From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: 38438@debbugs.gnu.org
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Date: Wed, 4 Dec 2019 11:22:12 +0100
Message-ID: <20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain>
In-Reply-To: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
[-- Attachment #1: Type: text/plain, Size: 665 bytes --]
I had hoped the attached quick hack would fix my issue when testing
with the attached vm-image config from
<https://lists.gnu.org/archive/html/guix-devel/2019-11/msg00421.html>.
That is, I wanted it to suffice to set Gitolite’s umask to #o0027 as
described in the manual instead of #o0022, after I do `usermod -aG git
fcgiwrap`. But instead I get an “Operation not permitted” error from
setgroups. I will try again later with the positions of the setuid and
setgroups calls swapped.

The hack makes make-forkexec-constructor use the supplementary groups
from the user. Systemd uses them by default. However, they should be
made more configurable.
Regards,
Florian
[-- Attachment #2: quick-hack.patch --]
[-- Type: text/plain, Size: 4039 bytes --]
From ddf372637089957e8c62d53c7eca07cfa9155a04 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Wed, 4 Dec 2019 09:33:08 +0100
Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to
those of #:user.
Fixes <https://bugs.gnu.org/38438>.
* gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (shepherd): Use it.
---
gnu/local.mk | 1 +
gnu/packages/admin.scm | 4 +-
.../shepherd-set-supplementary-groups.patch | 43 +++++++++++++++++++
3 files changed, 47 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 9ddd1349da..b807e3879c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1348,6 +1348,7 @@ dist_patch_DATA = \
%D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch \
%D%/packages/patches/seq24-rename-mutex.patch \
%D%/packages/patches/sharutils-CVE-2018-1000097.patch \
+ %D%/packages/patches/shepherd-set-supplementary-groups.patch \
%D%/packages/patches/shishi-fix-libgcrypt-detection.patch \
%D%/packages/patches/slim-session.patch \
%D%/packages/patches/slim-config.patch \
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 6e5648d159..3f94b45623 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).")
version ".tar.gz"))
(sha256
(base32
- "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))))
+ "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))
+ (patches
+ (search-patches "shepherd-set-supplementary-groups.patch"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--localstatedir=/var")))
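Review bot: Patching Shepherd's package here changes the behaviour of every service started with #:user, not only fcgiwrap, yet the new shepherd-set-supplementary-groups.patch starts straight at `diff --git` with no header comment stating its purpose and upstream status, which most Guix patch files carry; add that header, and since the cover mail itself says the groups "should be made more configurable", consider sending the change upstream to Shepherd (for example as a keyword argument alongside #:user) rather than carrying a Guix-local patch.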
diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
new file mode 100644
index 0000000000..8cac24417d
--- /dev/null
+++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
@@ -0,0 +1,43 @@
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index bd7e379..2344915 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace."
+ (try-again)
+ (apply throw args)))))))
+
++(define (supplementary-gids user)
++ "Return a vector with the gid for each supplementary group USER belongs to.
++USER is the user name as a string."
++ ;; TODO: To find them, we loop through the group database, but maybe using
++ ;; glibc’s getgrouplist would be better. But it is not exported from Guile
++ ;; and it seems it is not part of POSIX (?).
++ (list->vector
++ (delete-duplicates
++ (dynamic-wind
++ (lambda () (setgrent))
++ (lambda ()
++ (let loop ((supgids '()))
++ (let ((group (getgrent)))
++ (define (user-among-group? group)
++ (member user (group:mem group)))
++ (match group
++ (#f supgids)
++ ((? user-among-group?)
++ (loop (cons (group:gid group) supgids)))
++ (else (loop supgids))))))
++ (lambda () (endgrent))))))
++
+ (define* (exec-command command
+ #:key
+ (user #f)
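Review bot: supplementary-gids only collects groups whose member field lists USER, so the user's primary group (passwd:gid) never ends up in the returned vector, and because setgroups replaces the entire supplementary set the child will not be a member of its own primary group through that route; if exec-command does not call setgid elsewhere (not visible in this hunk) the service also keeps the parent's gid. Consider consing `(passwd:gid (getpw user))` onto the result, which is what getgrouplist(3), mentioned in the TODO, does with its gid argument, and say in the docstring that the caller is expected to setgid as well. The `#f` clause correctly relies on getgrent returning #f at end of database; note that the scan is linear over the whole group database on every service start, acceptable for a quick hack but worth a comment.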
+@@ -826,7 +848,8 @@ false."
+ (when user
+ (catch #t
+ (lambda ()
+- (setuid (passwd:uid (getpw user))))
++ (setuid (passwd:uid (getpw user)))
++ (setgroups (supplementary-gids user)))
+ (lambda (key . args)
+ (format (current-error-port)
+ "failed to change to user ~s:~%" user)
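Review bot: setgroups is called after setuid, so by the time it runs the process has already switched to an unprivileged uid and lost CAP_SETGID, and setgroups fails with EPERM; that is the "Operation not permitted" the cover mail reports. Move `(setgroups (supplementary-gids user))` (and any setgid) before `(setuid (passwd:uid (getpw user)))`, the usual drop order being supplementary groups, then gid, then uid. The catch handler's "failed to change to user ~s" message now also covers setgroups failures; printing the thrown key and args as well would let an EPERM from setgroups be told apart from an unknown user name.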
--
2.24.0
[-- Attachment #3: test-vm-config.scm --]
[-- Type: application/vnd.lotus-screencam, Size: 1514 bytes --]
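As an added example (not code from this mail, from Shepherd or from Guix), the following Python script reproduces the ordering problem the mail describes and shows the order that works: supplementary groups first, then gid, then uid. Python is used because the point is the POSIX setgroups/setgid/setuid calls, not Guile; the `SAMPLE_GROUPS` table is a constructed stand-in for /etc/group, and the root-only demonstration assumes an account named "nobody" exists. It goes slightly beyond the patch by including the primary gid in the list, as getgrouplist(3) does, and by checking that root cannot be regained after the drop.

```python
"""Privilege drop with supplementary groups: order matters.

Added example for bug#38438; it is not Shepherd or Guix code.  It
reproduces the reported failure (setgroups after setuid -> EPERM) and
shows the order that works: setgroups, then setgid, then setuid.
"""
import errno
import grp
import os
import pwd


def supplementary_gids(user, primary_gid, group_db):
    """Return the sorted, de-duplicated gid list for USER.

    group_db is an iterable of (name, gid, members) tuples standing in for
    the group database, so the function can be exercised offline.  Unlike a
    scan of group membership fields alone, the primary gid is included, as
    getgrouplist(3) does: setgroups(2) replaces the whole supplementary
    set, so a list without it silently drops the user's own group.
    """
    gids = {primary_gid}
    for _name, gid, members in group_db:
        if user in members:
            gids.add(gid)
    return sorted(gids)


def drop_privileges(user):
    """Switch the calling process to USER: groups first, uid last.

    Requires root (CAP_SETGID and CAP_SETUID).  Once setuid() has left
    root, setgroups() and setgid() are no longer permitted, so they must
    come first.  Returns True after verifying root cannot be regained.
    """
    pw = pwd.getpwnam(user)
    gids = supplementary_gids(
        user, pw.pw_gid,
        ((g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()))
    os.setgroups(gids)      # still root here: allowed
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)    # irreversible; nothing privileged after this
    try:
        os.setuid(0)        # must fail, otherwise the drop was incomplete
    except PermissionError:
        return True
    raise RuntimeError("still able to regain root after setuid")


def setgroups_after_setuid(user):
    """Reproduce the failure from the bug report in a forked child.

    Returns the errno name raised by setgroups() after setuid(), or None
    if it unexpectedly succeeded.  A child is used because setuid() cannot
    be undone in the calling process.
    """
    pw = pwd.getpwnam(user)
    pid = os.fork()
    if pid == 0:                       # child
        os.setuid(pw.pw_uid)           # privileges gone...
        try:
            os.setgroups([pw.pw_gid])  # ...so this lacks CAP_SETGID
            os._exit(0)
        except PermissionError:
            os._exit(errno.EPERM)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status)
    return errno.errorcode.get(code) if code else None


# Constructed sample group database (name, gid, members); not a real system's.
SAMPLE_GROUPS = [
    ("root", 0, []),
    ("git", 997, ["fcgiwrap", "alice"]),   # after `usermod -aG git fcgiwrap`
    ("fcgiwrap", 998, []),                 # fcgiwrap's primary group
    ("www", 999, ["fcgiwrap"]),
]


if __name__ == "__main__":
    print("fcgiwrap gids:", supplementary_gids("fcgiwrap", 998, SAMPLE_GROUPS))
    if os.geteuid() == 0:
        # Assumes an account named "nobody" exists (true on most systems).
        print("setgroups after setuid:", setgroups_after_setuid("nobody"))
        print("correct order:", drop_privileges("nobody"))
    else:
        print("run as root to exercise the setgroups/setuid ordering")
```

Run as root, `setgroups_after_setuid` returns `"EPERM"`, matching the error in the mail, while `drop_privileges` completes; run unprivileged, only the offline gid computation is exercised.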
Thread overview: 3+ messages
2019-11-30 18:49 bug#38438: Fcgiwrap service has no supplementary groups pelzflorian (Florian Pelz)
2019-12-04 10:22 ` pelzflorian (Florian Pelz) [this message]
2019-12-04 11:32 ` pelzflorian (Florian Pelz)