[bug#52454] [PATCH 0/4] Ensure correct ownership of directory trees in services.Hello Guix,

["Ludovic Courtès" <ludo@gnu.org>]

Hi!

Great patch series!

This has been discussed a few times: I wonder if we should simply chown
service home directories systematically?

Brice Waegeneire <brice@waegenei.re> skribis:

> * guix/build/syscalls.scm (lchown): New procedure.

Would be nice to add even trivial tests to tests/syscalls.scm.

Unfortunately, this doesn’t work for service activation because when
booting, activation snippets are run from the initrd’s Guile, which is
statically linked and lacks dlopen.

This leads to failures like:

--8<---------------cut here---------------start------------->8---
$ make check-system TESTS="postgresql" -j4

[...]

populating /etc from /gnu/store/bchxln4wkfmdbsxww9jaxafsyvlpdbmg-etc...
Please wait while gathering entropy to generate the key pair;
this may take time...
warning: failed to chown "/var/lib/postgresql/data": Function not implemented
warning: failed to chown "/var/run/postgresql": Function not implemented
warning: failed to chown "/var/log/postgresql": Function not implemented
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

[...]

fixing permissions on existing directory /var/lib/postgresql/data ... initdb: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted
--8<---------------cut here---------------end--------------->8---

(The ENOSYS error above comes from the ‘lchown’ wrapper.)

For this strategy to work, you need to add ‘lchown’ in
‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
build syscalls).

(I’m surprised we didn’t already have recursive chown.)

With this in place, we should be all set!

Thanks,
Ludo’.