From: raingloom <raingloom@riseup.net>
To: "help-guix@gnu.org" <help-guix@gnu.org>
Subject: FUSE works as non-root user but not in Shepherd service under same user
Date: Sun, 16 May 2021 20:16:58 +0200
Message-ID: <20210516201658.6eda8e42@riseup.net>

So, I've been struggling with this for a few days now.

I have a Chez script that waits until a SQL dump is written, cleanly
shuts down the FUSE file system that uses the corresponding database,
deletes the database, undumps it from the newly written SQL script, and
waits for the next write, all in an infinite loop.

To make the system a bit more secure, I run it as the gmnisrv user.

It works fine when I run it with su as:

```
su -s $(guix build memex-runner)/bin/memex-runner.sps gmnisrv /path/to/gemini/document/root
```

Translation, because su's syntax is a bit weird:
`su -s <executable> <username> [args...]`
runs <executable> [args...] as username.

So, it should have the same effect as specifying user and group in the
service description, right? But when I run the service I get this error:

```
Mounting to "wiki/tags"
Forked into background PID 1478
fusermount: mount failed: Operation not permitted
```

I have no clue what's going wrong. The mount point is owned by gmnisrv,
the database file too, /dev/fuse has read and write access for user,
group, and other, looking at the strace output doesn't reveal anything
obviously wrong or different between running it with su or with
Shepherd.
I also thought that I might be wrapping memex-runner.sps wrong and that
it was finding the binaries in /gnu/store before the ones in
/run/setuid-programs, so now wrap-program suffixes the PATH of inputs
instead of prefixing it, but that still didn't fix anything.

I'm out of ideas. Any idea how to proceed, short of going through the
source code for everything that's involved here, including FUSE,
Shepherd, Linux, and Supertag?

Here is my channel, look for raingloom/services/gemini.scm and
raingloom/packages/scheme.scm.
https://git.sr.ht/~raingloom/guix-packages/

My machine configs are private, but if needed I can share the relevant
bits; I don't think there is anything relevant there, though. It's a
pretty basic web server setup with Nginx and Molly Brown.
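A diagnostic that a practitioner would run at this point, added here as an example and not taken from the post, the channel, or Guix itself: a POSIX sh script that records the facts that decide whether an unprivileged mount through a setuid `fusermount` can succeed (effective user and group, which `fusermount` PATH resolves to and whether it is setuid root, the permissions on /dev/fuse, the NoNewPrivs, Seccomp and CapEff fields of /proc/self/status, and the mount namespace the process is in). It assumes that the Guix setuid wrapper lives at /run/setuid-programs/fusermount, which is an assumption based only on the path the post mentions. Run it once the same way the `su -s` invocation above is run and once from the Shepherd service (for example as the service's start command, with output redirected to a file), then diff the two reports; whatever differs is the lead strace did not show.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original post or of Guix.
# Usage: fuse-diag.sh report  > /tmp/fuse-report-$$.txt
# Run it under `su -s` and again from the Shepherd service, then diff.

# Path of the Guix setuid wrapper: an assumption, taken from the path the
# post mentions, not verified against the machine's configuration.
SETUID_FUSERMOUNT=/run/setuid-programs/fusermount

# fuse_env_report STATUS_FILE
# Print the /proc/<pid>/status fields that affect a setuid helper:
# real/effective ids, effective capabilities, NoNewPrivs and seccomp mode.
fuse_env_report() {
    awk '/^(Uid|Gid|CapEff|NoNewPrivs|Seccomp):/ { print }' "$1"
}

# nonewprivs_set STATUS_FILE
# Print 1 if NoNewPrivs is set in the status file, 0 otherwise. A process
# with NoNewPrivs=1 cannot gain privileges by executing a setuid binary, so
# a setuid fusermount started from it runs as the plain user.
nonewprivs_set() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) print 0 }' "$1"
}

# fusermount_is_setuid FILE
# Succeed (exit 0) only if FILE exists, has the setuid bit and is owned by
# root, i.e. it can actually perform the privileged mount.
fusermount_is_setuid() {
    f="$1"
    if [ -u "$f" ] && [ "$(stat -c %u "$f" 2>/dev/null)" = "0" ]; then
        return 0
    fi
    return 1
}

# fuse_report
# Print everything that should be compared between the two launch paths.
fuse_report() {
    echo "== user/group =="
    id
    echo "== PATH =="
    echo "$PATH"
    echo "== fusermount resolved from PATH =="
    path_fm=$(command -v fusermount 2>/dev/null || true)
    echo "${path_fm:-(not found in PATH)}"
    echo "== setuid helper candidates =="
    for f in "$SETUID_FUSERMOUNT" "$path_fm"; do
        [ -n "$f" ] || continue
        if fusermount_is_setuid "$f"; then
            echo "$f: setuid root"
        else
            echo "$f: NOT setuid root (or missing)"
        fi
    done
    echo "== /dev/fuse =="
    ls -l /dev/fuse 2>&1
    echo "== process status (/proc/self/status) =="
    fuse_env_report /proc/self/status
    echo "NoNewPrivs effective: $(nonewprivs_set /proc/self/status)"
    echo "== mount namespace =="
    readlink /proc/self/ns/mnt 2>&1
}

# Only produce a report when asked, so the file can also be sourced.
if [ "${1-}" = "report" ]; then
    fuse_report
fi
```

The fields worth staring at in the diff are the setuid line for whichever `fusermount` PATH resolves to, `NoNewPrivs`, and the mount namespace: a different `mnt:[...]` inode means the service was started in its own mount namespace, and `NoNewPrivs: 1` means the kernel ignores the setuid bit on the helper, either of which yields exactly the "Operation not permitted" seen above while strace of the program itself looks the same.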
