From mboxrd@z Thu Jan 1 00:00:00 1970
From: James Richardson
Subject: Re: nginx service modify user
Date: Mon, 19 Jun 2017 08:51:44 -0400
Message-ID: <87wp882l9b.fsf@jamestechnotes.com>
References: <87d1a3kw0m.fsf@jamestechnotes.com> <874lvc1av3.fsf@gnu.org>
In-reply-to: <874lvc1av3.fsf@gnu.org>
To: Ludovic Courtès
Cc: help-guix

Ludovic Courtès writes:

> Hi James,
>
> James Richardson skribis:
>
>> I've managed to get nginx running as a service (I'm running GuixSD). I
>> would like the nginx user to be in supplementary groups; obviously
>> usermod and vim /etc/group are not the proper solution.
>>
>> %nginx-accounts seems not to be exported from (gnu services web).
>>
>> Is there a way to add supplementary groups to the nginx user?
>
> Not yet, but this kind of customization is what’s being discussed at
> , so it’s good that you’re sharing this use
> case now.
>
> Out of curiosity, what’s the desired effect of adding these
> supplementary groups?

I have files, mostly pictures and videos, whose access is controlled at the group level on the file system. I typically add that group to the nginx user so I can provide web access; security is controlled via basic authentication. I set this up a long time ago (probably 10 years or more, but it was probably apache then).
There are probably better ways to do this now with better solutions (mediagoblin and nextcloud come to mind) today. My quick workaround was to move most things to the nginx group and open permissions on a few others. My use case was to give nginx read permissions to a group's files by adding the group to the nginx user. I think I would not do this the same today (I've a bit in the last decade or so ;). Apparently, I don't have a use case for this, or at least not one I can justify at the moment (I think I've fallen into the "we've always done it this way" trap). Now it is feasible to achieve isolation by spinning up a container or VPS rather than trying to use groups to achieve isolation on the same host.

Thanks,
James