[bug#52454,v2,0/4] Ensure correct ownership of directory trees in services

Message ID	8735mleoxo.fsf_-_@waegenei.re
Headers	show Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> Subject: [bug#52454] [PATCH v2 0/4] Ensure correct ownership of directory trees in services Resent-From: Brice Waegeneire <brice@waegenei.re> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 21 Dec 2021 19:31:01 +0000 Resent-Message-ID: <handler.52454.B52454.164011502519726@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org To: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Cc: 52454@debbugs.gnu.org sender: brice@waegenei.re) by relay1-d.mail.gandi.net (Postfix) with ESMTPSA id 1B0D9240005; Tue, 21 Dec 2021 19:30:15 +0000 (UTC) From: Brice Waegeneire <brice@waegenei.re> In-Reply-To: <87zgoxmway.fsf_-_@gnu.org> ("Ludovic =?utf-8?q?Court=C3=A8s?= "'s message of "Sat, 18 Dec 2021 22:34:45 +0100") References: <87h7bdad9o.fsf@waegenei.re> <20211212183614.19730-1-brice@waegenei.re> <87zgoxmway.fsf_-_@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.90 (gnu/linux) Date: Tue, 21 Dec 2021 20:30:11 +0100 Message-ID: <8735mleoxo.fsf_-_@waegenei.re> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches
Series	Ensure correct ownership of directory trees in services \| expand [bug#52454,v2,0/4] Ensure correct ownership of directory trees in services [bug#52715,v2,1/4] syscalls: Add 'lchown'. [bug#52713,v2,2/4] activation: Add 'lchown-recursive'. [bug#52714,v2,3/4] services: postgresql: Ensure correct ownership of directory trees. [bug#52712,v2,4/4] services: cuirass: Ensure correct ownership of directory trees.

Message ID

8735mleoxo.fsf_-_@waegenei.re

Headers

Subject: [bug#52454] [PATCH v2 0/4] Ensure correct ownership of directory
 trees in services
Resent-From: Brice Waegeneire <brice@waegenei.re>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Tue, 21 Dec 2021 19:31:01 +0000
Resent-Message-ID: <handler.52454.B52454.164011502519726@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
To: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 52454@debbugs.gnu.org
From: Brice Waegeneire <brice@waegenei.re>
In-Reply-To: <87zgoxmway.fsf_-_@gnu.org> ("Ludovic =?utf-8?q?Court=C3=A8s?=
 "'s message of "Sat, 18 Dec 2021 22:34:45 +0100")
References: <87h7bdad9o.fsf@waegenei.re>
 <20211212183614.19730-1-brice@waegenei.re> <87zgoxmway.fsf_-_@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.90 (gnu/linux)
Date: Tue, 21 Dec 2021 20:30:11 +0100
Message-ID: <8735mleoxo.fsf_-_@waegenei.re>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>

Series

Ensure correct ownership of directory trees in services | expand

Message

Brice Waegeneire Dec. 21, 2021, 7:30 p.m. UTC

Hello Ludo’,

Here is a second version of the patch set.

Ludovic Courtès <ludo@gnu.org> writes:

> [...]
>
> This has been discussed a few times: I wonder if we should simply chown
> service home directories systematically?

#45571¹ is one of such discussion. For services' home, I guess that's what we
 should do, but it probably won't be sufficient as log or chache directories
 usualy aren't in a home, but still need to chowned. The easiest and probably
 least controversion would be to just replace current `chown` calls on
 directories by `lchown-recursive`.

Seeing that we don't want static UID/GID mapping, like most other distros do, we
could try to implement something like systemd's dynamic users² approch.

> Brice Waegeneire <brice@waegenei.re> skribis:
>
>> * guix/build/syscalls.scm (lchown): New procedure.
>
> Would be nice to add even trivial tests to tests/syscalls.scm.

I wrote 4 tests, however the last two, the ones actually testing 'lchown' fail
bescause "/tmp" has it's sticky bit set, which prevent changing ownership of
files there.  I tried to workaround this but didn't managed to.

> Unfortunately, this doesn’t work for service activation because when
> booting, activation snippets are run from the initrd’s Guile, which is
> statically linked and lacks dlopen.
>
> [...]
>
> For this strategy to work, you need to add ‘lchown’ in
> ‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
> build syscalls).

Done and it fixes the check system for postgresql service.

¹ <https://issues.guix.gnu.org/45571>
² <https://0pointer.net/blog/dynamic-users-with-systemd.html>

Cheers,
- Brice

Brice Waegeneire (4):
  syscalls: Add 'lchown'.
  activation: Add 'lchown-recursive'.
  services: postgresql: Ensure correct ownership of directory trees.
  services: cuirass: Ensure correct ownership of directory trees.

 gnu/build/activation.scm                      | 20 +++++-
 .../patches/guile-3.0-linux-syscalls.patch    | 33 ++++++++++
 gnu/services/cuirass.scm                      | 18 +++---
 gnu/services/databases.scm                    | 14 +++--
 guix/build/syscalls.scm                       | 16 +++++
 tests/syscalls.scm                            | 62 +++++++++++++++++++
 6 files changed, 150 insertions(+), 13 deletions(-)

base-commit: 87e5502d406bfb44b61f7577b241602e02a3498e