Re: set permission/ownership for files generated by service

[Efraim Flashner <efraim@flashner.co.il>]

[-- Attachment #1: Type: text/plain, Size: 4889 bytes --]

On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> On Mon, 13 Jul 2020 22:01:47 -0400
> Julien Lepiller <julien@lepiller.eu> wrote:
> 
> > Le 13 juillet 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > <r.majd@pantherx.org> a écrit :
> > >
> > >my service definition is as follows:
> > >
> > >
> > >--8<---------------cut here---------------start------------->8---
> > >(define-record-type* <kyc-configuration>
> > >  kyc-configuration make-kyc-configuration
> > >  kyc-configuration?
> > >  (package kyc-configuration-package
> > >           (default kyc))
> > >  (user kyc-configuration-user
> > >        (default "kyc-service"))
> > >  (group kyc-configuration-group
> > >         (default "kyc-service")))
> > >
> > >(define %kyc-accounts
> > >  (list (user-group (name "kyc-service"))
> > >        (user-group (name "kyc-rpc"))
> > >        (user-account
> > >          (name "kyc-service")
> > >          (group "kyc-service")
> > >          (system? #f)
> > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > >          (comment "KYC service user"))))
> > >
> > >(define kyc-shepherd-service
> > >  (match-lambda
> > >    (($ <kyc-configuration> package user group)
> > >      (list (shepherd-service
> > >              (provision '(kyc))
> > >              (documentation "Run KYC as a daemon.")
> > >              (requirement '(networking user-processes))
> > >              (modules `((srfi srfi-1)
> > >                                (srfi srfi-26)
> > >                                ,@%default-modules))
> > >              (start #~(make-forkexec-constructor
> > >                        (list
> > >                           (string-append #$package "/bin/kyc"))
> > >                        #:user #$user
> > >                        #:group #$group
> > >                        #:environment-variables
> > >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > > "PATH")) (string-append "HOME=" "/home/" #$user))))
> > >              (stop #~(make-kill-destructor)))))))
> > >
> > >(define kyc-service-type
> > >  (service-type
> > >    (name 'kyc)
> > >    (extensions (list (service-extension shepherd-root-service-type
> > >                                                  kyc-shepherd-service)
> > >                             (service-extension account-service-type
> > >                                               (const
> > > %kyc-accounts)))) (default-value (kyc-configuration))))
> > >
> > >--8<---------------cut here---------------end--------------->8---
> > >
> > >is there anything that I missed for this service definition?   
> > 
> > I don't see in your snippet where you create the socket or where you
> > change ownership of it, so I don't really understand what is going
> > wrong.
> > 
> > Maybe the service itself is responsible for creating the socket and
> > changing ownership? In that case, I wouldn't use #:uses or #:group,
> > as these will run the service as the unpriviledged user from the
> > start, instead of running it as root and letting it change user after
> > it's set up things.
> > 
> > If you want to create the socket yourself, why not use an
> > activation-service-type?
> 
> Thanks for your response, 
> 
> the application itself is responsible for creation of socket, and the
> socket is created without problem, but when I try to change the
> ownership for socket file, I receive "operation not permitted" error. 
> 
> I also logged in to the user responsible for running the service and
> run the application manually, socket creation and permission set
> operations were succeed. 
> 
> referring to above snippet, when I perform all these operations
> manually, everything works without problem:
> 
> --8<---------------cut here---------------start------------->8---
> kyc-service@kyc-station /tmp/rpc$ whoami 
> kyc-service
> kyc-service@kyc-station /tmp/rpc$ groups 
> kyc-service wheel kyc-rpc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> --8<---------------cut here---------------end--------------->8---
> 

I don't remember what the default directory for running services is. I
see that kyc-service has a home directory so IIRC it should be there,
but if it isn't then it might be trying to run from '/'. Can you add
'#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
from that directory.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]