From: Bruno Victal
To: Maxim Cournoyer
Cc: 63082@debbugs.gnu.org
Subject: bug#63082: [PATCH v3 10/16] services: mpd: Let Shepherd effect the user/group change.
Date: Wed, 24 May 2023 17:41:23 +0100
List-Id: Bug reports for GNU Guix

On 2023-05-05 19:29, Maxim Cournoyer wrote:
> Relates to .
>
> Quoting a MPD developer, regarding MPD's feature to switch user itself:
> "that's legacy for the dark ages when proper service managers did not exist"
> :-).
>
> * gnu/services/audio.scm (mpd-serialize-user-account)
> (mpd-serialize-user-group): Delete procedures.
> * gnu/services/audio.scm (mpd-configuration) [user]: Do not serialize.
> [group]: Likewise.
> (mpd-shepherd-service): Provide the #:user, #:group and #:supplementary-groups
> arguments.
> (mympd-shepherd-service): Likewise, and remove the '--user' argument.
> * doc/guix.texi (Audio Services): Update doc.
> (mympd-configuration) [port]: Change default value to 8080.
> [ssl-port]: Change default value to 443.
> * gnu/tests/audio.scm (run-mympd-test): Adjust accordingly.
> ---
>  doc/guix.texi          | 12 +++++-----
>  gnu/services/audio.scm | 52 +++++++++++++++++++++++++-----------------
>  gnu/tests/audio.scm    |  4 ++--
>  3 files changed, 39 insertions(+), 29 deletions(-)

This contains a submarine change that isn't easily spotted from the
commit message, that mympd is getting its default port changed and that
it can no longer bind to privileged ports, since although mympd can start
as root in order to bind to possibly privileged ports, it will explicitly
refuse to continue running as root afterwards.

I think we can have shepherd effect for mympd, but only if (and after)
shepherd gets support for POSIX capabilities (CAP_NET_BIND_SERVICE) or a
suitable way to specify that “yes, the program invoked by the service
should have CAP_NET_BIND_SERVICE” is provided.

--
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.
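
The constraint raised in this message, as an added example that is not part of the original mail or of Guix, Shepherd or myMPD code: on Linux, a process whose user was switched before it starts can bind a port below `net.ipv4.ip_unprivileged_port_start` only if CAP_NET_BIND_SERVICE is in its effective set. The `/proc/<pid>/status` excerpts, the uid 990 and the function names are constructed for illustration, and the check assumes the process runs in the initial user namespace.

```python
"""Predict whether a service can bind a TCP port, from its effective capabilities."""
CAP_NET_BIND_SERVICE = 10  # bit index, from <linux/capability.h>

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
STATUS_ROOT = "Name:\tmympd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
STATUS_DROPPED = "Name:\tmympd\nUid:\t990\t990\t990\t990\nCapEff:\t0000000000000000\n"
STATUS_BIND_ONLY = "Name:\tmympd\nUid:\t990\t990\t990\t990\nCapEff:\t0000000000000400\n"


def effective_caps(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "CapEff":
            return int(value.strip(), 16)
    raise ValueError("no CapEff line in status text")


def can_bind(port, cap_eff, unprivileged_start=1024):
    """Apply the Linux rule for binding a port.

    Port 0 (kernel picks a port) and ports at or above
    net.ipv4.ip_unprivileged_port_start need no privilege; anything lower
    needs CAP_NET_BIND_SERVICE in the effective set.
    """
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port == 0 or port >= unprivileged_start:
        return True
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)


def report(status_text, ports, unprivileged_start=1024):
    """Map each port to True/False for the process described by status_text."""
    caps = effective_caps(status_text)
    return {p: can_bind(p, caps, unprivileged_start) for p in ports}


if __name__ == "__main__":
    # Live check of the current process against this host's sysctl value.
    with open("/proc/self/status") as f:
        status = f.read()
    with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
        start = int(f.read())
    print(report(status, [443, 8080], start))
```

With the user already dropped and no capabilities retained, 443 is refused while 8080 is allowed; granting only CAP_NET_BIND_SERVICE restores 443 without running as root.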