unofficial mirror of help-guix@gnu.org 
* nginx service modify user
@ 2017-06-17  5:45 James Richardson
  2017-06-19 11:21 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: James Richardson @ 2017-06-17  5:45 UTC (permalink / raw)
  To: help-guix


Hello,

I've managed to get nginx running as service (I'm running GuixSD). I
would like the nginx user to be in supplementary groups, obviously
usermod and vim /etc/group are not the proper solution.

%nginx-accounts seems not to be exported from (gnu services web).

Is there a way to add supplementary groups to the nginx user?

Thanks,
James
-- 
I prefer encrypted email.
GPG Fingerprint = 8FD2 7619 C19A 2201 CB1D  E131 EA1C F14B D846 7AFB


* Re: nginx service modify user
  2017-06-17  5:45 nginx service modify user James Richardson
@ 2017-06-19 11:21 ` Ludovic Courtès
  2017-06-19 12:51   ` James Richardson
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2017-06-19 11:21 UTC (permalink / raw)
  To: James Richardson; +Cc: help-guix

Hi James,

James Richardson <james@jamestechnotes.com> skribis:

> I've managed to get nginx running as service (I'm running GuixSD). I
> would like the nginx user to be in supplementary groups, obviously
> usermod and vim /etc/group are not the proper solution.
>
> %nginx-accounts seems not to be exported from (gnu services web).
>
> Is there a way to add supplementary groups to the nginx user?

Not yet, but this kind of customization is what’s being discussed at
<https://bugs.gnu.org/27155>, so it’s good that you’re sharing this use
case now.

Out of curiosity, what’s the desired effect of adding these
supplementary groups?

Thanks,
Ludo’.


* Re: nginx service modify user
  2017-06-19 11:21 ` Ludovic Courtès
@ 2017-06-19 12:51   ` James Richardson
  2017-06-19 14:47     ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: James Richardson @ 2017-06-19 12:51 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix


Ludovic Courtès writes:

> Hi James,
>
> James Richardson <james@jamestechnotes.com> skribis:
>
>> I've managed to get nginx running as service (I'm running GuixSD). I
>> would like the nginx user to be in supplementary groups, obviously
>> usermod and vim /etc/group are not the proper solution.
>>
>> %nginx-accounts seems not to be exported from (gnu services web).
>>
>> Is there a way to add supplementary groups to the nginx user?
>
> Not yet, but this kind of customization is what’s being discussed at
> <https://bugs.gnu.org/27155>, so it’s good that you’re sharing this use
> case now.
>
> Out of curiosity, what’s the desired effect of adding these
> supplementary groups?

I have files, mostly pictures and videos, whose access is controlled at
the group level on the file system. I typically add that group to the
nginx user, so I provide web access, security is controlled via basic
authentication. I set this up a long time ago (probably 10 years or
more, but it was probably apache then). There are probably better
ways to do this now with better solutions (mediagoblin and nextcloud
come to mind) today. My quick workaround was to move most things to
the nginx group and open permissions on a few others.

My use case was to give nginx read permissions to a group files by
adding the group to the nginx user. I think I would not do this the same
today (I've a bit in the last decade or so ;).

Apparently, I don't have a use case for this, or at least not one I can
justify at the moment (I think I've fallen into the "we've always done it
this way" trap). Now it is feasible to achieve isolation by
spinning up a container or vps rather than trying to use groups to
achieve isolation on the same host.

Thanks,
James


* Re: nginx service modify user
  2017-06-19 12:51   ` James Richardson
@ 2017-06-19 14:47     ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2017-06-19 14:47 UTC (permalink / raw)
  To: James Richardson; +Cc: help-guix

James Richardson <james@jamestechnotes.com> skribis:

> Ludovic Courtès writes:
>
>> Hi James,
>>
>> James Richardson <james@jamestechnotes.com> skribis:
>>
>>> I've managed to get nginx running as service (I'm running GuixSD). I
>>> would like the nginx user to be in supplementary groups, obviously
>>> usermod and vim /etc/group are not the proper solution.
>>>
>>> %nginx-accounts seems not to be exported from (gnu services web).
>>>
>>> Is there a way to add supplementary groups to the nginx user?
>>
>> Not yet, but this kind of customization is what’s being discussed at
>> <https://bugs.gnu.org/27155>, so it’s good that you’re sharing this use
>> case now.
>>
>> Out of curiosity, what’s the desired effect of adding these
>> supplementary groups?
>
> I have files, mostly pictures and videos, whose access is controlled at
> the group level on the file system. I typically add that group to the
> nginx user, so I provide web access, security is controlled via basic
> authentication. I set this up a long time ago (probably 10 years or
> more, but it was probably apache then). There are probably better
> ways to do this now with better solutions (mediagoblin and nextcloud
> come to mind) today. My quick workaround was to move most things to
> the nginx group and open permissions on a few others.

I see, that makes sense.

> Apparently, I don't have a use case for this, or at least not one I can
> justify at the moment (I think I've fallen into the "we've always done it
> this way" trap). Now it is feasible to achieve isolation by
> spinning up a container or vps rather than trying to use groups to
> achieve isolation on the same host.

Yeah, but GuixSD should not prevent this other approach IMO.

Thanks for explaining,
Ludo’.
