From: "Thompson, David"
To: Arun Isaac
Cc: Christopher Baines, Ludovic Courtès, 67288@debbugs.gnu.org
Subject: [bug#67288] [PATCH] services: laminar: Add configuration option for supplementary groups
Date: Sat, 25 Nov 2023 19:16:47 -0500
In-Reply-To: <87il5pcrjc.fsf@systemreboot.net>
References: <87leal4zz1.fsf@gnu.org> <87il5pcrjc.fsf@systemreboot.net>

Hi Arun,

On Sat, Nov 25, 2023 at 7:00 PM Arun Isaac wrote:
>
> > Hi,
> >
> >> I started using Laminar CI for my personal server, but I had trouble
> >> with the current system service. My server is configured to only allow
> >> members of the "git" group access to the Git repositories, so the CI
> >> job running as the "laminar" user couldn't do anything useful. This
> >> patch adds a new configuration field for a list of supplementary
> >> groups to be used for the "laminar" user and the service process.
> >
> > Cc'ing Arun and Chris, who know better than me. Is this a problem they
> > worked around so far?
>
> This kind of problem requiring supplementary groups exists with many of
> our services, not just the laminar service. I don't run into trouble
> with the laminar service because git repos on my servers are usually
> publicly readable by all users (including the laminar user).

I figured the existing users of this service had something like this
going on. I don't want to make the permissions looser on my own server,
though.

> To provide another example, I have similar trouble with our nginx
> service not being able to access Unix sockets created by our fcgiwrap
> service. Now, I work around this by having a special fcgiwrap service in
> guix-forge[1]. This special guix-forge fcgiwrap service differs from the
> guix fcgiwrap service in that it creates separate fcgiwrap instances for
> each web application each with its own explicitly specified permissions.

I also hack the nginx service to make the nginx user part of the git
group:

https://git.dthompson.us/guix-config/tree/takemi-os.scm#n20

This hack causes all sorts of annoying side effects, which is why I
didn't want to go through it all again for the laminar service.

> [1]: https://git.systemreboot.net/guix-forge/tree/guix/forge/fcgiwrap.scm
>
> I don't think the solution to this problem is to add a
> `supplementary-groups' field to all our services. I'm not sure how, but
> we need to compose things better. If we don't, we may find we need to
> add some other field in the future and quickly be in a combinatorial
> explosion.

I agree that this indicates a missing means of composition, but in the
short term I think it's fine to do simple things that help people out
even though it's not the "right thing".

> Thinking out loud, the Guix service configuration system is really a
> propagator network. So, maybe, the solution is to allow one service to
> *extend* another service by specifying what supplementary groups it
> should be a part of. This is more flexible than simply adding a
> configuration field. Sorry to be quite vague here. Does this make any
> sense? Happy to chat more.

Providing a way to modify user accounts in services would be great! It's
not a problem I can work on solving, though, at least not now.

- Dave