Date: Tue, 14 Jul 2020 12:10:29 +0300
From: Efraim Flashner <efraim@flashner.co.il>
To: Reza Alizadeh Majd <r.majd@pantherx.org>
Subject: Re: set permission/ownership for files generated by service
Message-ID: <20200714091029.GG10256@E5400>
References: <20200714044809.5ffc4553@panther-arch.localdomain>
 <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu>
 <20200714125456.314ac748@panther-arch.localdomain>
In-Reply-To: <20200714125456.314ac748@panther-arch.localdomain>

On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> On Mon, 13 Jul 2020 22:01:47 -0400
> Julien Lepiller <julien@lepiller.eu> wrote:
>
> > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > <r.majd@pantherx.org> wrote:
> > >
> > >my service definition is as follows:
> > >
> > >
> > >--8<---------------cut here---------------start------------->8---
> > >(define-record-type* <kyc-configuration>
> > >  kyc-configuration make-kyc-configuration
> > >  kyc-configuration?
> > >  (package kyc-configuration-package
> > >           (default kyc))
> > >  (user kyc-configuration-user
> > >        (default "kyc-service"))
> > >  (group kyc-configuration-group
> > >         (default "kyc-service")))
> > >
> > >(define %kyc-accounts
> > >  (list (user-group (name "kyc-service"))
> > >        (user-group (name "kyc-rpc"))
> > >        (user-account
> > >          (name "kyc-service")
> > >          (group "kyc-service")
> > >          (system? #f)
> > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > >          (comment "KYC service user"))))
> > >
> > >(define kyc-shepherd-service
> > >  (match-lambda
> > >    (($ <kyc-configuration> package user group)
> > >     (list (shepherd-service
> > >             (provision '(kyc))
> > >             (documentation "Run KYC as a daemon.")
> > >             (requirement '(networking user-processes))
> > >             (modules `((srfi srfi-1)
> > >                        (srfi srfi-26)
> > >                        ,@%default-modules))
> > >             (start #~(make-forkexec-constructor
> > >                       (list (string-append #$package "/bin/kyc"))
> > >                       #:user #$user
> > >                       #:group #$group
> > >                       #:environment-variables
> > >                       (list (string-append "PATH=" #$coreutils "/bin:"
> > >                                            (getenv "PATH"))
> > >                             (string-append "HOME=" "/home/" #$user))))
> > >             (stop #~(make-kill-destructor)))))))
> > >
> > >(define kyc-service-type
> > >  (service-type
> > >    (name 'kyc)
> > >    (extensions (list (service-extension shepherd-root-service-type
> > >                                         kyc-shepherd-service)
> > >                      (service-extension account-service-type
> > >                                         (const %kyc-accounts))))
> > >    (default-value (kyc-configuration))))
> > >
> > >--8<---------------cut here---------------end--------------->8---
> > >
> > >is there anything that I missed for this service definition?
> >
> > I don't see in your snippet where you create the socket or where you
> > change ownership of it, so I don't really understand what is going
> > wrong.
> >
> > Maybe the service itself is responsible for creating the socket and
> > changing ownership? In that case, I wouldn't use #:uses or #:group,
> > as these will run the service as the unprivileged user from the
> > start, instead of running it as root and letting it change user after
> > it's set up things.
> >
> > If you want to create the socket yourself, why not use an
> > activation-service-type?
>
> Thanks for your response,
>
> The application itself is responsible for creating the socket, and the
> socket is created without problem, but when I try to change the
> ownership of the socket file, I receive an "operation not permitted" error.
>
> I also logged in as the user responsible for running the service and
> ran the application manually; the socket creation and permission-setting
> operations succeeded.
>
> Referring to the above snippet, when I perform all these operations
> manually, everything works without problem:
>
> --8<---------------cut here---------------start------------->8---
> kyc-service@kyc-station /tmp/rpc$ whoami
> kyc-service
> kyc-service@kyc-station /tmp/rpc$ groups
> kyc-service wheel kyc-rpc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> --8<---------------cut here---------------end--------------->8---
>

I don't remember what the default directory for running services is. I
see that kyc-service has a home directory so IIRC it should be there,
but if it isn't then it might be trying to run from '/'. Can you add
'#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
from that directory.

--
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
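An added diagnostic, not part of the thread and not Guix or Shepherd code: an unprivileged process may change a file's group only to a group it is a member of (its effective GID or one of its supplementary groups), so the login shell above, where `groups` lists kyc-rpc, proves nothing about the supervised daemon, whose group set is whatever its supervisor gave it at start. This script reads the `Gid:` and `Groups:` lines of `/proc/<pid>/status` to answer that question for the daemon itself; the `has_pid_gid` wrapper, the `getent` lookup of the group name and the sample status excerpts are assumptions/constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). chown(2) to a group by a
# non-root caller succeeds only if that GID is the caller's effective
# GID or one of its supplementary groups; otherwise it fails with
# EPERM, i.e. "operation not permitted". Interactive logins get their
# supplementary groups from /etc/group; a daemon only has what its
# supervisor set before exec, so check the daemon's own /proc status.

# has_gid STATUS_TEXT GID -> exit 0 if GID is the effective GID (3rd
# field of "Gid:") or appears in the "Groups:" line of the status text.
has_gid() {
  printf '%s\n' "$1" | awk -v g="$2" '
    $1 == "Gid:"    { if ($3 == g) found = 1 }   # real eff saved fs
    $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
    END { exit found ? 0 : 1 }'
}

# has_pid_gid PID GROUPNAME -> same check against a live process; the
# group name (e.g. kyc-rpc from the thread) is resolved with getent.
has_pid_gid() {
  gid=$(getent group "$2" | cut -d: -f3) || return 2
  [ -n "$gid" ] || return 2
  has_gid "$(cat "/proc/$1/status")" "$gid"
}

# Constructed /proc/<pid>/status excerpts (all numbers are made up):
# a login shell with supplementary groups, and a daemon started with
# only a user and a primary group set.
SHELL_STATUS='Name:	bash
Uid:	1001	1001	1001	1001
Gid:	1001	1001	1001	1001
Groups:	998 999 1001 '
DAEMON_STATUS='Name:	kyc
Uid:	1001	1001	1001	1001
Gid:	1001	1001	1001	1001
Groups:	 '

if has_gid "$SHELL_STATUS" 999; then
  echo "login shell: member of GID 999, chown to it is allowed"
fi
if ! has_gid "$DAEMON_STATUS" 999; then
  echo "daemon: not in GID 999, chown to it would fail with EPERM"
fi
```

On a running system, `has_pid_gid "$(pgrep -x kyc)" kyc-rpc` performs the same comparison for the real service process.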