From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id 6OR8Ltt2DV+DZwAA0tVLHw (envelope-from ) for ; Tue, 14 Jul 2020 09:11:55 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id UPA1Ktt2DV+5HAAAbx9fmQ (envelope-from ) for ; Tue, 14 Jul 2020 09:11:55 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id ED209940276 for ; Tue, 14 Jul 2020 09:11:54 +0000 (UTC) Received: from localhost ([::1]:40878 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jvGyf-0001Du-VN for larch@yhetil.org; Tue, 14 Jul 2020 05:11:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:45684) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvGyT-0001CQ-83 for help-guix@gnu.org; Tue, 14 Jul 2020 05:11:41 -0400 Received: from flashner.co.il ([178.62.234.194]:54474) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jvGyR-0006k8-A5 for help-guix@gnu.org; Tue, 14 Jul 2020 05:11:40 -0400 Received: from localhost (unknown [141.226.9.208]) by flashner.co.il (Postfix) with ESMTPSA id 77E714001D; Tue, 14 Jul 2020 09:11:06 +0000 (UTC) Date: Tue, 14 Jul 2020 12:10:29 +0300 From: Efraim Flashner To: Reza Alizadeh Majd Subject: Re: set permission/ownership for files generated by service Message-ID: <20200714091029.GG10256@E5400> References: <20200714044809.5ffc4553@panther-arch.localdomain> <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu> <20200714125456.314ac748@panther-arch.localdomain> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="gvF4niNJ+uBMJnEh" Content-Disposition: inline In-Reply-To: <20200714125456.314ac748@panther-arch.localdomain> X-PGP-Key-ID: 0x41AAE7DCCA3D8351 X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Received-SPF: pass client-ip=178.62.234.194; envelope-from=efraim@flashner.co.il; helo=flashner.co.il X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/14 05:11:07 X-ACL-Warn: Detected OS = ??? X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: help-guix@gnu.org Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: "Help-Guix" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org X-Spam-Score: 0.69 X-TUID: NqCB6tH3nroU --gvF4niNJ+uBMJnEh Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote: > On Mon, 13 Jul 2020 22:01:47 -0400 > Julien Lepiller wrote: >=20 > > Le 13 juillet 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd > > a =C3=A9crit : > > > > > >my service definition is as follows: > > > > > > > > >--8<---------------cut here---------------start------------->8--- > > >(define-record-type* > > > kyc-configuration make-kyc-configuration > > > kyc-configuration? > > > (package kyc-configuration-package > > > (default kyc)) > > > (user kyc-configuration-user > > > (default "kyc-service")) > > > (group kyc-configuration-group > > > (default "kyc-service"))) > > > > > >(define %kyc-accounts > > > (list (user-group (name "kyc-service")) > > > (user-group (name "kyc-rpc")) > > > (user-account > > > (name "kyc-service") > > > (group "kyc-service") > > > (system? #f) > > > (supplementary-groups '("wheel" "kyc-rpc" "video")) > > > (comment "KYC service user")))) > > > > > >(define kyc-shepherd-service > > > (match-lambda > > > (($ package user group) > > > (list (shepherd-service > > > (provision '(kyc)) > > > (documentation "Run KYC as a daemon.") > > > (requirement '(networking user-processes)) > > > (modules `((srfi srfi-1) > > > (srfi srfi-26) > > > ,@%default-modules)) > > > (start #~(make-forkexec-constructor > > > (list > > > (string-append #$package "/bin/kyc")) > > > #:user #$user > > > #:group #$group > > > #:environment-variables > > > (list (string-append "PATH=3D" #$coreutils "/bin:" (getenv > > > "PATH")) (string-append "HOME=3D" "/home/" #$user)))) > > > (stop #~(make-kill-destructor))))))) > > > > > >(define kyc-service-type > > > (service-type > > > (name 'kyc) > > > (extensions (list (service-extension shepherd-root-service-type > > > kyc-shepherd-service) > > > (service-extension account-service-type > > > (const > > > %kyc-accounts)))) (default-value (kyc-configuration)))) > > > > > >--8<---------------cut here---------------end--------------->8--- > > > > > >is there anything that I missed for this service definition? =20 > >=20 > > I don't see in your snippet where you create the socket or where you > > change ownership of it, so I don't really understand what is going > > wrong. > >=20 > > Maybe the service itself is responsible for creating the socket and > > changing ownership? In that case, I wouldn't use #:uses or #:group, > > as these will run the service as the unpriviledged user from the > > start, instead of running it as root and letting it change user after > > it's set up things. > >=20 > > If you want to create the socket yourself, why not use an > > activation-service-type? >=20 > Thanks for your response,=20 >=20 > the application itself is responsible for creation of socket, and the > socket is created without problem, but when I try to change the > ownership for socket file, I receive "operation not permitted" error.=20 >=20 > I also logged in to the user responsible for running the service and > run the application manually, socket creation and permission set > operations were succeed.=20 >=20 > referring to above snippet, when I perform all these operations > manually, everything works without problem: >=20 > --8<---------------cut here---------------start------------->8--- > kyc-service@kyc-station /tmp/rpc$ whoami=20 > kyc-service > kyc-service@kyc-station /tmp/rpc$ groups=20 > kyc-service wheel kyc-rpc > kyc-service@kyc-station /tmp/rpc$ ll > total 0 > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc=20 > kyc-service@kyc-station /tmp/rpc$ ll > total 0 > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc > --8<---------------cut here---------------end--------------->8--- >=20 I don't remember what the default directory for running services is. I see that kyc-service has a home directory so IIRC it should be there, but if it isn't then it might be trying to run from '/'. Can you add '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run =66rom that directory. --=20 Efraim Flashner =D7=90=D7=A4=D7=A8=D7=99=D7=9D = =D7=A4=D7=9C=D7=A9=D7=A0=D7=A8 GPG key =3D A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted --gvF4niNJ+uBMJnEh Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEoov0DD5VE3JmLRT3Qarn3Mo9g1EFAl8NdoEACgkQQarn3Mo9 g1HYbg//baMRxlCb/2XjE2V6PGfjAs0y29/I2AgoBwqOFhnmAogULKBpVhv0uXmG FP1bsGSafh7hFHANhME3w8vStb9ZrdAnOuVwegvn7QgtGWaZzVvfJui04YJHX5NB 1uyiq7f5Qel9ohh34e1vDJnIbEysH4RAyyNFLu7VtNDQErjIHcuFB1olEN9ggdfE SoNgISXcy/sNM/6seWj7tRzOIVwzWBNWrzWTjZ6ncHaMl3+6ucCAyM3xkEFcsEOv 4kqEGPgXFX94AgdYeJNaA8elo3pX+uBZeFGUsHd/SjJxcHooDVsxKkTsyfCVol9c gBqM39zzOAF2TvURRZU87sTkpnr5WLrNPDVLRUK2/OMQPzIK1ubRf5Hg6YcVK16+ d+sUs4+yJupA3zNp83pbhONpidY8fUzxTK/z2aSnOEISxdWqXfA1B296ksNfaxVO W29bDkomA+EktpI3PBcVE4aWFrwF7RTzjCGaiJgof0MvPWhs3deNIaBPVDH1lSAO iUYeDs6HyPJPpZ17LHaJOxuxp9AuXp7Eau7lDsNata/wR6DXE6BYNxQlt8lI7BeY K9A9PhaYGqf73VKavGVMYCad34clW26c7fI6LmecWE6tqU5YTOd2GukIBF3/Tuee JCjiA9IGQM6X9oIy8phNMhmdgewMfqIlTg8jPUurOw27XMv1U7U= =XEY0 -----END PGP SIGNATURE----- --gvF4niNJ+uBMJnEh--