From: Alexander Asteroth
To: Csepp
Cc: help-guix@gnu.org
Subject: Re: guix shell set user groups to access security token
Date: Sun, 15 Jan 2023 16:20:04 +0100
Message-ID: <87bkmzlt2q.fsf@h-brs.de>
In-reply-to: <86lem43pro.fsf@riseup.net>
References: <87pmbgyrlz.fsf@h-brs.de> <86lem43pro.fsf@riseup.net>

Thanks for the simple workaround. It helped to find out that the error
is not caused by the user's group ids. In fact it's related to missing
network access. I solved it by providing --network to the shell but
unfortunately this only worked exactly one single time. Now as soon as I
enable the network, the usb-connection to the token via /dev/sg0 is not
established at all. Very strange (in particular, that it worked one
time).

On Sun, Jan 15 2023, 14:11:45, Csepp wrote:

> Alexander Asteroth writes:
>
>> Dear all,
>>
>> I'm trying to get my security token software (sealone) to work under
>> guix SD. The software is unfortunately not available in source and seems
>> to expect an FHS filesystem. I therefore tried to run it in guix shell. A
>> first trial was:
>>
>>   guix shell -CFD ungoogled-chromium gcc:lib --expose=/dev
>>
>> in this environment I can execute the software and the token gets
>> connected but reports some error condition and is not usable. It might
>> have to do with the user not being in group cdrom which usually is
>> necessary to access /dev/sg0.
>>
>> Any idea how to set the groups the user is member of in guix shell?
>> Or any other idea how I could get such software to work under guix?
>>
>> Cheers,
>> Alex
>
> Bit of an ugly hack but what I usually do is chown devices I'm working
> with to myself.
> Haven't tried that in a guix container but in theory it should work.