From: "pelzflorian (Florian Pelz)"
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Date: Sat, 30 Nov 2019 19:49:24 +0100
Message-ID: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
List-Id: Bug reports for GNU Guix
To: 38438@debbugs.gnu.org

Fcgiwrap should be started with the supplementary groups of its user.
Shepherd’s make-forkexec-constructor does not currently appear to
support this.

Upstream fcgiwrap ships with a systemd service with the User= setting.
Systemd confers this user’s supplementary groups by default:

> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).

Not starting with supplementary groups sometimes causes problems.
Namely the Guix manual claims for Gitolite’s umask:

> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’). This is necessary when using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`. It is also visible by configuring nginx to

  fastcgi_param SCRIPT_FILENAME /test/test.sh;

and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.

Regards,
Florian
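The check Florian describes (reading the supgrp column of `ps`, or running `id` through a CGI script) can be done directly against the kernel's own view of the process. The script below is an added example, not part of the bug report or of the Guix or Shepherd code: it reads the `Groups:` line of `/proc/PID/status`, compares it with the group list the user has in the group database according to `id -G`, and reports any group the process failed to receive. It assumes a Linux `/proc` and a coreutils-style `id`; the `pgrep` usage line and the script name are illustrative.

```sh
#!/bin/sh
# Added example, not part of the bug report: check whether a running
# process actually holds the supplementary groups its user has in the
# group database (e.g. whether fcgiwrap really received "git").
# Assumes Linux /proc and a coreutils-style id(1).

# Print the GIDs listed in $1 that do not appear in $2 (both
# space-separated), i.e. the groups the process did not receive.
missing_gids() {
    expected=$1
    actual=$2
    missing=""
    for gid in $expected; do
        found=no
        for have in $actual; do
            if [ "$gid" = "$have" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            missing="$missing $gid"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Read a /proc/PID/status document on stdin and print the GIDs on its
# "Groups:" line, which is the kernel's view of the supplementary list.
proc_groups() {
    sed -n 's/^Groups:[[:space:]]*//p' | tr -s '[:space:]' ' ' | sed 's/ *$//'
}

# Print the real UID or GID from a status document on stdin;
# $1 is "Uid" or "Gid" (first number on that line is the real id).
proc_id() {
    sed -n "s/^$1:[[:space:]]*\([0-9]*\).*/\1/p"
}

# Compare a live process with its user's database groups. The primary
# GID is left out of the expectation because the kernel's "Groups:"
# line only lists supplementary groups. Returns 1 if anything is missing.
check_pid() {
    pid=$1
    status="/proc/$pid/status"
    uid=$(proc_id Uid < "$status")
    primary=$(proc_id Gid < "$status")
    user=$(id -un "$uid")
    expected=""
    for g in $(id -G "$user"); do
        if [ "$g" != "$primary" ]; then
            expected="$expected $g"
        fi
    done
    actual=$(proc_groups < "$status")
    missing=$(missing_gids "$expected" "$actual")
    if [ -n "$missing" ]; then
        echo "PID $pid (user $user) lacks supplementary GIDs: $missing" >&2
        return 1
    fi
    echo "PID $pid (user $user) holds all of its user's supplementary groups"
}

# Usage (hypothetical script name): ./check-supgrp.sh "$(pgrep -o fcgiwrap)"
if [ -n "$1" ]; then
    check_pid "$1"
fi
```

On a system showing the bug, the `Groups:` line of the fcgiwrap process will not contain the `git` GID even though `id -G fcgiwrap` lists it, and the script exits 1 naming that GID; after the service gains the supplementary groups it exits 0. Using `/proc` rather than `ps` also works in minimal containers where procps is not installed.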