang J@"ahrling@* Copyright @copyright{} @value{NEW-YEARS} Ludovic Court=C3=A8s@* =2DCopyright @copyright{} 2020 Brice Waegeneire +Copyright @copyright{} 2020 Brice Waegeneire@* +Copyright @copyright{} 2020 Oleg Pykhalov =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -893,21 +894,24 @@ execution of the @var{command} was successful, @code{= #t} if not. @deffn {procedure} make-forkexec-constructor @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:pid-file #f] [#:pid-file-timeout (default-pid-file-timeout)] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] Return a procedure that forks a child process, closes all file =2Ddescriptors except the standard output and standard error descriptors, s= ets =2Dthe current directory to @var{directory}, sets the umask to =2D@var{file-creation-mask} unless it is @code{#f}, changes the environment= to =2D@var{environment-variables} (using the @code{environ} procedure), sets t= he =2Dcurrent user to @var{user} and the current group to @var{group} unless t= hey =2Dare @code{#f}, and executes @var{command} (a list of strings.) The resu= lt of =2Dthe procedure will be the PID of the child process. Note that this will =2Dnot work as expected if the process ``daemonizes'' (forks); in that =2Dcase, you will need to pass @code{#:pid-file}, as explained below. +descriptors except the standard output and standard error descriptors, +sets the current directory to @var{directory}, sets the umask to +@var{file-creation-mask} unless it is @code{#f}, changes the environment +to @var{environment-variables} (using the @code{environ} procedure), +sets the current user to @var{user} the current group to @var{group} +unless they are @code{#f} and supplementary groups to +@var{supplementary-groups} unless they are @code{'()}, and executes +@var{command} (a list of strings.) The result of the procedure will be +the PID of the child process. Note that this will not work as expected +if the process ``daemonizes'' (forks); in that case, you will need to +pass @code{#:pid-file}, as explained below. 
=20 When @var{pid-file} is true, it must be the name of a PID file associated with the process being launched; the return value is the PID @@ -937,6 +941,7 @@ procedures. @deffn {procedure} exec-command @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:log-file #f] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ @@ -944,6 +949,7 @@ procedures. @deffnx {procedure} fork+exec-command @var{command} @ [#:user #f] @ [#:group #f] @ + [#:supplementary-groups '()] @ [#:directory (default-service-directory)] @ [#:file-creation-mask #f] @ [#:environment-variables (default-environment-variables)] @@ -955,12 +961,13 @@ if it's true, whereas file descriptor 0 (standard input) points to @file{/dev/null}; all other file descriptors are closed prior to yielding control to @var{command}. =20 =2DBy default, @var{command} is run as the current user. If the =2D@var{user} keyword argument is present and not false, change to =2D@var{user} immediately before invoking @var{command}. @var{user} may =2Dbe a string, indicating a user name, or a number, indicating a user =2DID. Likewise, @var{command} will be run under the current group, =2Dunless the @var{group} keyword argument is present and not false. +By default, @var{command} is run as the current user. If the @var{user} +keyword argument is present and not false, change to @var{user} +immediately before invoking @var{command}. @var{user} may be a string, +indicating a user name, or a number, indicating a user ID. Likewise, +@var{command} will be run under the current group, unless the +@var{group} keyword argument is present and not false, and +supplementary-groups is not '(). =20 @code{fork+exec-command} does the same as @code{exec-command}, but in a separate process whose PID it returns. diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm index 347b8cc..587ff68 100644 =2D-- a/modules/shepherd/service.scm +++ b/modules/shepherd/service.scm 
@@ -6,6 +6,7 @@ ;; Copyright (C) 2018 Carlo Zancanaro ;; Copyright (C) 2019 Ricardo Wurmus ;; Copyright (C) 2020 Mathieu Othacehe +;; Copyright (C) 2020 Oleg Pykhalov ;; ;; This file is part of the GNU Shepherd. ;; @@ -773,10 +774,15 @@ daemon writing FILE is running in a separate PID name= space." (try-again) (apply throw args))))))) =20 +(define (format-supplementary-groups supplementary-groups) + (list->vector (map (lambda (group) (group:gid (getgr group))) + supplementary-groups))) + (define* (exec-command command #:key (user #f) (group #f) + (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f) @@ -832,7 +838,7 @@ false." (catch #t (lambda () ;; Clear supplementary groups. =2D (setgroups #()) + (setgroups (format-supplementary-groups supplementary-groups)) (setgid (group:gid (getgr group)))) (lambda (key . args) (format (current-error-port) @@ -879,6 +885,7 @@ false." #:key (user #f) (group #f) + (supplementary-groups '()) (log-file #f) (directory (default-service-directory)) (file-creation-mask #f) @@ -909,6 +916,7 @@ its PID." (exec-command command #:user user #:group group + #:supplementary-groups supplementary-groups #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask @@ -919,6 +927,7 @@ its PID." #:key (user #f) (group #f) + (supplementary-groups '()) (directory (default-service-directory)) (environment-variables (default-environment-variables)) 
@@ -956,6 +965,7 @@ start." (let ((pid (fork+exec-command command #:user user #:group group + #:supplementary-groups supplementary-gro= ups #:log-file log-file #:directory directory #:file-creation-mask file-creation-mask =2D-=20 2.26.2
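Review bot: the clause `and supplementary-groups is not '().` at the end of the `@@ -955,12 +961,13 @@` hunk is grammatically detached from its sentence and is the only part of the paragraph without Texinfo markup (`@var{supplementary-groups}`, `@code{'()}`). It also reads as if an empty list left the supplementary groups alone, whereas the service.scm hunk passes `(format-supplementary-groups '())`, i.e. `#()`, to `setgroups`, which clears them exactly as the old `(setgroups #())` did. Suggest a separate sentence: `The supplementary groups of the process are set to @var{supplementary-groups}, a list of group names or IDs; when it is empty (the default), they are cleared.`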
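Review bot: `format-supplementary-groups` in the `@@ -773,10 +774,15 @@` hunk of modules/shepherd/service.scm has no docstring, unlike the surrounding procedures, and the name suggests string formatting rather than name-to-GID resolution. Suggest a docstring such as `Return a vector of GIDs for SUPPLEMENTARY-GROUPS, a list of group names or numeric IDs.` and consider a name like `supplementary-groups->gid-vector`. Worth noting in that docstring that `getgr` raises an exception for an unknown group name, so a typo in a service definition becomes an error at start time; for a privilege-dropping path that is the desired behaviour (better than silently running with the wrong groups).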
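Review bot: the comment `;; Clear supplementary groups.` directly above the changed line in the `@@ -832,7 +838,7 @@` hunk is now misleading, since the call installs the configured list and only clears the groups when that list is empty; suggest `;; Set supplementary groups (cleared when SUPPLEMENTARY-GROUPS is empty).` Two things this hunk does not show and that should be confirmed: first, the `catch #t` handler's visible part only writes to `current-error-port`, so if `getgr` or `setgroups` fails the child must not go on to exec the command with the supplementary groups it inherited from the parent (normally root's); second, if this `catch` form sits under a `(when group ...)` guard, `#:supplementary-groups` is silently ignored whenever `#:group` is `#f`, while the texi hunks describe the two options as independent.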