Re: set permission/ownership for files generated by service

[Reza Alizadeh Majd <r.majd@pantherx.org>]

On Tue, 14 Jul 2020 12:10:29 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller <julien@lepiller.eu> wrote:
> >   
> > > Le 13 juillet 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > > <r.majd@pantherx.org> a écrit :  
> > > >
> > > >my service definition is as follows:
> > > >
> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >(define-record-type* <kyc-configuration>
> > > >  kyc-configuration make-kyc-configuration
> > > >  kyc-configuration?
> > > >  (package kyc-configuration-package
> > > >           (default kyc))
> > > >  (user kyc-configuration-user
> > > >        (default "kyc-service"))
> > > >  (group kyc-configuration-group
> > > >         (default "kyc-service")))
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > >(define kyc-shepherd-service
> > > >  (match-lambda
> > > >    (($ <kyc-configuration> package user group)
> > > >      (list (shepherd-service
> > > >              (provision '(kyc))
> > > >              (documentation "Run KYC as a daemon.")
> > > >              (requirement '(networking user-processes))
> > > >              (modules `((srfi srfi-1)
> > > >                                (srfi srfi-26)
> > > >                                ,@%default-modules))
> > > >              (start #~(make-forkexec-constructor
> > > >                        (list
> > > >                           (string-append #$package "/bin/kyc"))
> > > >                        #:user #$user
> > > >                        #:group #$group
> > > >                        #:environment-variables
> > > >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > > > "PATH")) (string-append "HOME=" "/home/" #$user))))
> > > >              (stop #~(make-kill-destructor)))))))
> > > >
> > > >(define kyc-service-type
> > > >  (service-type
> > > >    (name 'kyc)
> > > >    (extensions (list (service-extension
> > > > shepherd-root-service-type kyc-shepherd-service)
> > > >                             (service-extension
> > > > account-service-type (const
> > > > %kyc-accounts)))) (default-value (kyc-configuration))))
> > > >
> > > >--8<---------------cut here---------------end--------------->8---
> > > >
> > > >is there anything that I missed for this service definition?     
> > > 
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > > 
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:uses or
> > > #:group, as these will run the service as the unpriviledged user
> > > from the start, instead of running it as root and letting it
> > > change user after it's set up things.
> > > 
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?  
> > 
> > Thanks for your response, 
> > 
> > the application itself is responsible for creation of socket, and
> > the socket is created without problem, but when I try to change the
> > ownership for socket file, I receive "operation not permitted"
> > error. 
> > 
> > I also logged in to the user responsible for running the service and
> > run the application manually, socket creation and permission set
> > operations were succeed. 
> > 
> > referring to above snippet, when I perform all these operations
> > manually, everything works without problem:
> > 
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami 
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups 
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >   
> 
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
> 

I don't think if this is related to set the '#:directory' since my
application succeeds about creating the `/tmp/rpc` directory
and the `kyc` socket file. but later when it tries to set the
permission using the `chown` function, I receive "operation not
permitted" error.  

by the way, I also added the '#:directory' for start, and issue still
exists. 

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/