Re: Allow to add more than one group for service user

Wed, 19 Aug 2020 22:04:19 -0700 

On Wed, 19 Aug 2020 14:13:43 -0400
Julien Lepiller <jul...@lepiller.eu> wrote:

> From what I understand, the generated /etc/group is correct, but
> loging as kyc-service, even after a reboot, you don't see the
> additional groups?

in order to replicate this issue I had prepared a `test-service` that
provides bash access inside a screen for a test user:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu)
             (gnu system)
             (gnu system shadow)
             (gnu packages admin)
             (gnu packages bash)
             (gnu packages base)
             (gnu packages screen)
             (gnu services shepherd)
             (guix gexp)
             (guix records)
             (ice-9 match))

(define-record-type* <test-configuration>
  test-configuration make-test-configuration
  test-configuration?
  (package test-configuration-package
           (default bash)))

(define test-shepherd-service
  (match-lambda
    (($ <test-configuration> package)
      (list (shepherd-service
              (provision '(test-service))
              (documentation "run a bash instance inside screen")
              (requirement '(user-processes))
              (start #~(make-forkexec-constructor
                        (list (string-append #$screen "/bin/screen")
                              "-D" "-m" "-S" "test-service" 
                              (string-append #$package "/bin/sh"))
                        #:user "test"
                        #:group "users"))
              (stop #~(make-kill-destructor)))))))

(define (test-accounts config)
  "return the user accounts for test-service"
  (list (user-group (name "testgrp"))
        (user-account
          (name "test")
          (group "testgrp")
          (system? #t)
          (comment "test user")
          (supplementary-groups '("users" "wheel"))
          (home-directory "/home/test"))))

(define test-service-type
  (service-type
    (name 'test-service)
    (extensions (list (service-extension shepherd-root-service-type
                                         test-shepherd-service)
                      (service-extension account-service-type
                                         test-accounts)))
    (default-value (test-configuration))))

--8<---------------cut here---------------end--------------->8---

using above snippet, I realized that the only group which is set to
`#:group` parameter of `make-forkexec-constructor` (`users` in this
test) is available for service.

--8<---------------cut here---------------start------------->8---
root@panther ~# su - test
-bash-5.0$ groups
testgrp users wheel

-bash-5.0$ screen -r test-service
sh-5.0$ groups
users
--8<---------------cut here---------------end--------------->8--- 

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/

Reply via email to