From: raingloom
To: help-guix@gnu.org
Subject: FUSE works as non-root user but not in Shepherd service under same user
Date: Sun, 16 May 2021 20:16:58 +0200
Message-ID: <20210516201658.6eda8e42@riseup.net>

So, I've been struggling with this for a few days now.

I have a Chez script that waits until a SQL dump is written, cleanly shuts down the FUSE file system that uses the corresponding database, deletes the database, undumps it from the newly written SQL script, and waits for the next write, all in an infinite loop.

To make the system a bit more secure, I run it as the gmnisrv user. It works fine when I run it with su as:

su -s $(guix build memex-runner)/bin/memex-runner.sps gmnisrv /path/to/gemini/document/root

Translation, because su's syntax is a bit weird: `su -s [args...]` runs [args...] as username. So, it should have the same effect as specifying user and group in the service description, right?
But when I run the service I get this error:

```
Mounting to "wiki/tags"
Forked into background PID 1478
fusermount: mount failed: Operation not permitted
```

I have no clue what's going wrong. The mount point is owned by gmnisrv, the database file too, /dev/fuse has read and write access for user, group, and other, and looking at the strace output doesn't reveal anything obviously wrong or different between running it with su or with Shepherd.

I also thought that I might be wrapping memex-runner.sps wrong and that it was finding the binaries in /gnu/store before the ones in /run/setuid-programs, so now wrap-program suffixes the PATH of inputs instead of prefixing it, but that still didn't fix anything.

I'm out of ideas. Any idea how to proceed, short of going through the source code for everything that's involved here, including FUSE, Shepherd, Linux, and Supertag?

Here is my channel; look for raingloom/services/gemini.scm and raingloom/packages/scheme.scm.
https://git.sr.ht/~raingloom/guix-packages/

My machine configs are private, but if needed I can share the relevant bits. I don't think there is anything relevant, though. It's a pretty basic web server setup with Nginx and Molly Brown.
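The post narrows the problem down to "same user, different launcher, different result", which is exactly the situation where a side-by-side environment report is more useful than reading source. The script below is an added example, not code from the original post or from the raingloom channel. It prints the facts an unprivileged FUSE mount depends on (effective user and groups, which `fusermount` the PATH resolves to and whether that file carries the setuid bit, whether `/run/setuid-programs` is on the PATH at all, the `NoNewPrivs` flag of the calling process, and the modes of `/dev/fuse` and the mount point), so it can be run once under `su -s ... gmnisrv` and once as the Shepherd service's start command and the two outputs diffed. The paths `/dev/fuse` and `/run/setuid-programs` are assumptions about a Guix System host; nothing here needs root.

```shell
#!/bin/sh
# fuse-precheck.sh: report the preconditions of an unprivileged FUSE mount.
# Added example; not part of the original post or the author's channel.
# /dev/fuse and /run/setuid-programs are assumed Guix System locations.

# resolve_in_path NAME PATHLIST: print the first executable NAME in the
# colon-separated PATHLIST, i.e. what the shell's own lookup would run.
# The body is a subshell so changing IFS does not leak into the caller.
# Exits 1 (prints nothing) when NAME is not found.
resolve_in_path() (
  IFS=:
  for dir in $2; do
    if [ -x "$dir/$1" ]; then
      printf '%s\n' "$dir/$1"
      exit 0
    fi
  done
  exit 1
)

# setuid_state FILE: "setuid", "not-setuid" or "missing".
# An unprivileged fusermount only gets to call mount(2) through the setuid
# bit; files under /gnu/store never carry it, the setuid copy lives in
# /run/setuid-programs, so resolving the store copy first is a real failure mode.
setuid_state() {
  if [ ! -e "$1" ]; then echo missing
  elif [ -u "$1" ]; then echo setuid
  else echo not-setuid
  fi
}

# no_new_privs: the NoNewPrivs flag of this process from /proc/self/status
# ("0", "1", or "unknown" when the field is not available).  A process with
# NoNewPrivs=1 cannot gain privilege through a setuid binary at all, so a
# supervisor that sets it makes fusermount fail regardless of PATH.
no_new_privs() {
  [ -r /proc/self/status ] || { echo unknown; return; }
  awk '/^NoNewPrivs:/ { print $2; found = 1 }
       END { if (!found) print "unknown" }' /proc/self/status
}

# fuse_report MOUNTPOINT: key=value lines describing this process's view.
fuse_report() {
  mp=$1
  fm=$(resolve_in_path fusermount "$PATH" || echo MISSING)
  case ":$PATH:" in
    *:/run/setuid-programs:*) setuid_dir=yes ;;
    *)                        setuid_dir=no ;;
  esac
  printf 'user=%s\n' "$(id -un)"
  printf 'groups=%s\n' "$(id -Gn | tr ' ' ',')"
  printf 'no_new_privs=%s\n' "$(no_new_privs)"
  printf 'fusermount=%s\n' "$fm"
  printf 'fusermount_setuid=%s\n' "$(setuid_state "$fm")"
  printf 'setuid_dir_in_path=%s\n' "$setuid_dir"
  printf 'dev_fuse=%s\n' "$(ls -l /dev/fuse 2>/dev/null || echo MISSING)"
  printf 'mountpoint=%s\n' "$(ls -ld "$mp" 2>/dev/null || echo MISSING)"
}

# Usage:
#   fuse-precheck.sh report /path/to/mountpoint > su.txt        (under su)
#   fuse-precheck.sh report /path/to/mountpoint > shepherd.txt  (as the service)
#   diff su.txt shepherd.txt
case "${1-}" in
  report) fuse_report "${2:-.}" ;;
esac
```

The point of emitting one key per line is that `diff` then shows only what actually differs between the two launchers; in practice the lines worth staring at are `fusermount=`, `fusermount_setuid=` and `no_new_privs=`, because a store copy of `fusermount` ahead of the setuid wrapper, or a supervisor that drops the ability to gain privileges, both produce the same `Operation not permitted` from the kernel while every file mode the post already checked looks fine.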