From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: nginx service modify user
Date: Mon, 19 Jun 2017 16:47:27 +0200
Message-ID: <87tw3cuj9c.fsf@gnu.org>
References: <87d1a3kw0m.fsf@jamestechnotes.com> <874lvc1av3.fsf@gnu.org> <87wp882l9b.fsf@jamestechnotes.com>
In-Reply-To: <87wp882l9b.fsf@jamestechnotes.com> (James Richardson's message of "Mon, 19 Jun 2017 08:51:44 -0400")
To: James Richardson
Cc: help-guix

James Richardson skribis:

> Ludovic Courtès writes:
>
>> Hi James,
>>
>> James Richardson skribis:
>>
>>> I've managed to get nginx running as a service (I'm running GuixSD). I
>>> would like the nginx user to be in supplementary groups; obviously
>>> usermod and vim /etc/group are not the proper solution.
>>>
>>> %nginx-accounts seems not to be exported from (gnu services web).
>>>
>>> Is there a way to add supplementary groups to the nginx user?
>>
>> Not yet, but this kind of customization is what's being discussed at
>> , so it's good that you're sharing this use
>> case now.
>>
>> Out of curiosity, what's the desired effect of adding these
>> supplementary groups?
>
> I have files, mostly pictures and videos, whose access is controlled at
> the group level on the file system. I typically add that group to the
> nginx user, so I provide web access; security is controlled via basic
> authentication. I set this up a long time ago (probably 10 years or
> more, but it was probably apache then). There are probably better
> ways to do this now with better solutions (mediagoblin and nextcloud
> come to mind) today. My quick workaround was to move most things to
> the nginx group and open permissions on a few others.

I see, that makes sense.

> Apparently, I don't have a use case for this, or at least not one I can
> justify at the moment (I think I've fallen into the "we've always done it
> this way" trap). Now it is feasible to achieve isolation by
> spinning up a container or vps rather than trying to use groups to
> achieve isolation on the same host.

Yeah, but GuixSD should not prevent this other approach IMO.

Thanks for explaining,
Ludo'.