Date: Tue, 14 Jul 2020 12:54:56 +0430
From: Reza Alizadeh Majd
To: Julien Lepiller
Subject: Re: set permission/ownership for files generated by service
Message-ID: <20200714125456.314ac748@panther-arch.localdomain>
In-Reply-To: <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu>
References: <20200714044809.5ffc4553@panther-arch.localdomain> <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu>
Cc: help-guix@gnu.org

On Mon, 13 Jul 2020 22:01:47 -0400
Julien Lepiller wrote:

> On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd wrote:
> >
> >my service definition is as follows:
> >
> >--8<---------------cut here---------------start------------->8---
> >;; The angle-bracketed record type name <kyc-configuration> was lost in
> >;; extraction and is restored here following the usual Guix convention.
> >(define-record-type* <kyc-configuration>
> >  kyc-configuration make-kyc-configuration
> >  kyc-configuration?
> >  (package kyc-configuration-package
> >           (default kyc))
> >  (user kyc-configuration-user
> >        (default "kyc-service"))
> >  (group kyc-configuration-group
> >         (default "kyc-service")))
> >
> >(define %kyc-accounts
> >  (list (user-group (name "kyc-service"))
> >        (user-group (name "kyc-rpc"))
> >        (user-account
> >         (name "kyc-service")
> >         (group "kyc-service")
> >         (system? #f)
> >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> >         (comment "KYC service user"))))
> >
> >(define kyc-shepherd-service
> >  (match-lambda
> >    (($ <kyc-configuration> package user group)
> >     (list (shepherd-service
> >            (provision '(kyc))
> >            (documentation "Run KYC as a daemon.")
> >            (requirement '(networking user-processes))
> >            (modules `((srfi srfi-1)
> >                       (srfi srfi-26)
> >                       ,@%default-modules))
> >            (start #~(make-forkexec-constructor
> >                      (list
> >                       (string-append #$package "/bin/kyc"))
> >                      #:user #$user
> >                      #:group #$group
> >                      #:environment-variables
> >                      (list (string-append "PATH=" #$coreutils "/bin:"
> >                                           (getenv "PATH"))
> >                            (string-append "HOME=" "/home/" #$user))))
> >            (stop #~(make-kill-destructor)))))))
> >
> >(define kyc-service-type
> >  (service-type
> >   (name 'kyc)
> >   (extensions (list (service-extension shepherd-root-service-type
> >                                        kyc-shepherd-service)
> >                     (service-extension account-service-type
> >                                        (const %kyc-accounts))))
> >   (default-value (kyc-configuration))))
> >--8<---------------cut here---------------end--------------->8---
> >
> >is there anything that I missed for this service definition?
>
> I don't see in your snippet where you create the socket or where you
> change ownership of it, so I don't really understand what is going
> wrong.
>
> Maybe the service itself is responsible for creating the socket and
> changing ownership? In that case, I wouldn't use #:uses or #:group,
> as these will run the service as the unprivileged user from the
> start, instead of running it as root and letting it change user after
> it's set up things.
>
> If you want to create the socket yourself, why not use an
> activation-service-type?

Thanks for your response,

the application itself is responsible for creation of the socket, and the
socket is created without problem, but when I try to change the ownership
of the socket file, I receive an "operation not permitted" error.

I also logged in as the user responsible for running the service and ran
the application manually; socket creation and permission-setting
operations succeeded.

Referring to the above snippet, when I perform all these operations
manually, everything works without problem:

--8<---------------cut here---------------start------------->8---
kyc-service@kyc-station /tmp/rpc$ whoami
kyc-service
kyc-service@kyc-station /tmp/rpc$ groups
kyc-service wheel kyc-rpc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
--8<---------------cut here---------------end--------------->8---

--
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
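As an added example that is not part of the thread, the Python below models the chown(2) permission rule that yields "operation not permitted": an unprivileged process may change a file's group only if it owns the file and the new group is its effective GID or one of its supplementary groups; changing the owner, or choosing any other group, requires CAP_CHOWN. The user and group names come from the thread; the numeric ids, the assumption that the daemon was started with only its primary group, and treating euid 0 as holding CAP_CHOWN are constructed assumptions, and `diagnose_chgrp` is a hypothetical helper one could run from inside the service to compare its group list with the interactive shell's.

```python
import grp
import os

# Added example (not from the thread): models the chown(2) permission rule
# behind "operation not permitted". Names kyc-service/kyc-rpc/wheel come
# from the thread; numeric ids and the daemon's group list are constructed.

def chown_permitted(file_uid, euid, egid, groups, new_uid, new_gid,
                    cap_chown=False):
    """Apply the chown(2) rule; return (allowed, reason)."""
    if cap_chown:
        return True, "CAP_CHOWN: any owner/group change is allowed"
    if new_uid != file_uid:
        return False, "changing the owner requires CAP_CHOWN"
    if euid != file_uid:
        return False, "caller does not own the file"
    if new_gid != egid and new_gid not in groups:
        return False, "new group is not one of the caller's groups"
    return True, "owner may change the group to one of its own groups"

def diagnose_chgrp(path, group_name):
    """Live check for a running service: explain, then attempt, chgrp."""
    st = os.stat(path)
    new_gid = grp.getgrnam(group_name).gr_gid
    # Assumption: euid 0 stands in for holding CAP_CHOWN.
    allowed, why = chown_permitted(st.st_uid, os.geteuid(), os.getegid(),
                                   os.getgroups(), st.st_uid, new_gid,
                                   cap_chown=os.geteuid() == 0)
    print(f"{path}: euid={os.geteuid()} groups={os.getgroups()} -> {why}")
    if allowed:
        os.chown(path, st.st_uid, new_gid)
    return allowed

# Constructed ids standing in for the accounts defined in the thread.
KYC_SERVICE_UID = KYC_SERVICE_GID = 1001
KYC_RPC_GID, WHEEL_GID = 1002, 998

def interactive_shell():
    # `groups` in the thread printed: kyc-service wheel kyc-rpc
    return chown_permitted(KYC_SERVICE_UID, KYC_SERVICE_UID, KYC_SERVICE_GID,
                           [KYC_SERVICE_GID, WHEEL_GID, KYC_RPC_GID],
                           KYC_SERVICE_UID, KYC_RPC_GID)

def daemon_primary_group_only():
    # Assumed: the daemon had uid/gid set but received no supplementary groups.
    return chown_permitted(KYC_SERVICE_UID, KYC_SERVICE_UID, KYC_SERVICE_GID,
                           [KYC_SERVICE_GID],
                           KYC_SERVICE_UID, KYC_RPC_GID)
```

Comparing the output of `groups` in the interactive shell with `os.getgroups()` inside the running daemon shows whether the target group is actually present in the service's credentials.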