From mboxrd@z Thu Jan  1 00:00:00 1970
From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=)
Subject: Re: nginx service modify user
Date: Mon, 19 Jun 2017 16:47:27 +0200
Message-ID: <87tw3cuj9c.fsf@gnu.org>
References: <87d1a3kw0m.fsf@jamestechnotes.com> <874lvc1av3.fsf@gnu.org>
	<87wp882l9b.fsf@jamestechnotes.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46269)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1dMxxn-0004Pl-Bq
	for help-guix@gnu.org; Mon, 19 Jun 2017 10:47:36 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <ludo@gnu.org>) id 1dMxxi-0005f0-UO
	for help-guix@gnu.org; Mon, 19 Jun 2017 10:47:35 -0400
In-Reply-To: <87wp882l9b.fsf@jamestechnotes.com> (James Richardson's message
	of "Mon, 19 Jun 2017 08:51:44 -0400")
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: James Richardson <james@jamestechnotes.com>
Cc: help-guix <help-guix@gnu.org>

James Richardson <james@jamestechnotes.com> skribis:

> Ludovic Court=C3=A8s writes:
>
>> Hi James,
>>
>> James Richardson <james@jamestechnotes.com> skribis:
>>
>>> I've managed to get nginx running as service (I'm running GuixSD). I
>>> would like the nginx user to be in supplementary groups, obviously
>>> usermod and vim /etc/group are not the proper solution.
>>>
>>> %nginx-accounts seems not to be exported from (gnu services web).
>>>
>>> Is there a way to add supplementary groups to the nginx user?
>>
>> Not yet, but this kind of customization is what=E2=80=99s being discusse=
d at
>> <https://bugs.gnu.org/27155>, so it=E2=80=99s good that you=E2=80=99re s=
haring this use
>> case now.
>>
>> Out of curiosity, what=E2=80=99s the desired effect of adding these
>> supplementary groups?
>
> I have files, mostly pictures and videos, whose access is controlled at
> the group level on the file system. I typically add that group to the
> nginx user, so I provide web access, security is controlled via basic
> authentication. I set this up a long time ago (probably 10 years or
> more, but it was probably apache then). There are probably better
> ways to do this now with better solutions (mediagoblin and nextcloud
> come to mind) today. My quick workaround was to move move most things to
> the nginx group and open permissions on a few others.

I see, that makes sense.

> Apparently, I don't have a use case for this, or least not one I can
> justify at the moment (I think I've fell into the "we've always done it
> this way trap"). Now it is feasible to achieve isolation by
> spinning up a container or vps rather than trying to use groups to
> achieve isolation on the same host.

Yeah, but GuixSD should not prevent this other approach IMO.

Thanks for explaining,
Ludo=E2=80=99.