* set permission/ownership for files generated by service
From: Reza Alizadeh Majd @ 2020-07-14 0:18 UTC
To: help-guix

Hi Guix,

I'm working on a custom service for an application, this application
uses a unix socket for communication, and for security purposes I change
the owner group for this socket file and only applications that are run
by members of this specific group can access this socket file.

running the application manually, everything is OK and the socket file
is created with the desired permissions, but when I try to run this
application as a service, I receive a permission error during ownership
modification.

my service definition is as follows:

--8<---------------cut here---------------start------------->8---
(define-record-type* <kyc-configuration>
  kyc-configuration make-kyc-configuration
  kyc-configuration?
  (package kyc-configuration-package
           (default kyc))
  (user kyc-configuration-user
        (default "kyc-service"))
  (group kyc-configuration-group
         (default "kyc-service")))

(define %kyc-accounts
  (list (user-group (name "kyc-service"))
        (user-group (name "kyc-rpc"))
        (user-account
         (name "kyc-service")
         (group "kyc-service")
         (system? #f)
         (supplementary-groups '("wheel" "kyc-rpc" "video"))
         (comment "KYC service user"))))

(define kyc-shepherd-service
  (match-lambda
    (($ <kyc-configuration> package user group)
     (list (shepherd-service
            (provision '(kyc))
            (documentation "Run KYC as a daemon.")
            (requirement '(networking user-processes))
            (modules `((srfi srfi-1)
                       (srfi srfi-26)
                       ,@%default-modules))
            (start #~(make-forkexec-constructor
                      (list
                       (string-append #$package "/bin/kyc"))
                      #:user #$user
                      #:group #$group
                      #:environment-variables
                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
                            (string-append "HOME=" "/home/" #$user))))
            (stop #~(make-kill-destructor)))))))

(define kyc-service-type
  (service-type
   (name 'kyc)
   (extensions (list (service-extension shepherd-root-service-type
                                        kyc-shepherd-service)
                     (service-extension account-service-type
                                        (const %kyc-accounts))))
   (default-value (kyc-configuration))))
--8<---------------cut here---------------end--------------->8---

is there anything that I missed for this service definition?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

* Re: set permission/ownership for files generated by service
From: Julien Lepiller @ 2020-07-14 2:01 UTC
To: help-guix, Reza Alizadeh Majd

On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd <r.majd@pantherx.org> wrote:
>Hi Guix,
>
>I'm working on a custom service for an application, this application
>uses a unix socket for communication, and for security purposes I change
>the owner group for this socket file and only applications that are run
>by members of this specific group can access this socket file.
>
>running the application manually, everything is OK and the socket file
>is created with the desired permissions, but when I try to run this
>application as a service, I receive a permission error during ownership
>modification.
>
>my service definition is as follows:
>
>--8<---------------cut here---------------start------------->8---
>(define-record-type* <kyc-configuration>
>  kyc-configuration make-kyc-configuration
>  kyc-configuration?
>  (package kyc-configuration-package
>           (default kyc))
>  (user kyc-configuration-user
>        (default "kyc-service"))
>  (group kyc-configuration-group
>         (default "kyc-service")))
>
>(define %kyc-accounts
>  (list (user-group (name "kyc-service"))
>        (user-group (name "kyc-rpc"))
>        (user-account
>         (name "kyc-service")
>         (group "kyc-service")
>         (system? #f)
>         (supplementary-groups '("wheel" "kyc-rpc" "video"))
>         (comment "KYC service user"))))
>
>(define kyc-shepherd-service
>  (match-lambda
>    (($ <kyc-configuration> package user group)
>     (list (shepherd-service
>            (provision '(kyc))
>            (documentation "Run KYC as a daemon.")
>            (requirement '(networking user-processes))
>            (modules `((srfi srfi-1)
>                       (srfi srfi-26)
>                       ,@%default-modules))
>            (start #~(make-forkexec-constructor
>                      (list
>                       (string-append #$package "/bin/kyc"))
>                      #:user #$user
>                      #:group #$group
>                      #:environment-variables
>                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
>                            (string-append "HOME=" "/home/" #$user))))
>            (stop #~(make-kill-destructor)))))))
>
>(define kyc-service-type
>  (service-type
>   (name 'kyc)
>   (extensions (list (service-extension shepherd-root-service-type
>                                        kyc-shepherd-service)
>                     (service-extension account-service-type
>                                        (const %kyc-accounts))))
>   (default-value (kyc-configuration))))
>--8<---------------cut here---------------end--------------->8---
>
>is there anything that I missed for this service definition?

I don't see in your snippet where you create the socket or where you
change ownership of it, so I don't really understand what is going
wrong.

Maybe the service itself is responsible for creating the socket and
changing ownership? In that case, I wouldn't use #:user or #:group, as
these will run the service as the unprivileged user from the start,
instead of running it as root and letting it change user after it's set
up things.

If you want to create the socket yourself, why not use an
activation-service-type?

* Re: set permission/ownership for files generated by service
From: Reza Alizadeh Majd @ 2020-07-14 8:24 UTC
To: Julien Lepiller; +Cc: help-guix

On Mon, 13 Jul 2020 22:01:47 -0400
Julien Lepiller <julien@lepiller.eu> wrote:

> On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> <r.majd@pantherx.org> wrote:
> >
> >my service definition is as follows:
> >
> >--8<---------------cut here---------------start------------->8---
> >(define-record-type* <kyc-configuration>
> >  kyc-configuration make-kyc-configuration
> >  kyc-configuration?
> >  (package kyc-configuration-package
> >           (default kyc))
> >  (user kyc-configuration-user
> >        (default "kyc-service"))
> >  (group kyc-configuration-group
> >         (default "kyc-service")))
> >
> >(define %kyc-accounts
> >  (list (user-group (name "kyc-service"))
> >        (user-group (name "kyc-rpc"))
> >        (user-account
> >         (name "kyc-service")
> >         (group "kyc-service")
> >         (system? #f)
> >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> >         (comment "KYC service user"))))
> >
> >(define kyc-shepherd-service
> >  (match-lambda
> >    (($ <kyc-configuration> package user group)
> >     (list (shepherd-service
> >            (provision '(kyc))
> >            (documentation "Run KYC as a daemon.")
> >            (requirement '(networking user-processes))
> >            (modules `((srfi srfi-1)
> >                       (srfi srfi-26)
> >                       ,@%default-modules))
> >            (start #~(make-forkexec-constructor
> >                      (list
> >                       (string-append #$package "/bin/kyc"))
> >                      #:user #$user
> >                      #:group #$group
> >                      #:environment-variables
> >                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
> >                            (string-append "HOME=" "/home/" #$user))))
> >            (stop #~(make-kill-destructor)))))))
> >
> >(define kyc-service-type
> >  (service-type
> >   (name 'kyc)
> >   (extensions (list (service-extension shepherd-root-service-type
> >                                        kyc-shepherd-service)
> >                     (service-extension account-service-type
> >                                        (const %kyc-accounts))))
> >   (default-value (kyc-configuration))))
> >--8<---------------cut here---------------end--------------->8---
> >
> >is there anything that I missed for this service definition?
>
> I don't see in your snippet where you create the socket or where you
> change ownership of it, so I don't really understand what is going
> wrong.
>
> Maybe the service itself is responsible for creating the socket and
> changing ownership? In that case, I wouldn't use #:user or #:group,
> as these will run the service as the unprivileged user from the
> start, instead of running it as root and letting it change user after
> it's set up things.
>
> If you want to create the socket yourself, why not use an
> activation-service-type?

Thanks for your response,

the application itself is responsible for creation of the socket, and
the socket is created without problem, but when I try to change the
ownership for the socket file, I receive an "operation not permitted"
error.

I also logged in as the user responsible for running the service and
ran the application manually, socket creation and permission set
operations succeeded.

referring to the above snippet, when I perform all these operations
manually, everything works without problem:

--8<---------------cut here---------------start------------->8---
kyc-service@kyc-station /tmp/rpc$ whoami
kyc-service
kyc-service@kyc-station /tmp/rpc$ groups
kyc-service wheel kyc-rpc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
kyc-service@kyc-station /tmp/rpc$ ll
total 0
srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
--8<---------------cut here---------------end--------------->8---

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

* Re: set permission/ownership for files generated by service
From: Efraim Flashner @ 2020-07-14 9:10 UTC
To: Reza Alizadeh Majd; +Cc: help-guix

On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> On Mon, 13 Jul 2020 22:01:47 -0400
> Julien Lepiller <julien@lepiller.eu> wrote:
>
> > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > <r.majd@pantherx.org> wrote:
> > >
> > >my service definition is as follows:
> > >
> > >--8<---------------cut here---------------start------------->8---
> > >(define-record-type* <kyc-configuration>
> > >  kyc-configuration make-kyc-configuration
> > >  kyc-configuration?
> > >  (package kyc-configuration-package
> > >           (default kyc))
> > >  (user kyc-configuration-user
> > >        (default "kyc-service"))
> > >  (group kyc-configuration-group
> > >         (default "kyc-service")))
> > >
> > >(define %kyc-accounts
> > >  (list (user-group (name "kyc-service"))
> > >        (user-group (name "kyc-rpc"))
> > >        (user-account
> > >         (name "kyc-service")
> > >         (group "kyc-service")
> > >         (system? #f)
> > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > >         (comment "KYC service user"))))
> > >
> > >(define kyc-shepherd-service
> > >  (match-lambda
> > >    (($ <kyc-configuration> package user group)
> > >     (list (shepherd-service
> > >            (provision '(kyc))
> > >            (documentation "Run KYC as a daemon.")
> > >            (requirement '(networking user-processes))
> > >            (modules `((srfi srfi-1)
> > >                       (srfi srfi-26)
> > >                       ,@%default-modules))
> > >            (start #~(make-forkexec-constructor
> > >                      (list
> > >                       (string-append #$package "/bin/kyc"))
> > >                      #:user #$user
> > >                      #:group #$group
> > >                      #:environment-variables
> > >                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
> > >                            (string-append "HOME=" "/home/" #$user))))
> > >            (stop #~(make-kill-destructor)))))))
> > >
> > >(define kyc-service-type
> > >  (service-type
> > >   (name 'kyc)
> > >   (extensions (list (service-extension shepherd-root-service-type
> > >                                        kyc-shepherd-service)
> > >                     (service-extension account-service-type
> > >                                        (const %kyc-accounts))))
> > >   (default-value (kyc-configuration))))
> > >--8<---------------cut here---------------end--------------->8---
> > >
> > >is there anything that I missed for this service definition?
> >
> > I don't see in your snippet where you create the socket or where you
> > change ownership of it, so I don't really understand what is going
> > wrong.
> >
> > Maybe the service itself is responsible for creating the socket and
> > changing ownership? In that case, I wouldn't use #:user or #:group,
> > as these will run the service as the unprivileged user from the
> > start, instead of running it as root and letting it change user after
> > it's set up things.
> >
> > If you want to create the socket yourself, why not use an
> > activation-service-type?
>
> Thanks for your response,
>
> the application itself is responsible for creation of the socket, and
> the socket is created without problem, but when I try to change the
> ownership for the socket file, I receive an "operation not permitted"
> error.
>
> I also logged in as the user responsible for running the service and
> ran the application manually, socket creation and permission set
> operations succeeded.
>
> referring to the above snippet, when I perform all these operations
> manually, everything works without problem:
>
> --8<---------------cut here---------------start------------->8---
> kyc-service@kyc-station /tmp/rpc$ whoami
> kyc-service
> kyc-service@kyc-station /tmp/rpc$ groups
> kyc-service wheel kyc-rpc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> kyc-service@kyc-station /tmp/rpc$ ll
> total 0
> srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> --8<---------------cut here---------------end--------------->8---
>

I don't remember what the default directory for running services is. I
see that kyc-service has a home directory so IIRC it should be there,
but if it isn't then it might be trying to run from '/'. Can you add
'#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
from that directory.

-- 
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

* Re: set permission/ownership for files generated by service
From: Reza Alizadeh Majd @ 2020-07-14 11:24 UTC
To: Efraim Flashner; +Cc: help-guix

On Tue, 14 Jul 2020 12:10:29 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller <julien@lepiller.eu> wrote:
> >
> > > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > > <r.majd@pantherx.org> wrote:
> > > >
> > > >my service definition is as follows:
> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >(define-record-type* <kyc-configuration>
> > > >  kyc-configuration make-kyc-configuration
> > > >  kyc-configuration?
> > > >  (package kyc-configuration-package
> > > >           (default kyc))
> > > >  (user kyc-configuration-user
> > > >        (default "kyc-service"))
> > > >  (group kyc-configuration-group
> > > >         (default "kyc-service")))
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >         (name "kyc-service")
> > > >         (group "kyc-service")
> > > >         (system? #f)
> > > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >         (comment "KYC service user"))))
> > > >
> > > >(define kyc-shepherd-service
> > > >  (match-lambda
> > > >    (($ <kyc-configuration> package user group)
> > > >     (list (shepherd-service
> > > >            (provision '(kyc))
> > > >            (documentation "Run KYC as a daemon.")
> > > >            (requirement '(networking user-processes))
> > > >            (modules `((srfi srfi-1)
> > > >                       (srfi srfi-26)
> > > >                       ,@%default-modules))
> > > >            (start #~(make-forkexec-constructor
> > > >                      (list
> > > >                       (string-append #$package "/bin/kyc"))
> > > >                      #:user #$user
> > > >                      #:group #$group
> > > >                      #:environment-variables
> > > >                      (list (string-append "PATH=" #$coreutils "/bin:" (getenv "PATH"))
> > > >                            (string-append "HOME=" "/home/" #$user))))
> > > >            (stop #~(make-kill-destructor)))))))
> > > >
> > > >(define kyc-service-type
> > > >  (service-type
> > > >   (name 'kyc)
> > > >   (extensions (list (service-extension shepherd-root-service-type
> > > >                                        kyc-shepherd-service)
> > > >                     (service-extension account-service-type
> > > >                                        (const %kyc-accounts))))
> > > >   (default-value (kyc-configuration))))
> > > >--8<---------------cut here---------------end--------------->8---
> > > >
> > > >is there anything that I missed for this service definition?
> > >
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > >
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:user or
> > > #:group, as these will run the service as the unprivileged user
> > > from the start, instead of running it as root and letting it
> > > change user after it's set up things.
> > >
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?
> >
> > Thanks for your response,
> >
> > the application itself is responsible for creation of the socket,
> > and the socket is created without problem, but when I try to change
> > the ownership for the socket file, I receive an "operation not
> > permitted" error.
> >
> > I also logged in as the user responsible for running the service and
> > ran the application manually, socket creation and permission set
> > operations succeeded.
> >
> > referring to the above snippet, when I perform all these operations
> > manually, everything works without problem:
> >
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >
>
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
>

I don't think this is related to setting the '#:directory', since my
application succeeds in creating the `/tmp/rpc` directory and the `kyc`
socket file, but later when it tries to set the permission using the
`chown` function, I receive an "operation not permitted" error.

by the way, I also added the '#:directory' for start, and the issue
still exists.

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

* Re: set permission/ownership for files generated by service
From: Reza Alizadeh Majd @ 2020-07-14 12:16 UTC
To: Efraim Flashner; +Cc: help-guix

I assume that I found the issue source:

> > > >
> > > >--8<---------------cut here---------------start------------->8---
> > > >
> > > >(define %kyc-accounts
> > > >  (list (user-group (name "kyc-service"))
> > > >        (user-group (name "kyc-rpc"))
> > > >        (user-account
> > > >         (name "kyc-service")
> > > >         (group "kyc-service")
> > > >         (system? #f)
> > > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >         (comment "KYC service user"))))
> > > >
> > > >--8<---------------cut here---------------end--------------->8---
> > > >

I modified the service definition to open an empty 'screen', so I can
access a shell through the service, when I connect to the screen and
check user groups, it seems that the 'supplementary-groups' didn't apply
to the user:

--8<---------------cut here---------------start------------->8---
sh-5.0$ whoami
kyc-service
sh-5.0$ groups
kyc-service
sh-5.0$
--8<---------------cut here---------------end--------------->8---

so, is there anything that I missed?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

* Re: set permission/ownership for files generated by service
From: Efraim Flashner @ 2020-07-14 12:36 UTC
To: Reza Alizadeh Majd; +Cc: help-guix

On Tue, Jul 14, 2020 at 04:46:31PM +0430, Reza Alizadeh Majd wrote:
>
> I assume that I found the issue source:
>
> > > > >
> > > > >--8<---------------cut here---------------start------------->8---
> > > > >
> > > > >(define %kyc-accounts
> > > > >  (list (user-group (name "kyc-service"))
> > > > >        (user-group (name "kyc-rpc"))
> > > > >        (user-account
> > > > >         (name "kyc-service")
> > > > >         (group "kyc-service")
> > > > >         (system? #f)
> > > > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > > >         (comment "KYC service user"))))
> > > > >
> > > > >--8<---------------cut here---------------end--------------->8---
> > > > >
>
> I modified the service definition to open an empty 'screen', so I can
> access a shell through the service, when I connect to the screen and
> check user groups, it seems that the 'supplementary-groups' didn't
> apply to the user:
>
> --8<---------------cut here---------------start------------->8---
> sh-5.0$ whoami
> kyc-service
> sh-5.0$ groups
> kyc-service
> sh-5.0$
> --8<---------------cut here---------------end--------------->8---
>
> so, is there anything that I missed?
>

The only other thing I can think of right now is that you're creating
the kyc-service and kyc-rpc groups AND also using them for the first
time here. It could be that the kyc-service group is created with the
kyc-service user and the kyc-rpc group is 'too slow'. Try your code
again but without the kyc-rpc group.

-- 
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

* Re: set permission/ownership for files generated by service
From: Reza Alizadeh Majd @ 2020-07-14 20:05 UTC
To: Efraim Flashner; +Cc: help-guix

On Tue, 14 Jul 2020 15:36:41 +0300
Efraim Flashner <efraim@flashner.co.il> wrote:

> On Tue, Jul 14, 2020 at 04:46:31PM +0430, Reza Alizadeh Majd wrote:
> >
> > I assume that I found the issue source:
> >
> > > > > >
> > > > > >--8<---------------cut here---------------start------------->8---
> > > > > >
> > > > > >(define %kyc-accounts
> > > > > >  (list (user-group (name "kyc-service"))
> > > > > >        (user-group (name "kyc-rpc"))
> > > > > >        (user-account
> > > > > >         (name "kyc-service")
> > > > > >         (group "kyc-service")
> > > > > >         (system? #f)
> > > > > >         (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > > > >         (comment "KYC service user"))))
> > > > > >
> > > > > >--8<---------------cut here---------------end--------------->8---
> > > > > >
> >
> > I modified the service definition to open an empty 'screen', so I
> > can access a shell through the service, when I connect to the screen
> > and check user groups, it seems that the 'supplementary-groups'
> > didn't apply to the user:
> >
> > --8<---------------cut here---------------start------------->8---
> > sh-5.0$ whoami
> > kyc-service
> > sh-5.0$ groups
> > kyc-service
> > sh-5.0$
> > --8<---------------cut here---------------end--------------->8---
> >
> > so, is there anything that I missed?
> >
>
> The only other thing I can think of right now is that you're creating
> the kyc-service and kyc-rpc groups AND also using them for the first
> time here. It could be that the kyc-service group is created with the
> kyc-service user and the kyc-rpc group is 'too slow'. Try your code
> again but without the kyc-rpc group.
>

I don't think so, since the issue still persists after restarting the
services, or even after rebooting the machine.

I also checked `/etc/group` and the `kyc-service` user exists in all of
the supplementary groups, but the `groups` command shows only the
primary group.

--8<---------------cut here---------------start------------->8---
sh-5.0$ cat /etc/group | grep "kyc"
kyc-user:x:30002:
kyc-rpc:x:30001:kyc-user,kyc-service
kyc-service:x:980:
wheel:x:999:kyc-user,kyc-service
video:x:992:kyc-user,kyc-service
--8<---------------cut here---------------end--------------->8---

is it possible that I missed setting some environment variable, so the
permissions wouldn't be loaded correctly?

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

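Added example, not part of the thread and not Guix or Shepherd code: the last message shows /etc/group listing kyc-service in kyc-rpc while `groups` inside the service prints only the primary group. Both `groups` and the kernel's chown check use the group list the process itself carries, which whatever launches the process has to set; the Python code below compares that list, as shown in /proc/<pid>/status, with /etc/group. The status excerpts and uid 1001 are constructed sample values.

```python
"""Compare /etc/group membership with the groups a running process carries."""
from typing import NamedTuple

# Constructed sample: the /etc/group lines quoted in the thread.
ETC_GROUP = """\
kyc-user:x:30002:
kyc-rpc:x:30001:kyc-user,kyc-service
kyc-service:x:980:
wheel:x:999:kyc-user,kyc-service
video:x:992:kyc-user,kyc-service
"""

# Constructed /proc/<pid>/status excerpts (uid 1001 is a made-up value).
# Launched with only uid and primary gid set: the Groups line is empty.
SERVICE_STATUS = ("Name:\tkyc\nUid:\t1001\t1001\t1001\t1001\n"
                  "Gid:\t980\t980\t980\t980\nGroups:\t\n")
# Login session, where the login program loaded the supplementary groups.
LOGIN_STATUS = ("Name:\tbash\nUid:\t1001\t1001\t1001\t1001\n"
                "Gid:\t980\t980\t980\t980\nGroups:\t980 992 999 30001 \n")


class Group(NamedTuple):
    gid: int
    members: frozenset


class Creds(NamedTuple):
    fsuid: int
    fsgid: int
    supplementary: frozenset


def parse_group_db(text):
    """Parse /etc/group text into {name: Group}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        db[name] = Group(int(gid), frozenset(m for m in members.split(",") if m))
    return db


def parse_proc_status(text):
    """Extract the credentials the kernel uses for file permission checks."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.split()
    # Uid/Gid columns are: real, effective, saved, filesystem.
    return Creds(int(fields["Uid"][3]), int(fields["Gid"][3]),
                 frozenset(int(g) for g in fields.get("Groups", [])))


def process_gids(creds):
    return creds.supplementary | {creds.fsgid}


def missing_groups(db, user, creds):
    """Groups that /etc/group grants USER but the process does not carry."""
    have = process_gids(creds)
    return sorted(name for name, group in db.items()
                  if user in group.members and group.gid not in have)


def may_chgrp(creds, file_uid, target_gid):
    """Linux rule without CAP_CHOWN: the process must own the file and the
    target group must be in the process's own group list."""
    return creds.fsuid == file_uid and target_gid in process_gids(creds)


if __name__ == "__main__":
    db = parse_group_db(ETC_GROUP)
    for label, status in (("service", SERVICE_STATUS), ("login", LOGIN_STATUS)):
        creds = parse_proc_status(status)
        print(label, "missing:", missing_groups(db, "kyc-service", creds),
              "chgrp to kyc-rpc allowed:", may_chgrp(creds, 1001, db["kyc-rpc"].gid))
```

On a live system, feed `parse_proc_status` the contents of /proc/<pid>/status for the service's PID and `parse_group_db` the contents of /etc/group.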