From patchwork Tue Dec 21 19:30:11 2021
Subject: [bug#52454] [PATCH v2 0/4] Ensure correct ownership of directory trees in services
From: Brice Waegeneire
To: Ludovic Courtès
Cc: 52454@debbugs.gnu.org
Date: Tue, 21 Dec 2021 20:30:11 +0100
Message-ID: <8735mleoxo.fsf_-_@waegenei.re>
In-Reply-To: <87zgoxmway.fsf_-_@gnu.org>
References: <87h7bdad9o.fsf@waegenei.re> <20211212183614.19730-1-brice@waegenei.re> <87zgoxmway.fsf_-_@gnu.org>

Hello Ludo’,

Here is a second version of the patch set.

Ludovic Courtès writes:

> [...]
>
> This has been discussed a few times: I wonder if we should simply chown
> service home directories systematically?

#45571¹ is one such discussion.
For services' home, I guess that's what we should do, but it probably
won't be sufficient, as log or cache directories usually aren't in a
home but still need to be chowned. The easiest and probably least
controversial would be to just replace current `chown` calls on
directories by `lchown-recursive`. Seeing that we don't want static
UID/GID mapping, like most other distros do, we could try to implement
something like systemd's dynamic users² approach.

> Brice Waegeneire skribis:
>
>> * guix/build/syscalls.scm (lchown): New procedure.
>
> Would be nice to add even trivial tests to tests/syscalls.scm.

I wrote 4 tests; however the last two, the ones actually testing
'lchown', fail because "/tmp" has its sticky bit set, which prevents
changing ownership of files there. I tried to work around this but
didn't manage to.

> Unfortunately, this doesn’t work for service activation because when
> booting, activation snippets are run from the initrd’s Guile, which is
> statically linked and lacks dlopen.
>
> [...]
>
> For this strategy to work, you need to add ‘lchown’ in
> ‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
> build syscalls).

Done, and it fixes the check system for the postgresql service.

¹
²

Cheers,
- Brice

Brice Waegeneire (4):
  syscalls: Add 'lchown'.
  activation: Add 'lchown-recursive'.
  services: postgresql: Ensure correct ownership of directory trees.
  services: cuirass: Ensure correct ownership of directory trees.

 gnu/build/activation.scm                           | 20 +++++-
 .../patches/guile-3.0-linux-syscalls.patch         | 33 ++++++++++
 gnu/services/cuirass.scm                           | 18 +++---
 gnu/services/databases.scm                         | 14 +++--
 guix/build/syscalls.scm                            | 16 +++++
 tests/syscalls.scm                                 | 62 +++++++++++++++++++
 6 files changed, 150 insertions(+), 13 deletions(-)

base-commit: 87e5502d406bfb44b61f7577b241602e02a3498e
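The reason a recursive ownership fix in an activation snippet must use lchown rather than chown is the classic symlink attack: if the service user (or any local user who can write under the directory) plants a symlink inside the tree, a chown that follows links hands ownership of the link's target, anywhere on the system, to that user. The following is an added illustration, not code from the thread or from Guix (whose lchown-recursive is written in Guile); it is in Python because the point is the syscall semantics, not the Scheme wrapper. It walks a tree with fchownat(AT_SYMLINK_NOFOLLOW) semantics via a per-directory fd, so neither planted symlinks nor a component swapped for a symlink mid-walk is followed, and sets a constructed fixture beside a function that lists what a link-following recursion would have touched instead. Function names and the fixture layout are this example's own.

```python
import os
import tempfile


def lchown_recursive(root, uid, gid):
    """Chown root and every entry below it without following symlinks.

    Symlinks get lchown semantics: the link inode's owner changes, the
    target is untouched, and symlinked directories are not descended into.
    Returns the entries (relative to root) whose ownership was set so the
    walk can be checked.
    """
    changed = []
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root, follow_symlinks=False):
        if dirpath == root:
            # fwalk only hands out fds for directories it actually entered,
            # so the top directory is chowned through its own fd.
            os.fchown(dirfd, uid, gid)
            changed.append(".")
        # Each entry is chowned relative to its parent's fd (fchownat with
        # AT_SYMLINK_NOFOLLOW), so a path component replaced by a symlink
        # while the walk runs is not followed either. Real subdirectories
        # show up here exactly once, as entries of their parent; symlinks to
        # directories also land in dirnames but fwalk does not enter them.
        for name in dirnames + filenames:
            os.chown(name, uid, gid, dir_fd=dirfd, follow_symlinks=False)
            changed.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(changed)


def following_chown_targets(root):
    """Paths a link-following recursion (chown -R without -h, or a walk that
    stats through links) would end up chowning. Nothing is modified; the
    resolved paths are returned to show what the lchown variant avoids."""
    targets = set()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=True):
        targets.add(os.path.realpath(dirpath))
        for name in dirnames + filenames:
            targets.add(os.path.realpath(os.path.join(dirpath, name)))
    return targets


def build_sample_tree():
    """Constructed fixture (not from the thread): a service directory holding
    a symlink to a file and a symlink to a directory outside it, as a
    hostile local user could plant them. Returns (root, outside_secret)."""
    base = tempfile.mkdtemp(prefix="lchown-demo-")
    root = os.path.join(base, "srv")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "sub"))
    os.makedirs(outside)
    secret = os.path.join(outside, "secret")
    with open(secret, "w") as f:
        f.write("not yours\n")
    with open(os.path.join(root, "sub", "data"), "w") as f:
        f.write("service data\n")
    os.symlink(secret, os.path.join(root, "sub", "to-secret"))
    os.symlink(outside, os.path.join(root, "to-outside"))
    return root, secret


if __name__ == "__main__":
    root, secret = build_sample_tree()
    # Chowning to our own uid/gid is permitted for an unprivileged owner, so
    # the walk can be exercised without root.
    print("lchown walk touched:", lchown_recursive(root, os.getuid(), os.getgid()))
    print("a following walk would also touch:",
          os.path.realpath(secret) in following_chown_targets(root))
```

Running it as an unprivileged user works because Linux lets a file's owner chown it to its current uid and to a group the process belongs to; under a real service activation the same walk runs as root with the service's uid/gid, where following `to-outside` or `to-secret` would have been the vulnerability.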