unofficial mirror of help-guix@gnu.org 
* set permission/ownership for files generated by service
@ 2020-07-14  0:18 Reza Alizadeh Majd
  2020-07-14  2:01 ` Julien Lepiller
  0 siblings, 1 reply; 8+ messages in thread
From: Reza Alizadeh Majd @ 2020-07-14  0:18 UTC (permalink / raw)
  To: help-guix

Hi Guix, 

I'm working on a custom service for an application. This application
uses a Unix socket for communication, and for security purposes I change
the owner group of this socket file, and only applications run by
members of this specific group can access this socket file.

Running the application manually, everything is OK and the socket file is
created with the desired permissions, but when I try to run this
application as a service, I receive a permission error during ownership
modification.

my service definition is as follows:


--8<---------------cut here---------------start------------->8---
(define-record-type* <kyc-configuration>
  kyc-configuration make-kyc-configuration
  kyc-configuration?
  (package kyc-configuration-package
           (default kyc))
  (user kyc-configuration-user
        (default "kyc-service"))
  (group kyc-configuration-group
         (default "kyc-service")))

(define %kyc-accounts
  (list (user-group (name "kyc-service"))
        (user-group (name "kyc-rpc"))
        (user-account
          (name "kyc-service")
          (group "kyc-service")
          (system? #f)
          (supplementary-groups '("wheel" "kyc-rpc" "video"))
          (comment "KYC service user"))))

(define kyc-shepherd-service
  (match-lambda
    (($ <kyc-configuration> package user group)
      (list (shepherd-service
              (provision '(kyc))
              (documentation "Run KYC as a daemon.")
              (requirement '(networking user-processes))
              (modules `((srfi srfi-1)
                                (srfi srfi-26)
                                ,@%default-modules))
              (start #~(make-forkexec-constructor
                        (list
                           (string-append #$package "/bin/kyc"))
                        #:user #$user
                        #:group #$group
                        #:environment-variables
                          (list  (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
                                  (string-append "HOME=" "/home/" #$user))))
              (stop #~(make-kill-destructor)))))))

(define kyc-service-type
  (service-type
    (name 'kyc)
    (extensions (list (service-extension shepherd-root-service-type
                                                          kyc-shepherd-service)
                             (service-extension account-service-type
                                                          (const %kyc-accounts))))
    (default-value (kyc-configuration))))

--8<---------------cut here---------------end--------------->8---

Is there anything that I missed in this service definition?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: set permission/ownership for files generated by service
  2020-07-14  0:18 set permission/ownership for files generated by service Reza Alizadeh Majd
@ 2020-07-14  2:01 ` Julien Lepiller
  2020-07-14  8:24   ` Reza Alizadeh Majd
  0 siblings, 1 reply; 8+ messages in thread
From: Julien Lepiller @ 2020-07-14  2:01 UTC (permalink / raw)
  To: help-guix, Reza Alizadeh Majd

On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
>Hi Guix, 
>
>I'm working on a custom service for an application. This application
>uses a Unix socket for communication, and for security purposes I change
>the owner group of this socket file, and only applications run by
>members of this specific group can access this socket file.
>
>Running the application manually, everything is OK and the socket file is
>created with the desired permissions, but when I try to run this
>application as a service, I receive a permission error during ownership
>modification.
>
>my service definition is as follows:
>
>
>--8<---------------cut here---------------start------------->8---
>(define-record-type* <kyc-configuration>
>  kyc-configuration make-kyc-configuration
>  kyc-configuration?
>  (package kyc-configuration-package
>           (default kyc))
>  (user kyc-configuration-user
>        (default "kyc-service"))
>  (group kyc-configuration-group
>         (default "kyc-service")))
>
>(define %kyc-accounts
>  (list (user-group (name "kyc-service"))
>        (user-group (name "kyc-rpc"))
>        (user-account
>          (name "kyc-service")
>          (group "kyc-service")
>          (system? #f)
>          (supplementary-groups '("wheel" "kyc-rpc" "video"))
>          (comment "KYC service user"))))
>
>(define kyc-shepherd-service
>  (match-lambda
>    (($ <kyc-configuration> package user group)
>      (list (shepherd-service
>              (provision '(kyc))
>              (documentation "Run KYC as a daemon.")
>              (requirement '(networking user-processes))
>              (modules `((srfi srfi-1)
>                                (srfi srfi-26)
>                                ,@%default-modules))
>              (start #~(make-forkexec-constructor
>                        (list
>                           (string-append #$package "/bin/kyc"))
>                        #:user #$user
>                        #:group #$group
>                        #:environment-variables
>     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
>                             (string-append "HOME=" "/home/" #$user))))
>              (stop #~(make-kill-destructor)))))))
>
>(define kyc-service-type
>  (service-type
>    (name 'kyc)
>    (extensions (list (service-extension shepherd-root-service-type
>                                                  kyc-shepherd-service)
>                             (service-extension account-service-type
>                                               (const %kyc-accounts))))
>    (default-value (kyc-configuration))))
>
>--8<---------------cut here---------------end--------------->8---
>
>Is there anything that I missed in this service definition?

I don't see in your snippet where you create the socket or where you change ownership of it, so I don't really understand what is going wrong.

Maybe the service itself is responsible for creating the socket and changing ownership? In that case, I wouldn't use #:user or #:group, as these will run the service as the unprivileged user from the start, instead of running it as root and letting it change user after it has set things up.

If you want to create the socket yourself, why not use an activation-service-type?



* Re: set permission/ownership for files generated by service
  2020-07-14  2:01 ` Julien Lepiller
@ 2020-07-14  8:24   ` Reza Alizadeh Majd
  2020-07-14  9:10     ` Efraim Flashner
  0 siblings, 1 reply; 8+ messages in thread
From: Reza Alizadeh Majd @ 2020-07-14  8:24 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: help-guix

On Mon, 13 Jul 2020 22:01:47 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> <r.majd@pantherx.org> wrote:
> >
> >my service definition is as follows:
> >
> >
> >--8<---------------cut here---------------start------------->8---
> >(define-record-type* <kyc-configuration>
> >  kyc-configuration make-kyc-configuration
> >  kyc-configuration?
> >  (package kyc-configuration-package
> >           (default kyc))
> >  (user kyc-configuration-user
> >        (default "kyc-service"))
> >  (group kyc-configuration-group
> >         (default "kyc-service")))
> >
> >(define %kyc-accounts
> >  (list (user-group (name "kyc-service"))
> >        (user-group (name "kyc-rpc"))
> >        (user-account
> >          (name "kyc-service")
> >          (group "kyc-service")
> >          (system? #f)
> >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> >          (comment "KYC service user"))))
> >
> >(define kyc-shepherd-service
> >  (match-lambda
> >    (($ <kyc-configuration> package user group)
> >      (list (shepherd-service
> >              (provision '(kyc))
> >              (documentation "Run KYC as a daemon.")
> >              (requirement '(networking user-processes))
> >              (modules `((srfi srfi-1)
> >                                (srfi srfi-26)
> >                                ,@%default-modules))
> >              (start #~(make-forkexec-constructor
> >                        (list
> >                           (string-append #$package "/bin/kyc"))
> >                        #:user #$user
> >                        #:group #$group
> >                        #:environment-variables
> >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > "PATH")) (string-append "HOME=" "/home/" #$user))))
> >              (stop #~(make-kill-destructor)))))))
> >
> >(define kyc-service-type
> >  (service-type
> >    (name 'kyc)
> >    (extensions (list (service-extension shepherd-root-service-type
> >                                                  kyc-shepherd-service)
> >                             (service-extension account-service-type
> >                                               (const
> > %kyc-accounts)))) (default-value (kyc-configuration))))
> >
> >--8<---------------cut here---------------end--------------->8---
> >
> >Is there anything that I missed in this service definition?
> 
> I don't see in your snippet where you create the socket or where you
> change ownership of it, so I don't really understand what is going
> wrong.
> 
> Maybe the service itself is responsible for creating the socket and
> changing ownership? In that case, I wouldn't use #:user or #:group,
> as these will run the service as the unprivileged user from the
> start, instead of running it as root and letting it change user after
> it has set things up.
> 
> If you want to create the socket yourself, why not use an
> activation-service-type?

Thanks for your response, 

The application itself is responsible for creating the socket, and the
socket is created without problem, but when I try to change the
ownership of the socket file, I receive an "operation not permitted" error.

I also logged in as the user responsible for running the service and
ran the application manually; the socket creation and permission-setting
operations succeeded.

Referring to the above snippet, when I perform all these operations
manually, everything works without problem:

--8<---------------cut here---------------start------------->8---
kyc-service@kyc-station /tmp/rpc$ whoami 
kyc-service
kyc-service@kyc-station /tmp/rpc$ groups 
kyc-service wheel kyc-rpc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
--8<---------------cut here---------------end--------------->8---


-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: set permission/ownership for files generated by service
  2020-07-14  8:24   ` Reza Alizadeh Majd
@ 2020-07-14  9:10     ` Efraim Flashner
  2020-07-14 11:24       ` Reza Alizadeh Majd
  2020-07-14 12:16       ` Reza Alizadeh Majd
  0 siblings, 2 replies; 8+ messages in thread
From: Efraim Flashner @ 2020-07-14  9:10 UTC (permalink / raw)
  To: Reza Alizadeh Majd; +Cc: help-guix

On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> On Mon, 13 Jul 2020 22:01:47 -0400
> Julien Lepiller <julien@lepiller.eu> wrote:
> 
> > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > <r.majd@pantherx.org> wrote:
> > >
> > >my service definition is as follows:
> > >
> > >
> > >--8<---------------cut here---------------start------------->8---
> > >(define-record-type* <kyc-configuration>
> > >  kyc-configuration make-kyc-configuration
> > >  kyc-configuration?
> > >  (package kyc-configuration-package
> > >           (default kyc))
> > >  (user kyc-configuration-user
> > >        (default "kyc-service"))
> > >  (group kyc-configuration-group
> > >         (default "kyc-service")))
> > >
> > >(define %kyc-accounts
> > >  (list (user-group (name "kyc-service"))
> > >        (user-group (name "kyc-rpc"))
> > >        (user-account
> > >          (name "kyc-service")
> > >          (group "kyc-service")
> > >          (system? #f)
> > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > >          (comment "KYC service user"))))
> > >
> > >(define kyc-shepherd-service
> > >  (match-lambda
> > >    (($ <kyc-configuration> package user group)
> > >      (list (shepherd-service
> > >              (provision '(kyc))
> > >              (documentation "Run KYC as a daemon.")
> > >              (requirement '(networking user-processes))
> > >              (modules `((srfi srfi-1)
> > >                                (srfi srfi-26)
> > >                                ,@%default-modules))
> > >              (start #~(make-forkexec-constructor
> > >                        (list
> > >                           (string-append #$package "/bin/kyc"))
> > >                        #:user #$user
> > >                        #:group #$group
> > >                        #:environment-variables
> > >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > > "PATH")) (string-append "HOME=" "/home/" #$user))))
> > >              (stop #~(make-kill-destructor)))))))
> > >
> > >(define kyc-service-type
> > >  (service-type
> > >    (name 'kyc)
> > >    (extensions (list (service-extension shepherd-root-service-type
> > >                                                  kyc-shepherd-service)
> > >                             (service-extension account-service-type
> > >                                               (const
> > > %kyc-accounts)))) (default-value (kyc-configuration))))
> > >
> > >--8<---------------cut here---------------end--------------->8---
> > >
> > >Is there anything that I missed in this service definition?
> > 
> > I don't see in your snippet where you create the socket or where you
> > change ownership of it, so I don't really understand what is going
> > wrong.
> > 
> > Maybe the service itself is responsible for creating the socket and
> > changing ownership? In that case, I wouldn't use #:user or #:group,
> > as these will run the service as the unprivileged user from the
> > start, instead of running it as root and letting it change user after
> > it has set things up.
> > 
> > If you want to create the socket yourself, why not use an
> > activation-service-type?
> 
> Thanks for your response, 
> 
> The application itself is responsible for creating the socket, and the
> socket is created without problem, but when I try to change the
> ownership of the socket file, I receive an "operation not permitted" error.
> 
> I also logged in as the user responsible for running the service and
> ran the application manually; the socket creation and permission-setting
> operations succeeded.
> 
> Referring to the above snippet, when I perform all these operations
> manually, everything works without problem:
> 
> --8<---------------cut here---------------start------------->8---
> kyc-service@kyc-station /tmp/rpc$ whoami 
> kyc-service
> kyc-service@kyc-station /tmp/rpc$ groups 
> kyc-service wheel kyc-rpc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> --8<---------------cut here---------------end--------------->8---
> 

I don't remember what the default directory for running services is. I
see that kyc-service has a home directory so IIRC it should be there,
but if it isn't then it might be trying to run from '/'. Can you add
'#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
from that directory.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* Re: set permission/ownership for files generated by service
  2020-07-14  9:10     ` Efraim Flashner
@ 2020-07-14 11:24       ` Reza Alizadeh Majd
  2020-07-14 12:16       ` Reza Alizadeh Majd
  1 sibling, 0 replies; 8+ messages in thread
From: Reza Alizadeh Majd @ 2020-07-14 11:24 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: help-guix

On Tue, 14 Jul 2020 12:10:29 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller <julien@lepiller.eu> wrote:
> >   
> > > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > > <r.majd@pantherx.org> wrote:
> > > >
> > > >my service definition is as follows:
> > > >
> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >(define-record-type* <kyc-configuration>
> > > >  kyc-configuration make-kyc-configuration
> > > >  kyc-configuration?
> > > >  (package kyc-configuration-package
> > > >           (default kyc))
> > > >  (user kyc-configuration-user
> > > >        (default "kyc-service"))
> > > >  (group kyc-configuration-group
> > > >         (default "kyc-service")))
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > >(define kyc-shepherd-service
> > > >  (match-lambda
> > > >    (($ <kyc-configuration> package user group)
> > > >      (list (shepherd-service
> > > >              (provision '(kyc))
> > > >              (documentation "Run KYC as a daemon.")
> > > >              (requirement '(networking user-processes))
> > > >              (modules `((srfi srfi-1)
> > > >                                (srfi srfi-26)
> > > >                                ,@%default-modules))
> > > >              (start #~(make-forkexec-constructor
> > > >                        (list
> > > >                           (string-append #$package "/bin/kyc"))
> > > >                        #:user #$user
> > > >                        #:group #$group
> > > >                        #:environment-variables
> > > >     (list  (string-append "PATH=" #$coreutils "/bin:" (getenv
> > > > "PATH")) (string-append "HOME=" "/home/" #$user))))
> > > >              (stop #~(make-kill-destructor)))))))
> > > >
> > > >(define kyc-service-type
> > > >  (service-type
> > > >    (name 'kyc)
> > > >    (extensions (list (service-extension
> > > > shepherd-root-service-type kyc-shepherd-service)
> > > >                             (service-extension
> > > > account-service-type (const
> > > > %kyc-accounts)))) (default-value (kyc-configuration))))
> > > >
> > > >--8<---------------cut here---------------end--------------->8---
> > > >
> > > >Is there anything that I missed in this service definition?
> > > 
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > > 
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:user or
> > > #:group, as these will run the service as the unprivileged user
> > > from the start, instead of running it as root and letting it
> > > change user after it has set things up.
> > > 
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?  
> > 
> > Thanks for your response, 
> > 
> > The application itself is responsible for creating the socket, and
> > the socket is created without problem, but when I try to change the
> > ownership of the socket file, I receive an "operation not permitted"
> > error.
> > 
> > I also logged in as the user responsible for running the service and
> > ran the application manually; the socket creation and permission-setting
> > operations succeeded.
> > 
> > Referring to the above snippet, when I perform all these operations
> > manually, everything works without problem:
> > 
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami 
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups 
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc 
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >   
> 
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
> 

I don't think this is related to setting '#:directory', since my
application succeeds in creating the `/tmp/rpc` directory
and the `kyc` socket file, but later, when it tries to set the
permissions using the `chown` function, I receive an "operation not
permitted" error.

By the way, I also added '#:directory' to start, and the issue still
exists.

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: set permission/ownership for files generated by service
  2020-07-14  9:10     ` Efraim Flashner
  2020-07-14 11:24       ` Reza Alizadeh Majd
@ 2020-07-14 12:16       ` Reza Alizadeh Majd
  2020-07-14 12:36         ` Efraim Flashner
  1 sibling, 1 reply; 8+ messages in thread
From: Reza Alizadeh Majd @ 2020-07-14 12:16 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: help-guix


I assume that I have found the source of the issue:

> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > >--8<---------------cut here---------------end--------------->8---
> > > >

I modified the service definition to open an empty 'screen' so I can
access a shell through the service. When I connect to the screen and
check the user's groups, it seems that the 'supplementary-groups' were
not applied to the user:

--8<---------------cut here---------------start------------->8---
sh-5.0$ whoami 
kyc-service
sh-5.0$ groups
kyc-service
sh-5.0$ 
--8<---------------cut here---------------end--------------->8---

So, is there anything that I missed?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/



* Re: set permission/ownership for files generated by service
  2020-07-14 12:16       ` Reza Alizadeh Majd
@ 2020-07-14 12:36         ` Efraim Flashner
  2020-07-14 20:05           ` Reza Alizadeh Majd
  0 siblings, 1 reply; 8+ messages in thread
From: Efraim Flashner @ 2020-07-14 12:36 UTC (permalink / raw)
  To: Reza Alizadeh Majd; +Cc: help-guix

On Tue, Jul 14, 2020 at 04:46:31PM +0430, Reza Alizadeh Majd wrote:
> 
> I assume that I have found the source of the issue:
> 
> > > > >
> > > > >--8<---------------cut here---------------start------------->8---
> > > > >
> > > > >(define %kyc-accounts
> > > > >  (list (user-group (name "kyc-service"))
> > > > >        (user-group (name "kyc-rpc"))
> > > > >        (user-account
> > > > >          (name "kyc-service")
> > > > >          (group "kyc-service")
> > > > >          (system? #f)
> > > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > > >          (comment "KYC service user"))))
> > > > >
> > > > >--8<---------------cut here---------------end--------------->8---
> > > > >
> 
> I modified the service definition to open an empty 'screen' so I can
> access a shell through the service. When I connect to the screen and
> check the user's groups, it seems that the 'supplementary-groups' were
> not applied to the user:
> 
> --8<---------------cut here---------------start------------->8---
> sh-5.0$ whoami 
> kyc-service
> sh-5.0$ groups
> kyc-service
> sh-5.0$ 
> --8<---------------cut here---------------end--------------->8---
> 
> So, is there anything that I missed?
> 

The only other thing I can think of right now is that you're creating
the kyc-service and kyc-rpc groups AND also using them for the first
time here. It could be that the kyc-service group is created with the
kyc-service user and the kyc-rpc group is 'too slow'. Try your code
again but without the kyc-rpc group.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted


* Re: set permission/ownership for files generated by service
  2020-07-14 12:36         ` Efraim Flashner
@ 2020-07-14 20:05           ` Reza Alizadeh Majd
  0 siblings, 0 replies; 8+ messages in thread
From: Reza Alizadeh Majd @ 2020-07-14 20:05 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: help-guix

On Tue, 14 Jul 2020 15:36:41 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 04:46:31PM +0430, Reza Alizadeh Majd wrote:
> > 
> > I assume that I have found the source of the issue:
> >   
> > > > > >
> > > > > >--8<---------------cut
> > > > > >here---------------start------------->8---
> > > > > >
> > > > > >(define %kyc-accounts
> > > > > >  (list (user-group (name "kyc-service"))
> > > > > >        (user-group (name "kyc-rpc"))
> > > > > >        (user-account
> > > > > >          (name "kyc-service")
> > > > > >          (group "kyc-service")
> > > > > >          (system? #f)
> > > > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > > > >          (comment "KYC service user"))))
> > > > > >
> > > > > >--8<---------------cut
> > > > > >here---------------end--------------->8---
> > > > > >  
> > 
> > I modified the service definition to open an empty 'screen' so I
> > can access a shell through the service. When I connect to the screen
> > and check the user's groups, it seems that the 'supplementary-groups'
> > were not applied to the user:
> > 
> > --8<---------------cut here---------------start------------->8---
> > sh-5.0$ whoami 
> > kyc-service
> > sh-5.0$ groups
> > kyc-service
> > sh-5.0$ 
> > --8<---------------cut here---------------end--------------->8---
> > 
> > So, is there anything that I missed?
> >   
> 
> The only other thing I can think of right now is that you're creating
> the kyc-service and kyc-rpc groups AND also using them for the first
> time here. It could be that the kyc-service group is created with the
> kyc-service user and the kyc-rpc group is 'too slow'. Try your code
> again but without the kyc-rpc group.
> 

I don't think so, since the issue still persists after restarting the
services, or even after rebooting the machine. I also checked
`/etc/group`, and the `kyc-service` user exists in all of the supplementary
groups, but the `groups` command shows only the primary group.

--8<---------------cut here---------------start------------->8---
sh-5.0$ cat /etc/group  | grep "kyc"
kyc-user:x:30002:
kyc-rpc:x:30001:kyc-user,kyc-service
kyc-service:x:980:
wheel:x:999:kyc-user,kyc-service
video:x:992:kyc-user,kyc-service
--8<---------------cut here---------------end--------------->8---

Is it possible that I missed setting some environment variable, so the
permissions aren't loaded correctly?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
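The two observations in this thread, the interactive `chown kyc-service:kyc-rpc kyc` that succeeds and the same call failing with "operation not permitted" inside the daemon, follow from the chown(2) rule: without CAP_CHOWN a process may hand a file it owns only to a group it is currently a member of, and `groups` inside the service shows only the primary group. The Python below is an added example, not code from the thread, from Guix or from the Shepherd. It models that rule, replays both observations with constructed user and group ids (the names are borrowed from the thread, the numbers are placeholders), and shows the initgroups/setgid/setuid order a root supervisor must follow for a child to inherit its supplementary groups; that this is the missing step in the service is my reading of the symptom, not something the thread confirms. To my knowledge, later Shepherd releases added a `#:supplementary-groups` keyword to `make-forkexec-constructor` for this case; check the manual of the version you run.

```python
"""Why chown to another group fails for a daemon without its supplementary
groups.  Added example; ids, names and credential sets are constructed."""

import errno
import os
import pwd
from dataclasses import dataclass

# Constructed ids loosely modelled on the /etc/group listing in the thread.
KYC_SERVICE_UID = 1000
KYC_SERVICE_GID = 980
KYC_RPC_GID = 30001
WHEEL_GID = 999


@dataclass(frozen=True)
class Process:
    """The credentials chown(2) consults: euid, egid and supplementary gids."""
    euid: int
    egid: int
    supplementary: frozenset = frozenset()

    def member_of(self, gid):
        return gid == self.egid or gid in self.supplementary


def chown_permitted(proc, file_uid, file_gid, new_uid=None, new_gid=None):
    """Return 0 if chown(new_uid, new_gid) on a file owned by file_uid:file_gid
    would succeed for proc, else the errno it would fail with.

    Linux rule, CAP_CHOWN aside: only the owner may touch ownership at all,
    the owner may never give the file away, and the owner may change the
    group only to one it is a member of (effective or supplementary gid)."""
    if proc.euid == 0:                      # root holds CAP_CHOWN
        return 0
    if proc.euid != file_uid:               # non-owner: nothing allowed
        return errno.EPERM
    if new_uid is not None and new_uid != file_uid:
        return errno.EPERM                  # owner cannot transfer ownership
    if new_gid is not None and new_gid != file_gid and not proc.member_of(new_gid):
        return errno.EPERM                  # group not in the caller's set
    return 0


def thread_scenarios():
    """Both observations from the thread as credential sets.  Both processes
    are uid/gid kyc-service and own the socket; only the supplementary list
    differs (the daemon's empty list is an assumption about the cause)."""
    sock_uid, sock_gid = KYC_SERVICE_UID, KYC_SERVICE_GID
    # Interactive login: login/PAM ran initgroups(), so wheel and kyc-rpc
    # are present, matching the `groups` output in the thread.
    login_shell = Process(KYC_SERVICE_UID, KYC_SERVICE_GID,
                          frozenset({WHEEL_GID, KYC_RPC_GID}))
    # Daemon whose supervisor switched uid/gid without loading the
    # supplementary groups: `groups` prints only the primary group.
    daemon = Process(KYC_SERVICE_UID, KYC_SERVICE_GID, frozenset())
    return {
        "manual":  chown_permitted(login_shell, sock_uid, sock_gid,
                                   new_uid=KYC_SERVICE_UID, new_gid=KYC_RPC_GID),
        "service": chown_permitted(daemon, sock_uid, sock_gid,
                                   new_uid=KYC_SERVICE_UID, new_gid=KYC_RPC_GID),
    }


def current_process():
    """Credentials of this interpreter as the kernel sees them."""
    return Process(os.geteuid(), os.getegid(), frozenset(os.getgroups()))


def drop_privileges(username):
    """How a root supervisor hands a child to `username`: load the
    supplementary groups with initgroups() while still root, then set the
    primary gid, then the uid.  Omitting initgroups(), or calling it after
    setuid() when it is no longer permitted, yields exactly the symptom in
    the thread: right uid and gid, but only the primary group."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)      # needs root; must precede setuid
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return current_process()


if __name__ == "__main__":
    for label, rc in thread_scenarios().items():
        print(f"{label} chown kyc-service:kyc-rpc: "
              f"{'ok' if rc == 0 else os.strerror(rc)}")
    me = current_process()
    print(f"this process: euid={me.euid} egid={me.egid} "
          f"supplementary={sorted(me.supplementary)}")
```

Running it as any user prints `manual ... ok` and `service ... Operation not permitted`, plus the current interpreter's credential set; `drop_privileges` is the part to compare against whatever supervisor launches the daemon, since the thread's `/etc/group` shows the memberships are configured correctly and the gap is in what the process was started with.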

