all messages for Guix-related lists mirrored at yhetil.org
From: Brice Waegeneire <brice@waegenei.re>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 52454@debbugs.gnu.org
Subject: [bug#52454] [PATCH v2 0/4] Ensure correct ownership of directory trees in services
Date: Tue, 21 Dec 2021 20:30:11 +0100
Message-ID: <8735mleoxo.fsf_-_@waegenei.re>
In-Reply-To: <87zgoxmway.fsf_-_@gnu.org> ("Ludovic Courtès"'s message of "Sat, 18 Dec 2021 22:34:45 +0100")

Hello Ludo’,

Here is a second version of the patch set.

Ludovic Courtès <ludo@gnu.org> writes:

> [...]
>
> This has been discussed a few times: I wonder if we should simply chown
> service home directories systematically?

#45571¹ is one such discussion. For services' home directories, I guess that's
what we should do, but it probably won't be sufficient, as log or cache
directories usually aren't in a home but still need to be chowned. The easiest
and probably least controversial would be to just replace the current `chown`
calls on directories with `lchown-recursive`.

Seeing that we don't want static UID/GID mapping, like most other distros do, we
could try to implement something like systemd's dynamic users² approach.

> Brice Waegeneire <brice@waegenei.re> skribis:
>
>> * guix/build/syscalls.scm (lchown): New procedure.
>
> Would be nice to add even trivial tests to tests/syscalls.scm.

I wrote 4 tests; however the last two, the ones actually testing 'lchown', fail
because "/tmp" has its sticky bit set, which prevents changing ownership of
files there.  I tried to work around this but didn't manage to.

> Unfortunately, this doesn’t work for service activation because when
> booting, activation snippets are run from the initrd’s Guile, which is
> statically linked and lacks dlopen.
>
> [...]
>
> For this strategy to work, you need to add ‘lchown’ in
> ‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
> build syscalls).

Done, and it fixes the check system for the postgresql service.

¹ <https://issues.guix.gnu.org/45571>
² <https://0pointer.net/blog/dynamic-users-with-systemd.html>

Cheers,
- Brice

Brice Waegeneire (4):
  syscalls: Add 'lchown'.
  activation: Add 'lchown-recursive'.
  services: postgresql: Ensure correct ownership of directory trees.
  services: cuirass: Ensure correct ownership of directory trees.

 gnu/build/activation.scm                      | 20 +++++-
 .../patches/guile-3.0-linux-syscalls.patch    | 33 ++++++++++
 gnu/services/cuirass.scm                      | 18 +++---
 gnu/services/databases.scm                    | 14 +++--
 guix/build/syscalls.scm                       | 16 +++++
 tests/syscalls.scm                            | 62 +++++++++++++++++++
 6 files changed, 150 insertions(+), 13 deletions(-)


base-commit: 87e5502d406bfb44b61f7577b241602e02a3498e
-- 
2.34.0

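The point of the series above is to replace plain `chown` on service directories with a recursive variant built on `lchown`, so that a symbolic link inside a service tree is re-owned as a link and its target is never touched. The following is an added example written for this page, not code from the patch set or from Guix's (gnu build activation) module, and it is in Python rather than Guile so it can run stand-alone. It walks a tree without following links, lists exactly which paths an `lchown`-based pass would change, and contrasts that with where a link-following `chown` would land. The directory layout (a service tree containing a planted symlink to a file outside it, and a symlink to a directory) is constructed inline for the demonstration; the ownership change itself is made to the caller's own uid/gid so it runs without CAP_CHOWN.

```python
import os
import tempfile


def lchown_recursive_paths(root):
    """Return the paths an lchown-based recursive chown would operate on.

    The tree is walked without following symbolic links: a link found inside
    ROOT is included (lchown changes the link's own owner), but its target is
    neither visited nor returned, so nothing outside ROOT is ever re-owned.
    """
    root = os.path.abspath(root)  # abspath, not realpath: keep a link as a link
    if os.path.islink(root):
        # If the root itself is a symlink, re-own the link only; never step
        # through it into whatever it currently points at.
        return [root]
    touched = [root]
    # followlinks=False: symlinked directories still show up in `dirnames`
    # (so they get lchown'ed) but os.walk does not descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            touched.append(os.path.join(dirpath, name))
    return touched


def lchown_recursive(root, uid, gid):
    """Apply os.lchown to every path in the tree; returns how many were changed."""
    paths = lchown_recursive_paths(root)
    for path in paths:
        os.lchown(path, uid, gid)
    return len(paths)


def following_chown_targets(root):
    """Where a link-following chown (os.chown's default) would actually land:
    every path is resolved, so a planted link drags its target into the set."""
    return sorted({os.path.realpath(p) for p in lchown_recursive_paths(root)})


def build_demo_tree(base):
    """Constructed sample layout for the demonstration (not from the patches):
    a service directory with a planted link to a file outside the tree and a
    link to a directory outside the tree."""
    outside = os.path.join(base, "outside-secret")
    with open(outside, "w") as f:
        f.write("not the service's file\n")
    svc = os.path.join(base, "var-lib-svc")
    os.makedirs(os.path.join(svc, "data"))
    with open(os.path.join(svc, "data", "db"), "w") as f:
        f.write("db\n")
    os.symlink(outside, os.path.join(svc, "planted"))      # link to a file
    os.symlink(base, os.path.join(svc, "data", "up"))      # link to a directory
    return svc, outside


def demo():
    """Build the tree, run both analyses and the real lchown pass, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        svc, outside = build_demo_tree(base)
        lpaths = lchown_recursive_paths(svc)
        ftargets = following_chown_targets(svc)
        changed = lchown_recursive(svc, os.getuid(), os.getgid())
        return {
            "count": changed,
            # the lchown pass stays inside the tree ...
            "lchown_touches_outside": outside in lpaths,
            # ... but re-owns the planted link itself
            "symlink_itself_touched": os.path.join(svc, "planted") in lpaths,
            # a following chown would have re-owned the outside file
            "following_chown_touches_outside": outside in ftargets,
            # and would have landed on the directory the "up" link points at
            "following_chown_touches_base": base in ftargets,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`os.walk(..., followlinks=False)` is what keeps the walk inside the tree; the extra `islink` check on the root covers the case the walk itself does not, since `os.walk` always resolves its top-level argument. Note that the test-in-`/tmp` problem mentioned above is different: changing a file to a uid you do not hold needs CAP_CHOWN regardless of where the file lives, which is why this example chowns to the caller's own uid/gid.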



Thread overview: 11+ messages
2021-12-12 18:28 [bug#52454] [PATCH 0/4] Ensure correct ownership of directory trees in services. Brice Waegeneire
2021-12-12 18:36 ` [bug#52454] [PATCH 1/4] syscalls: Add 'lchown' Brice Waegeneire
2021-12-18 21:34   ` [bug#52454] [PATCH 0/4] Ensure correct ownership of directory trees in services. Ludovic Courtès
2021-12-21 19:30     ` Brice Waegeneire [this message]
2021-12-21 19:36       ` [bug#52715] [PATCH v2 1/4] syscalls: Add 'lchown' Brice Waegeneire
2021-12-21 19:36       ` [bug#52713] [PATCH v2 2/4] activation: Add 'lchown-recursive' Brice Waegeneire
2021-12-21 19:36       ` [bug#52714] [PATCH v2 3/4] services: postgresql: Ensure correct ownership of directory trees Brice Waegeneire
2021-12-21 19:36       ` [bug#52712] [PATCH v2 4/4] services: cuirass: " Brice Waegeneire
2021-12-12 18:36 ` [bug#52454] [PATCH 2/4] activation: Add 'lchown-recursive' Brice Waegeneire
2021-12-12 18:36 ` [bug#52454] [PATCH 3/4] services: postgresql: Ensure correct ownership of directory trees Brice Waegeneire
2021-12-12 18:36 ` [bug#52454] [PATCH 4/4] services: cuirass: " Brice Waegeneire

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git