all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: 38438@debbugs.gnu.org
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Date: Wed, 4 Dec 2019 11:22:12 +0100	[thread overview]
Message-ID: <20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain> (raw)
In-Reply-To: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>

[-- Attachment #1: Type: text/plain, Size: 665 bytes --]

I had hoped the attached quick hack would fix my issue when testing
with the attached vm-image config from
<https://lists.gnu.org/archive/html/guix-devel/2019-11/msg00421.html>.
That is, I wanted it to suffice to set Gitolite’s umask to #o0027 as
described in the manual instead of #o0022, after I do `usermod -aG git
fcgiwrap`.  But instead I get “Operation not permitted” error from
setgroups.  I will try again later with the position of setuid and
setgroups call swapped.

The hack makes make-forkexec-constructor use the supplementary groups
from the user.  Systemd uses them by default.  However they should be
made more configurable.

Regards,
Florian

[-- Attachment #2: quick-hack.patch --]
[-- Type: text/plain, Size: 4039 bytes --]

From ddf372637089957e8c62d53c7eca07cfa9155a04 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Wed, 4 Dec 2019 09:33:08 +0100
Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to
 those of #:user.

Fixes <https://bugs.gnu.org/38438>.

* gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (shepherd): Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/admin.scm                        |  4 +-
 .../shepherd-set-supplementary-groups.patch   | 43 +++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9ddd1349da..b807e3879c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1348,6 +1348,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch	\
   %D%/packages/patches/seq24-rename-mutex.patch			\
   %D%/packages/patches/sharutils-CVE-2018-1000097.patch		\
+  %D%/packages/patches/shepherd-set-supplementary-groups.patch	\
   %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 6e5648d159..3f94b45623 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))))
+                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))
+              (patches
+               (search-patches "shepherd-set-supplementary-groups.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--localstatedir=/var")))
diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
new file mode 100644
index 0000000000..8cac24417d
--- /dev/null
+++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
@@ -0,0 +1,43 @@
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index bd7e379..2344915 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace."
+               (try-again)
+               (apply throw args)))))))
+ 
++(define (supplementary-gids user)
++  "Return a vector with the gid for each supplementary group USER belongs to.
++USER is the user name as a string."
++  ;; TODO: To find them, we loop through the group database, but maybe using
++  ;; glibc’s getgrouplist would be better.  But it is not exported from Guile
++  ;; and it seems it is not part of POSIX (?).
++  (list->vector
++   (delete-duplicates
++    (dynamic-wind
++        (lambda () (setgrent))
++        (lambda ()
++          (let loop ((supgids '()))
++            (let ((group (getgrent)))
++              (define (user-among-group? group)
++                (member user (group:mem group)))
++              (match group
++                     (#f supgids)
++                     ((? user-among-group?)
++                      (loop (cons (group:gid group) supgids)))
++                     (else (loop supgids))))))
++        (lambda () (endgrent))))))
++
+ (define* (exec-command command
+                        #:key
+                        (user #f)
+@@ -826,7 +848,8 @@ false."
+      (when user
+        (catch #t
+          (lambda ()
+-           (setuid (passwd:uid (getpw user))))
++           (setuid (passwd:uid (getpw user)))
++           (setgroups (supplementary-gids user)))
+          (lambda (key . args)
+            (format (current-error-port)
+                    "failed to change to user ~s:~%" user)
-- 
2.24.0


[-- Attachment #3: test-vm-config.scm --]
[-- Type: application/vnd.lotus-screencam, Size: 1514 bytes --]

  reply	other threads:[~2019-12-04 10:23 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-30 18:49 bug#38438: Fcgiwrap service has no supplementary groups pelzflorian (Florian Pelz)
2019-12-04 10:22 ` pelzflorian (Florian Pelz) [this message]
2019-12-04 11:32   ` pelzflorian (Florian Pelz)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain \
    --to=pelzflorian@pelzflorian.de \
    --cc=38438@debbugs.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.