Date: Tue, 14 Jul 2020 15:54:14 +0430
From: Reza Alizadeh Majd
To: Efraim Flashner
Subject: Re: set permission/ownership for files generated by service
Message-ID: <20200714155414.458b478e@panther-arch.localdomain>
In-Reply-To: <20200714091029.GG10256@E5400>
References: <20200714044809.5ffc4553@panther-arch.localdomain> <058F2A5B-1B2D-449E-9556-7D19625C8D8C@lepiller.eu> <20200714125456.314ac748@panther-arch.localdomain> <20200714091029.GG10256@E5400>
Organization: PantherX
Cc: help-guix@gnu.org

On Tue, 14 Jul 2020 12:10:29 +0300
Efraim Flashner wrote:

> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller wrote:
> >
> > > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd wrote:
> > > >
> > > > my service definition is as follows:
> > > >
> > > > --8<---------------cut here---------------start------------->8---
> > > > (define-record-type* <kyc-configuration>
> > > >   kyc-configuration make-kyc-configuration
> > > >   kyc-configuration?
> > > >   (package kyc-configuration-package
> > > >            (default kyc))
> > > >   (user kyc-configuration-user
> > > >         (default "kyc-service"))
> > > >   (group kyc-configuration-group
> > > >          (default "kyc-service")))
> > > >
> > > > (define %kyc-accounts
> > > >   (list (user-group (name "kyc-service"))
> > > >         (user-group (name "kyc-rpc"))
> > > >         (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > > (define kyc-shepherd-service
> > > >   (match-lambda
> > > >     (($ <kyc-configuration> package user group)
> > > >      (list (shepherd-service
> > > >             (provision '(kyc))
> > > >             (documentation "Run KYC as a daemon.")
> > > >             (requirement '(networking user-processes))
> > > >             (modules `((srfi srfi-1)
> > > >                        (srfi srfi-26)
> > > >                        ,@%default-modules))
> > > >             (start #~(make-forkexec-constructor
> > > >                       (list
> > > >                        (string-append #$package "/bin/kyc"))
> > > >                       #:user #$user
> > > >                       #:group #$group
> > > >                       #:environment-variables
> > > >                       (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
> > > >                             (string-append "HOME=" "/home/" #$user))))
> > > >             (stop #~(make-kill-destructor)))))))
> > > >
> > > > (define kyc-service-type
> > > >   (service-type
> > > >    (name 'kyc)
> > > >    (extensions (list (service-extension
> > > >                       shepherd-root-service-type kyc-shepherd-service)
> > > >                      (service-extension
> > > >                       account-service-type (const %kyc-accounts))))
> > > >    (default-value (kyc-configuration))))
> > > > --8<---------------cut here---------------end--------------->8---
> > > >
> > > > is there anything that I missed for this service definition?
> > >
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > >
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:uses or
> > > #:group, as these will run the service as the unprivileged user
> > > from the start, instead of running it as root and letting it
> > > change user after it's set up things.
> > >
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?
> >
> > Thanks for your response,
> >
> > the application itself is responsible for creation of the socket, and
> > the socket is created without problem, but when I try to change the
> > ownership of the socket file, I receive an "operation not permitted"
> > error.
> >
> > I also logged in as the user responsible for running the service and
> > ran the application manually; socket creation and permission-setting
> > operations succeeded.
> >
> > Referring to the above snippet, when I perform all these operations
> > manually, everything works without problem:
> >
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >
>
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
>

I don't think this is related to setting '#:directory', since my
application succeeds in creating the `/tmp/rpc` directory and the `kyc`
socket file, but later, when it tries to set the permission using the
`chown` function, I receive an "operation not permitted" error.

By the way, I also added '#:directory' to start, and the issue still
exists.

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
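The thread ends without a resolution, but the rule the kernel applies to the `chown kyc-service:kyc-rpc kyc` step is fixed: an unprivileged process may change a file's group only if it owns the file and the target group is its effective gid, one of its supplementary groups, or the file's current group; changing the owner to another uid needs root (CAP_CHOWN). The interactive session above shows `groups` listing kyc-rpc; whether the daemon started by shepherd carries the same supplementary group list is exactly what is not visible in the thread. The Python below is an added example, not code from the thread or from Guix or the Shepherd: it encodes the chown(2) permission rule so a failure can be explained before calling `chown`, and gives a daemon a way to log its own credentials against the socket path so the service run can be compared with the interactive one. All uid/gid numbers are constructed.

```python
"""Model of the Linux chown(2) permission rule, plus a credential dump.

Added example; not code from the help-guix thread. The UID/GID numbers
used in __main__ are constructed, the real ids on the poster's system
are unknown.
"""
import grp
import os
import pwd
import stat
from dataclasses import dataclass, field

UNCHANGED = -1  # chown(2) convention: -1 leaves owner or group untouched


@dataclass(frozen=True)
class Creds:
    """Effective credentials of the calling process."""
    euid: int
    egid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary groups
    cap_chown: bool = False  # root, or a process holding CAP_CHOWN

    def in_group(self, gid):
        # Same test as the kernel's in_group_p(): effective gid or any
        # supplementary group.
        return gid == self.egid or gid in self.groups


def chown_check(file_uid, file_gid, new_uid, new_gid, creds):
    """Return None if chown(file, new_uid, new_gid) is allowed for creds,
    otherwise a string saying why the kernel answers EPERM.

    Mirrors fs/attr.c chown_ok()/chgrp_ok(): an unprivileged caller must
    own the file, may never hand ownership to another uid, and may only
    assign a group it is a member of (or the file's current group).
    """
    if creds.cap_chown:
        return None
    if new_uid != UNCHANGED and (creds.euid != file_uid or new_uid != file_uid):
        return "changing the owner requires CAP_CHOWN"
    if new_gid != UNCHANGED:
        if creds.euid != file_uid:
            return f"caller uid {creds.euid} does not own the file (owner {file_uid})"
        if new_gid != file_gid and not creds.in_group(new_gid):
            return (f"caller is not a member of gid {new_gid}; effective gid "
                    f"{creds.egid}, supplementary {sorted(creds.groups)}")
    return None


def current_creds():
    """Snapshot what the running process actually has. Calling this from
    inside the daemon and logging the result gives the counterpart to an
    interactive `id` / `groups`."""
    return Creds(os.geteuid(), os.getegid(), frozenset(os.getgroups()),
                 cap_chown=(os.geteuid() == 0))


def diagnose(path, group_name, creds=None):
    """Explain whether this process could change `path`'s group to `group_name`."""
    creds = creds or current_creds()
    st = os.stat(path)
    gid = grp.getgrnam(group_name).gr_gid
    verdict = chown_check(st.st_uid, st.st_gid, UNCHANGED, gid, creds)
    kind = "socket" if stat.S_ISSOCK(st.st_mode) else "file"
    owner = pwd.getpwuid(st.st_uid).pw_name
    return (f"{kind} {path} owned by {owner}:{st.st_gid}; chgrp to {group_name} -> "
            + ("permitted" if verdict is None else f"EPERM ({verdict})"))


if __name__ == "__main__":
    # Constructed ids: kyc-service = 1000, wheel = 998, kyc-rpc = 990.
    # Interactive shell from the thread: supplementary groups include kyc-rpc.
    interactive = Creds(euid=1000, egid=1000, groups=frozenset({998, 990}))
    print(chown_check(1000, 1000, 1000, 990, interactive))  # None: allowed
    # Same uid/gid but no supplementary groups: the same chown is refused.
    no_supplementary = Creds(euid=1000, egid=1000)
    print(chown_check(1000, 1000, 1000, 990, no_supplementary))
```

Dropping `diagnose("/tmp/rpc/kyc", "kyc-rpc")` into the daemon's startup log, next to the interactive output already in the thread, shows immediately whether the two runs differ in ownership of the socket, in effective uid, or in the supplementary group list, rather than leaving only the bare "operation not permitted".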