unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
From: Reza Alizadeh Majd <r.majd@pantherx.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: help-guix@gnu.org
Subject: Re: set permission/ownership for files generated by service
Date: Tue, 14 Jul 2020 15:54:14 +0430	[thread overview]
Message-ID: <20200714155414.458b478e@panther-arch.localdomain> (raw)
In-Reply-To: <20200714091029.GG10256@E5400>

On Tue, 14 Jul 2020 12:10:29 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller <julien@lepiller.eu> wrote:
> >   
> > > Le 13 juillet 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > > <r.majd@pantherx.org> a écrit :  
> > > >
> > > >my service definition is as follows:
> > > >
> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >(define-record-type* <kyc-configuration>
> > > >  kyc-configuration make-kyc-configuration
> > > >  kyc-configuration?
> > > >  (package kyc-configuration-package
> > > >           (default kyc))
> > > >  (user kyc-configuration-user
> > > >        (default "kyc-service"))
> > > >  (group kyc-configuration-group
> > > >         (default "kyc-service")))
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > >(define kyc-shepherd-service
> > > >  (match-lambda
> > > >    (($ <kyc-configuration> package user group)
> > > >      (list (shepherd-service
> > > >              (provision '(kyc))
> > > >              (documentation "Run KYC as a daemon.")
> > > >              (requirement '(networking user-processes))
> > > >              (modules `((srfi srfi-1)
> > > >                                (srfi srfi-26)
> > > >                                ,@%default-modules))
> > > >              (start #~(make-forkexec-constructor
> > > >                        (list
> > > >                           (string-append #$package "/bin/kyc"))
> > > >                        #:user #$user
> > > >                        #:group #$group
> > > >                        #:environment-variables
> > > >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > > > "PATH")) (string-append "HOME=" "/home/" #$user))))
> > > >              (stop #~(make-kill-destructor)))))))
> > > >
> > > >(define kyc-service-type
> > > >  (service-type
> > > >    (name 'kyc)
> > > >    (extensions (list (service-extension
> > > > shepherd-root-service-type kyc-shepherd-service)
> > > >                             (service-extension
> > > > account-service-type (const
> > > > %kyc-accounts)))) (default-value (kyc-configuration))))
> > > >
> > > >--8<---------------cut here---------------end--------------->8---
> > > >
> > > >is there anything that I missed for this service definition?     
> > > 
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > > 
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:uses or
> > > #:group, as these will run the service as the unpriviledged user
> > > from the start, instead of running it as root and letting it
> > > change user after it's set up things.
> > > 
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?  
> > 
> > Thanks for your response, 
> > 
> > the application itself is responsible for creation of socket, and
> > the socket is created without problem, but when I try to change the
> > ownership for socket file, I receive "operation not permitted"
> > error. 
> > 
> > I also logged in to the user responsible for running the service and
> > run the application manually, socket creation and permission set
> > operations were succeed. 
> > 
> > referring to above snippet, when I perform all these operations
> > manually, everything works without problem:
> > 
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami 
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups 
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >   
> 
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
> 

I don't think if this is related to set the '#:directory' since my
application succeeds about creating the `/tmp/rpc` directory
and the `kyc` socket file. but later when it tries to set the
permission using the `chown` function, I receive "operation not
permitted" error.  

by the way, I also added the '#:directory' for start, and issue still
exists. 

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/


  reply	other threads:[~2020-07-14 11:24 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-07-14  0:18 set permission/ownership for files generated by service Reza Alizadeh Majd
2020-07-14  2:01 ` Julien Lepiller
2020-07-14  8:24   ` Reza Alizadeh Majd
2020-07-14  9:10     ` Efraim Flashner
2020-07-14 11:24       ` Reza Alizadeh Majd [this message]
2020-07-14 12:16       ` Reza Alizadeh Majd
2020-07-14 12:36         ` Efraim Flashner
2020-07-14 20:05           ` Reza Alizadeh Majd

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200714155414.458b478e@panther-arch.localdomain \
    --to=r.majd@pantherx.org \
    --cc=efraim@flashner.co.il \
    --cc=help-guix@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).