From: Julien Lepiller <julien@lepiller.eu>
To: help-guix@gnu.org, Reza Alizadeh Majd
Subject: Re: set permission/ownership for files generated by service
Date: Mon, 13 Jul 2020 22:01:47 -0400
Message-ID: <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu>
In-Reply-To: <20200714044809.5ffc4553@panther-arch.localdomain>

On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd wrote:
> Hi Guix,
>
> I'm working on a
> custom service for an application. This application uses a unix socket
> for communication, and for security purposes I change the owner group of
> this socket file, so that only applications that are run by members of
> this specific group can access this socket file.
>
> Running the application manually, everything is OK and the socket file
> is created with the desired permissions, but when I try to run this
> application as a service, I receive a permission error during ownership
> modification.
>
> My service definition is as follows:
>
> --8<---------------cut here---------------start------------->8---
> ;; Modules the snippet relies on (gexps, records, shepherd and account
> ;; services, and coreutils for the PATH below).
> (use-modules (gnu services)
>              (gnu services shepherd)
>              (gnu system shadow)
>              (gnu packages base)
>              (guix gexp)
>              (guix records)
>              (ice-9 match))
>
> ;; <kyc-configuration> is the record type name; the angle brackets were
> ;; lost when the message was archived.
> (define-record-type* <kyc-configuration>
>   kyc-configuration make-kyc-configuration
>   kyc-configuration?
>   (package kyc-configuration-package
>            (default kyc))
>   (user    kyc-configuration-user
>            (default "kyc-service"))
>   (group   kyc-configuration-group
>            (default "kyc-service")))
>
> ;; Service user plus the group that is allowed to talk to the socket.
> (define %kyc-accounts
>   (list (user-group (name "kyc-service"))
>         (user-group (name "kyc-rpc"))
>         (user-account
>          (name "kyc-service")
>          (group "kyc-service")
>          (system? #f)
>          (supplementary-groups '("wheel" "kyc-rpc" "video"))
>          (comment "KYC service user"))))
>
> (define kyc-shepherd-service
>   (match-lambda
>     (($ <kyc-configuration> package user group)
>      (list (shepherd-service
>             (provision '(kyc))
>             (documentation "Run KYC as a daemon.")
>             (requirement '(networking user-processes))
>             (modules `((srfi srfi-1)
>                        (srfi srfi-26)
>                        ,@%default-modules))
>             ;; The daemon is started directly as USER/GROUP, so it never
>             ;; runs as root.
>             (start #~(make-forkexec-constructor
>                       (list (string-append #$package "/bin/kyc"))
>                       #:user #$user
>                       #:group #$group
>                       #:environment-variables
>                       (list (string-append "PATH=" #$coreutils "/bin:"
>                                            (getenv "PATH"))
>                             (string-append "HOME=" "/home/" #$user))))
>             (stop #~(make-kill-destructor)))))))
>
> (define kyc-service-type
>   (service-type
>    (name 'kyc)
>    (extensions (list (service-extension shepherd-root-service-type
>                                         kyc-shepherd-service)
>                      (service-extension account-service-type
>                                         (const %kyc-accounts))))
>    (default-value (kyc-configuration))))
> --8<---------------cut here---------------end--------------->8---
>
> Is there anything that I missed for this service definition?

I don't see in your snippet where you create the socket or where you change
ownership of it, so I don't really understand what is going wrong.

Maybe the service itself is responsible for creating the socket and changing
ownership? In that case, I wouldn't use #:user or #:group, as these will run
the service as the unprivileged user from the start, instead of running it as
root and letting it change user after it has set things up.

If you want to create the socket yourself, why not use an
activation-service-type?
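The activation-service-type route suggested in the reply, as an added example that is not code from the thread or from Guix itself: an activation gexp runs as root during system activation, after user accounts exist and before the Shepherd starts any service, so it can create the socket's parent directory with the intended owner, group and mode. The daemon then keeps running unprivileged under #:user/#:group and never has to chown anything. The example assumes the definitions from the quoted snippet (<kyc-configuration>, kyc-shepherd-service, %kyc-accounts) are loaded, and that the application creates its socket inside %kyc-socket-dir, a made-up path that should be pointed at wherever the program actually places the socket.

```scheme
;; Added example, not from the thread: create the socket directory at
;; activation time (as root) so the service process itself needs no
;; privileges.  Assumes the quoted snippet's <kyc-configuration>,
;; kyc-shepherd-service and %kyc-accounts are already defined.
(use-modules (gnu services)
             (gnu services shepherd)
             (guix gexp)
             (ice-9 match))

(define %kyc-socket-dir "/run/kyc")      ; assumed socket location (made up)
(define %kyc-client-group "kyc-rpc")     ; group whose members may connect

(define (kyc-activation config)
  "Return a gexp that runs as root during system activation."
  (match config
    (($ <kyc-configuration> _ user)
     #~(begin
         (use-modules (guix build utils))   ; for mkdir-p
         (let ((uid (passwd:uid (getpwnam #$user)))
               (gid (group:gid (getgrnam #$%kyc-client-group))))
           (mkdir-p #$%kyc-socket-dir)
           ;; Owner is the service user so it can bind() the socket there;
           ;; group is the client group so only its members can traverse
           ;; the directory and reach the socket at all.
           (chown #$%kyc-socket-dir uid gid)
           ;; rwxr-s---: no access for "other", and the setgid bit makes a
           ;; socket inode created inside inherit the client group.  The
           ;; daemon then only has to make the socket group-writable, since
           ;; a client needs write permission on a unix socket to connect.
           (chmod #$%kyc-socket-dir #o2750))))))

(define kyc-service-type
  (service-type
   (name 'kyc)
   (extensions (list (service-extension shepherd-root-service-type
                                        kyc-shepherd-service)
                     (service-extension account-service-type
                                        (const %kyc-accounts))
                     ;; Prepare the socket directory before services start.
                     (service-extension activation-service-type
                                        kyc-activation)))
   (default-value (kyc-configuration))))
```

Add `(service kyc-service-type)` to the operating system's `services` field as before. Because the directory is restricted to the client group before the daemon is ever started, there is no window in which the socket is reachable by other users while the daemon is still fixing up its permissions, and a daemon that cannot change ownership (because it was started as an unprivileged user) no longer has to.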