Re: set permission/ownership for files generated by service

[Julien Lepiller <julien@lepiller.eu>]

Le 13 juillet 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> a écrit :
>Hi Guix, 
>
>I'm working on a custom service for an application, this application
>use a unix socket for communication, and for security purpose I change
>the owner group for this socket file and only applications that run by
>members of this specific group can access to this socket file.
>
>running the application manually, everything is OK and socket file is
>created with desired permissions, but when I try to run this
>application as a service, I receive permission error during ownership
>modification.
>
>my service definition is as follows:
>
>
>--8<---------------cut here---------------start------------->8---
>(define-record-type* <kyc-configuration>
>  kyc-configuration make-kyc-configuration
>  kyc-configuration?
>  (package kyc-configuration-package
>           (default kyc))
>  (user kyc-configuration-user
>        (default "kyc-service"))
>  (group kyc-configuration-group
>         (default "kyc-service")))
>
>(define %kyc-accounts
>  (list (user-group (name "kyc-service"))
>        (user-group (name "kyc-rpc"))
>        (user-account
>          (name "kyc-service")
>          (group "kyc-service")
>          (system? #f)
>          (supplementary-groups '("wheel" "kyc-rpc" "video"))
>          (comment "KYC service user"))))
>
>(define kyc-shepherd-service
>  (match-lambda
>    (($ <kyc-configuration> package user group)
>      (list (shepherd-service
>              (provision '(kyc))
>              (documentation "Run KYC as a daemon.")
>              (requirement '(networking user-processes))
>              (modules `((srfi srfi-1)
>                                (srfi srfi-26)
>                                ,@%default-modules))
>              (start #~(make-forkexec-constructor
>                        (list
>                           (string-append #$package "/bin/kyc"))
>                        #:user #$user
>                        #:group #$group
>                        #:environment-variables
>     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
>                             (string-append "HOME=" "/home/" #$user))))
>              (stop #~(make-kill-destructor)))))))
>
>(define kyc-service-type
>  (service-type
>    (name 'kyc)
>    (extensions (list (service-extension shepherd-root-service-type
>                                                  kyc-shepherd-service)
>                             (service-extension account-service-type
>                                               (const %kyc-accounts))))
>    (default-value (kyc-configuration))))
>
>--8<---------------cut here---------------end--------------->8---
>
>is there anything that I missed for this service definition? 

I don't see in your snippet where you create the socket or where you change ownership of it, so I don't really understand what is going wrong.

Maybe the service itself is responsible for creating the socket and changing ownership? In that case, I wouldn't use #:uses or #:group, as these will run the service as the unpriviledged user from the start, instead of running it as root and letting it change user after it's set up things.

If you want to create the socket yourself, why not use an activation-service-type?