From debbugs-submit-bounces@debbugs.gnu.org Tue Dec 21 14:30:24 2021 Received: (at 52454) by debbugs.gnu.org; 21 Dec 2021 19:30:25 +0000 Received: from localhost ([127.0.0.1]:55682 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mzkq8-00057f-K7 for submit@debbugs.gnu.org; Tue, 21 Dec 2021 14:30:24 -0500 Received: from relay1-d.mail.gandi.net ([217.70.183.193]:36885) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mzkq6-0004yI-CU for 52454@debbugs.gnu.org; Tue, 21 Dec 2021 14:30:23 -0500 Received: (Authenticated sender: brice@waegenei.re) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 1B0D9240005; Tue, 21 Dec 2021 19:30:15 +0000 (UTC) From: Brice Waegeneire To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: [PATCH v2 0/4] Ensure correct ownership of directory trees in services In-Reply-To: <87zgoxmway.fsf_-_@gnu.org> ("Ludovic =?utf-8?Q?Court=C3=A8s?= =?utf-8?Q?=22's?= message of "Sat, 18 Dec 2021 22:34:45 +0100") References: <87h7bdad9o.fsf@waegenei.re> <20211212183614.19730-1-brice@waegenei.re> <87zgoxmway.fsf_-_@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.90 (gnu/linux) Date: Tue, 21 Dec 2021 20:30:11 +0100 Message-ID: <8735mleoxo.fsf_-_@waegenei.re> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 52454 Cc: 52454@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hello Ludo=E2=80=99, Here is a second version of the patch set. Ludovic Court=C3=A8s writes: > [...] > > This has been discussed a few times: I wonder if we should simply chown > service home directories systematically? #45571=C2=B9 is one of such discussion. For services' home, I guess that's = what we should do, but it probably won't be sufficient as log or chache directories usualy aren't in a home, but still need to chowned. The easiest and probab= ly least controversion would be to just replace current `chown` calls on directories by `lchown-recursive`. Seeing that we don't want static UID/GID mapping, like most other distros d= o, we could try to implement something like systemd's dynamic users=C2=B2 approch. > Brice Waegeneire skribis: > >> * guix/build/syscalls.scm (lchown): New procedure. > > Would be nice to add even trivial tests to tests/syscalls.scm. I wrote 4 tests, however the last two, the ones actually testing 'lchown' f= ail bescause "/tmp" has it's sticky bit set, which prevent changing ownership of files there. I tried to workaround this but didn't managed to. > Unfortunately, this doesn=E2=80=99t work for service activation because w= hen > booting, activation snippets are run from the initrd=E2=80=99s Guile, whi= ch is > statically linked and lacks dlopen. > > [...] > > For this strategy to work, you need to add =E2=80=98lchown=E2=80=99 in > =E2=80=98guile-3.0-linux-syscalls.patch=E2=80=99 and to use =E2=80=98defi= ne-as-needed=E2=80=99 in (guix > build syscalls). Done and it fixes the check system for postgresql service. =C2=B9 =C2=B2 Cheers, - Brice Brice Waegeneire (4): syscalls: Add 'lchown'. activation: Add 'lchown-recursive'. services: postgresql: Ensure correct ownership of directory trees. services: cuirass: Ensure correct ownership of directory trees. gnu/build/activation.scm | 20 +++++- .../patches/guile-3.0-linux-syscalls.patch | 33 ++++++++++ gnu/services/cuirass.scm | 18 +++--- gnu/services/databases.scm | 14 +++-- guix/build/syscalls.scm | 16 +++++ tests/syscalls.scm | 62 +++++++++++++++++++ 6 files changed, 150 insertions(+), 13 deletions(-) base-commit: 87e5502d406bfb44b61f7577b241602e02a3498e --=20 2.34.0