* bug#38438: Fcgiwrap service has no supplementary groups
From: pelzflorian (Florian Pelz) @ 2019-11-30 18:49 UTC
To: 38438

Fcgiwrap should be started with the supplementary groups of its user. Shepherd’s make-forkexec-constructor does not currently appear to support this.

Upstream fcgiwrap ships with a systemd service with the User= setting. Systemd confers this user’s supplementary groups by default: <https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:

> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).

Not starting with supplementary groups sometimes causes problems. Namely the Guix manual claims for Gitolite’s umask:

> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’). This is necessary when using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the fcgiwrap user does not confer the supplementary group git to fcgiwrap. This is visible when looking at the fcgiwrap process in `ps -eo pid,supgrp,args`. It is also visible by configuring nginx to

  fastcgi_param SCRIPT_FILENAME /test/test.sh;

and making test.sh a script that prints "Content-Type: text/plain\n\n" followed by the output of the id command.

Regards,
Florian
* bug#38438: Fcgiwrap service has no supplementary groups 2019-11-30 18:49 bug#38438: Fcgiwrap service has no supplementary groups pelzflorian (Florian Pelz) @ 2019-12-04 10:22 ` pelzflorian (Florian Pelz) 2019-12-04 11:32 ` pelzflorian (Florian Pelz) 0 siblings, 1 reply; 3+ messages in thread From: pelzflorian (Florian Pelz) @ 2019-12-04 10:22 UTC (permalink / raw) To: 38438 [-- Attachment #1: Type: text/plain, Size: 665 bytes --] I had hoped the attached quick hack would fix my issue when testing with the attached vm-image config from <https://lists.gnu.org/archive/html/guix-devel/2019-11/msg00421.html>. That is, I wanted it to suffice to set Gitolite’s umask to #o0027 as described in the manual instead of #o0022, after I do `usermod -aG git fcgiwrap`. But instead I get “Operation not permitted” error from setgroups. I will try again later with the position of setuid and setgroups call swapped. The hack makes make-forkexec-constructor use the supplementary groups from the user. Systemd uses them by default. However they should be made more configurable. Regards, Florian [-- Attachment #2: quick-hack.patch --] [-- Type: text/plain, Size: 4039 bytes --] From ddf372637089957e8c62d53c7eca07cfa9155a04 Mon Sep 17 00:00:00 2001 From: Florian Pelz <pelzflorian@pelzflorian.de> Date: Wed, 4 Dec 2019 09:33:08 +0100 Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to those of #:user. Fixes <https://bugs.gnu.org/38438>. * gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/admin.scm (shepherd): Use it. --- gnu/local.mk | 1 + gnu/packages/admin.scm | 4 +- .../shepherd-set-supplementary-groups.patch | 43 +++++++++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9ddd1349da..b807e3879c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1348,6 +1348,7 @@ dist_patch_DATA = \ %D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ %D%/packages/patches/sharutils-CVE-2018-1000097.patch \ + %D%/packages/patches/shepherd-set-supplementary-groups.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 6e5648d159..3f94b45623 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).") version ".tar.gz")) (sha256 (base32 - "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk")))) + "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk")) + (patches + (search-patches "shepherd-set-supplementary-groups.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--localstatedir=/var"))) diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch new file mode 100644 index 0000000000..8cac24417d --- /dev/null +++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch 
@@ -0,0 +1,43 @@ +diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm +index bd7e379..2344915 100644 +--- a/modules/shepherd/service.scm ++++ b/modules/shepherd/service.scm +@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace." + (try-again) + (apply throw args))))))) + ++(define (supplementary-gids user) ++ "Return a vector with the gid for each supplementary group USER belongs to. ++USER is the user name as a string." ++ ;; TODO: To find them, we loop through the group database, but maybe using ++ ;; glibc’s getgrouplist would be better. But it is not exported from Guile ++ ;; and it seems it is not part of POSIX (?). ++ (list->vector ++ (delete-duplicates ++ (dynamic-wind ++ (lambda () (setgrent)) ++ (lambda () ++ (let loop ((supgids '())) ++ (let ((group (getgrent))) ++ (define (user-among-group? group) ++ (member user (group:mem group))) ++ (match group ++ (#f supgids) ++ ((? user-among-group?) ++ (loop (cons (group:gid group) supgids))) ++ (else (loop supgids)))))) ++ (lambda () (endgrent)))))) ++ + (define* (exec-command command + #:key + (user #f) +@@ -826,7 +848,8 @@ false." + (when user + (catch #t + (lambda () +- (setuid (passwd:uid (getpw user)))) ++ (setuid (passwd:uid (getpw user))) ++ (setgroups (supplementary-gids user))) + (lambda (key . args) + (format (current-error-port) + "failed to change to user ~s:~%" user) -- 2.24.0 [-- Attachment #3: test-vm-config.scm --] [-- Type: application/vnd.lotus-screencam, Size: 1514 bytes --] ^ permalink raw reply related [flat|nested] 3+ messages in thread
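Review bot: in the new `supplementary-gids` (hunk `+@@ -758,6 +758,28 @@`) the catch-all clause `(else (loop supgids))` only works because ice-9 `match` treats `else` as an ordinary pattern variable that is bound to the non-matching group; the idiomatic spelling is `(_ (loop supgids))`, which states the intent and binds nothing. The docstring should also say that only groups whose member list names USER are returned, so the user's primary group from passwd is not among them; that matters for the TODO about getgrouplist(3), because getgrouplist does include the primary group and switching to it later would change what is passed to setgroups.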
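Review bot: in hunk `+@@ -826,7 +848,8 @@` the added `(setgroups (supplementary-gids user))` runs after `(setuid (passwd:uid (getpw user)))`, so by the time it executes the process has already switched to the unprivileged uid and no longer holds CAP_SETGID; setgroups(2) then fails with EPERM, which is the "Operation not permitted" the message reports. Swap the two calls so the group list is set first and the uid last. Note also that the enclosing `catch #t` now covers the setgroups call, so a group failure is reported as "failed to change to user ~s", which is misleading unless the message mentions groups or prints the caught `args`.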
* bug#38438: Fcgiwrap service has no supplementary groups 2019-12-04 10:22 ` pelzflorian (Florian Pelz) @ 2019-12-04 11:32 ` pelzflorian (Florian Pelz) 0 siblings, 0 replies; 3+ messages in thread From: pelzflorian (Florian Pelz) @ 2019-12-04 11:32 UTC (permalink / raw) To: 38438 [-- Attachment #1: Type: text/plain, Size: 288 bytes --] On Wed, Dec 04, 2019 at 11:22:13AM +0100, pelzflorian (Florian Pelz) wrote: > I had hoped the attached quick hack would fix my issue when testing The now attached patch works now (after doing `usermod -aG git fcgiwrap`, `herd stop fcgiwrap` and `herd start fcgiwrap`). Regards, Florian [-- Attachment #2: quick-hack-fixed.patch --] [-- Type: text/plain, Size: 3930 bytes --] From 901f3e0ff52e817344a839a5f7c55c96dd530704 Mon Sep 17 00:00:00 2001 From: Florian Pelz <pelzflorian@pelzflorian.de> Date: Wed, 4 Dec 2019 09:33:08 +0100 Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to those of #:user. Fixes <https://bugs.gnu.org/38438>. * gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/admin.scm (shepherd): Use it. --- gnu/local.mk | 1 + gnu/packages/admin.scm | 4 +- .../shepherd-set-supplementary-groups.patch | 41 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9ddd1349da..b807e3879c 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1348,6 +1348,7 @@ dist_patch_DATA = \ %D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch \ %D%/packages/patches/seq24-rename-mutex.patch \ %D%/packages/patches/sharutils-CVE-2018-1000097.patch \ + %D%/packages/patches/shepherd-set-supplementary-groups.patch \ %D%/packages/patches/shishi-fix-libgcrypt-detection.patch \ %D%/packages/patches/slim-session.patch \ %D%/packages/patches/slim-config.patch \ 
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm index 6e5648d159..3f94b45623 100644 --- a/gnu/packages/admin.scm +++ b/gnu/packages/admin.scm @@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).") version ".tar.gz")) (sha256 (base32 - "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk")))) + "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk")) + (patches + (search-patches "shepherd-set-supplementary-groups.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--localstatedir=/var"))) diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch new file mode 100644 index 0000000000..f72f7329f6 --- /dev/null +++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch 
@@ -0,0 +1,41 @@ +diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm +index bd7e379..74fed23 100644 +--- a/modules/shepherd/service.scm ++++ b/modules/shepherd/service.scm +@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace." + (try-again) + (apply throw args))))))) + ++(define (supplementary-gids user) ++ "Return a vector with the gid for each supplementary group USER belongs to. ++USER is the user name as a string." ++ ;; TODO: To find them, we loop through the group database, but maybe using ++ ;; glibc’s getgrouplist would be better. But it is not exported from Guile ++ ;; and it seems it is not part of POSIX (?). ++ (list->vector ++ (delete-duplicates ++ (dynamic-wind ++ (lambda () (setgrent)) ++ (lambda () ++ (let loop ((supgids '())) ++ (let ((group (getgrent))) ++ (define (user-among-group? group) ++ (member user (group:mem group))) ++ (match group ++ (#f supgids) ++ ((? user-among-group?) ++ (loop (cons (group:gid group) supgids))) ++ (else (loop supgids)))))) ++ (lambda () (endgrent)))))) ++ + (define* (exec-command command + #:key + (user #f) +@@ -826,6 +848,7 @@ false." + (when user + (catch #t + (lambda () ++ (setgroups (supplementary-gids user)) + (setuid (passwd:uid (getpw user)))) + (lambda (key . args) + (format (current-error-port) -- 2.24.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
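Review bot: in hunk `+@@ -826,6 +848,7 @@` the order is now right, `setgroups` before `setuid`, so the group list is set while the process still holds CAP_SETGID. Two points remain: the surrounding `catch #t` reports a setgroups failure as a failure to change user, so the format string should mention groups or include the caught `key` and `args`; and the hunk touches only the supplementary list and the uid, so whether the primary gid is set elsewhere in exec-command, and in the right order relative to this call, is not visible here and is worth confirming before merging.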
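The check the first message does by hand (looking at `ps -eo pid,supgrp,args` and serving a test.sh that prints `id`), the verification step after `usermod -aG git fcgiwrap` and a `herd stop`/`herd start` in the last message, and the privilege-drop order the first patch gets wrong and the second gets right, as an added Python example that is not code from the bug report or from Shepherd. It assumes Linux with /proc mounted and a service user that exists in the user database (the "fcgiwrap" user is only the name used in the thread); the /proc status text inside it is constructed so the parsing part runs offline.

```python
"""Added example for bug#38438 (not code from the bug report or Shepherd):
verify that a running service carries its user's supplementary groups and
show the privilege-drop order under which setgroups succeeds.
Assumes Linux (/proc) and a service user present in the user database."""
import os
import pwd
import re
import sys
from typing import Iterable, List, Set

# Constructed sample of /proc/PID/status for a process that runs with its
# primary group 998 and group 1000 but not with the gitolite group (offline test data).
SAMPLE_STATUS = (
    "Name:\tfcgiwrap\n"
    "Uid:\t998\t998\t998\t998\n"
    "Gid:\t998\t998\t998\t998\n"
    "Groups:\t998 1000 \n"
)


def parse_status_groups(status_text: str) -> Set[int]:
    """Return the supplementary gids on the Groups: line of a /proc/PID/status
    text (the same data `ps -o supgrp` prints by group name)."""
    match = re.search(r"^Groups:[ \t]*(.*)$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no Groups: line in status text")
    return {int(gid) for gid in match.group(1).split()}


def expected_supplementary_gids(user: str) -> Set[int]:
    """Groups the user database grants USER beyond its primary group, i.e.
    what systemd's User= (via getgrouplist(3)) would hand the service."""
    pw = pwd.getpwnam(user)
    return set(os.getgrouplist(pw.pw_name, pw.pw_gid)) - {pw.pw_gid}


def missing_gids(expected: Iterable[int], actual: Iterable[int]) -> List[int]:
    """Gids in EXPECTED that the process does not have; an empty list is OK."""
    return sorted(set(expected) - set(actual))


def process_supplementary_gids(pid: int) -> Set[int]:
    """Supplementary gids of a live process, read from /proc."""
    with open(f"/proc/{pid}/status") as status:
        return parse_status_groups(status.read())


def check_service(user: str, pid: int) -> List[int]:
    """The bug report's check: groups USER has that the service PID lacks."""
    return missing_gids(expected_supplementary_gids(user),
                        process_supplementary_gids(pid))


def cgi_report(user: str) -> str:
    """Response for a CGI script like the report's test.sh: a text/plain
    header, then the groups this process (fcgiwrap's child) actually runs
    with and which of USER's supplementary groups are missing."""
    have = set(os.getgroups())
    missing = missing_gids(expected_supplementary_gids(user), have)
    body = (f"uid={os.getuid()} gid={os.getgid()} "
            f"groups={sorted(have)} missing={missing}\n")
    return "Content-Type: text/plain\n\n" + body


def drop_privileges(user: str) -> None:
    """Switch to USER in the order the kernel requires.  setgroups(2) and
    setgid(2) need CAP_SETGID, so they must run while still root; calling
    setgroups after setuid fails with EPERM ("Operation not permitted"),
    which is exactly the failure seen with the first patch in the thread."""
    pw = pwd.getpwnam(user)
    os.setgroups(os.getgrouplist(pw.pw_name, pw.pw_gid))  # first: still root
    os.setgid(pw.pw_gid)                                  # then the primary gid
    os.setuid(pw.pw_uid)                                  # last: give up root


if __name__ == "__main__":
    # Usage: python3 check_groups.py USER PID   (e.g. fcgiwrap and its pid)
    if len(sys.argv) != 3:
        sys.exit("usage: check_groups.py USER PID")
    missing = check_service(sys.argv[1], int(sys.argv[2]))
    print("ok" if not missing else f"missing supplementary gids: {missing}")
    sys.exit(1 if missing else 0)
```

Run it as `python3 check_groups.py fcgiwrap PID` with the pid of the fcgiwrap process after adding the user to the git group and restarting the service; a non-zero exit with the git gid listed reproduces the report, an empty list confirms the fix. A two-line CGI script that prints `cgi_report("fcgiwrap")` can stand in for the `id`-printing test.sh behind nginx's SCRIPT_FILENAME, and `drop_privileges` is the order any forkexec-style constructor has to use, whatever language it is written in.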