From: Julien Lepiller <julien@lepiller.eu>
To: help-guix@gnu.org,Reza Alizadeh Majd <r.majd@pantherx.org>
Subject: Re: set permission/ownership for files generated by service
Date: Mon, 13 Jul 2020 22:01:47 -0400 [thread overview]
Message-ID: <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu> (raw)
In-Reply-To: <20200714044809.5ffc4553@panther-arch.localdomain>
On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
>Hi Guix,
>
>I'm working on a custom service for an application. This application
>uses a unix socket for communication, and for security purposes I change
>the owner group of this socket file so that only applications run by
>members of this specific group can access this socket file.
>
>Running the application manually, everything is OK and the socket file is
>created with the desired permissions, but when I try to run this
>application as a service, I receive a permission error during the ownership
>modification.
>
>My service definition is as follows:
>
>
>--8<---------------cut here---------------start------------->8---
>(define-record-type* <kyc-configuration>
>  kyc-configuration make-kyc-configuration
>  kyc-configuration?
>  (package kyc-configuration-package
>           (default kyc))
>  (user kyc-configuration-user
>        (default "kyc-service"))
>  (group kyc-configuration-group
>         (default "kyc-service")))
>
>(define %kyc-accounts
>  (list (user-group (name "kyc-service"))
>        (user-group (name "kyc-rpc"))
>        (user-account
>         (name "kyc-service")
>         (group "kyc-service")
>         (system? #f)
>         (supplementary-groups '("wheel" "kyc-rpc" "video"))
>         (comment "KYC service user"))))
>
>(define kyc-shepherd-service
>  (match-lambda
>    (($ <kyc-configuration> package user group)
>     (list (shepherd-service
>            (provision '(kyc))
>            (documentation "Run KYC as a daemon.")
>            (requirement '(networking user-processes))
>            (modules `((srfi srfi-1)
>                       (srfi srfi-26)
>                       ,@%default-modules))
>            (start #~(make-forkexec-constructor
>                      (list
>                       (string-append #$package "/bin/kyc"))
>                      #:user #$user
>                      #:group #$group
>                      #:environment-variables
>                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
>                            (string-append "HOME=" "/home/" #$user))))
>            (stop #~(make-kill-destructor)))))))
>
>(define kyc-service-type
>  (service-type
>   (name 'kyc)
>   (extensions (list (service-extension shepherd-root-service-type
>                                        kyc-shepherd-service)
>                     (service-extension account-service-type
>                                        (const %kyc-accounts))))
>   (default-value (kyc-configuration))))
>
>--8<---------------cut here---------------end--------------->8---
>
>Is there anything that I missed in this service definition?
I don't see in your snippet where you create the socket or where you change ownership of it, so I don't really understand what is going wrong.
Maybe the service itself is responsible for creating the socket and changing ownership? In that case, I wouldn't use #:user or #:group, as these will run the service as the unprivileged user from the start, instead of running it as root and letting it change user after it has set things up.
If you want to create the socket yourself, why not use an activation-service-type?
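One way to follow the activation-service-type suggestion, written here as an added example rather than code from the thread: an activation snippet, which runs as root at boot, pre-creates the socket's parent directory with the owner, group and mode that enforce the group restriction, so the daemon can keep running unprivileged under #:user/#:group and never needs to chown the socket itself. It reuses kyc-configuration, %kyc-accounts and kyc-shepherd-service from the quoted message; the directory /var/run/kyc and the use of kyc-rpc as the client group are assumptions.

```scheme
;; Added example, not code from the thread.  Assumes the modules used by
;; the quoted snippet plus (gnu services) for activation-service-type.

(define %kyc-socket-dir "/var/run/kyc")   ; assumed path, not in the thread

(define (kyc-activation config)
  ;; Activation gexps run as root before shepherd starts 'kyc', so this
  ;; is the place for privileged setup the unprivileged daemon cannot do.
  #~(begin
      (use-modules (guix build utils))
      (let ((uid (passwd:uid (getpwnam #$(kyc-configuration-user config))))
            ;; Clients must be members of kyc-rpc (assumed role) to traverse
            ;; the directory, and therefore to reach the socket inside it.
            (gid (group:gid (getgrnam "kyc-rpc"))))
        (mkdir-p #$%kyc-socket-dir)
        (chown #$%kyc-socket-dir uid gid)
        ;; rwxrwx---: the daemon (owner) and group kyc-rpc only.  The daemon
        ;; then creates its socket in here; with a umask of 007 the socket
        ;; is group-writable and the directory mode keeps everyone else out.
        (chmod #$%kyc-socket-dir #o770))))

(define kyc-service-type
  (service-type
   (name 'kyc)
   (extensions (list (service-extension shepherd-root-service-type
                                        kyc-shepherd-service)
                     (service-extension account-service-type
                                        (const %kyc-accounts))
                     ;; New: directory setup done as root during activation.
                     (service-extension activation-service-type
                                        kyc-activation)))
   (default-value (kyc-configuration))))
```

With this in place the daemon keeps running as kyc-service:kyc-service and only has to bind the socket at /var/run/kyc/<name>; no ownership change from inside the service is required.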
Thread overview: 8+ messages
2020-07-14 0:18 set permission/ownership for files generated by service Reza Alizadeh Majd
2020-07-14 2:01 ` Julien Lepiller [this message]
2020-07-14 8:24 ` Reza Alizadeh Majd
2020-07-14 9:10 ` Efraim Flashner
2020-07-14 11:24 ` Reza Alizadeh Majd
2020-07-14 12:16 ` Reza Alizadeh Majd
2020-07-14 12:36 ` Efraim Flashner
2020-07-14 20:05 ` Reza Alizadeh Majd