On Tue, 14 Jul 2020 12:10:29 +0300 Efraim Flashner <efr...@flashner.co.il> wrote:
> On Tue, Jul 14, 2020 at 12:54:56PM +0430, Reza Alizadeh Majd wrote:
> > On Mon, 13 Jul 2020 22:01:47 -0400
> > Julien Lepiller <jul...@lepiller.eu> wrote:
> >
> > > On 13 July 2020 20:18:09 GMT-04:00, Reza Alizadeh Majd
> > > <r.m...@pantherx.org> wrote:
> > > >
> > > > my service definition is as follows:
> > > >
> > > > --8<---------------cut here---------------start------------->8---
> > > > (define-record-type* <kyc-configuration>
> > > >   kyc-configuration make-kyc-configuration
> > > >   kyc-configuration?
> > > >   (package kyc-configuration-package
> > > >            (default kyc))
> > > >   (user kyc-configuration-user
> > > >         (default "kyc-service"))
> > > >   (group kyc-configuration-group
> > > >          (default "kyc-service")))
> > > >
> > > > (define %kyc-accounts
> > > >   (list (user-group (name "kyc-service"))
> > > >         (user-group (name "kyc-rpc"))
> > > >         (user-account
> > > >          (name "kyc-service")
> > > >          (group "kyc-service")
> > > >          (system? #f)
> > > >          (supplementary-groups '("wheel" "kyc-rpc" "video"))
> > > >          (comment "KYC service user"))))
> > > >
> > > > (define kyc-shepherd-service
> > > >   (match-lambda
> > > >     (($ <kyc-configuration> package user group)
> > > >      (list (shepherd-service
> > > >             (provision '(kyc))
> > > >             (documentation "Run KYC as a daemon.")
> > > >             (requirement '(networking user-processes))
> > > >             (modules `((srfi srfi-1)
> > > >                        (srfi srfi-26)
> > > >                        ,@%default-modules))
> > > >             (start #~(make-forkexec-constructor
> > > >                       (list (string-append #$package "/bin/kyc"))
> > > >                       #:user #$user
> > > >                       #:group #$group
> > > >                       #:environment-variables
> > > >                       (list (string-append "PATH=" #$coreutils "/bin:"
> > > >                                            (getenv "PATH"))
> > > >                             (string-append "HOME=" "/home/" #$user))))
> > > >             (stop #~(make-kill-destructor)))))))
> > > >
> > > > (define kyc-service-type
> > > >   (service-type
> > > >    (name 'kyc)
> > > >    (extensions (list (service-extension
> > > >                       shepherd-root-service-type kyc-shepherd-service)
> > > >                      (service-extension
> > > >                       account-service-type (const %kyc-accounts))))
> > > >    (default-value (kyc-configuration))))
> > > > --8<---------------cut here---------------end--------------->8---
> > > >
> > > > is there anything that I missed for this service definition?
> > >
> > > I don't see in your snippet where you create the socket or where
> > > you change ownership of it, so I don't really understand what is
> > > going wrong.
> > >
> > > Maybe the service itself is responsible for creating the socket
> > > and changing ownership? In that case, I wouldn't use #:user or
> > > #:group, as these will run the service as the unprivileged user
> > > from the start, instead of running it as root and letting it
> > > change user after it's set up things.
> > >
> > > If you want to create the socket yourself, why not use an
> > > activation-service-type?
> >
> > Thanks for your response,
> >
> > the application itself is responsible for creation of the socket, and
> > the socket is created without problem, but when I try to change the
> > ownership of the socket file, I receive an "operation not permitted"
> > error.
> >
> > I also logged in as the user responsible for running the service and
> > ran the application manually; socket creation and permission-setting
> > operations succeeded.
> >
> > referring to the above snippet, when I perform all these operations
> > manually, everything works without problem:
> >
> > --8<---------------cut here---------------start------------->8---
> > kyc-service@kyc-station /tmp/rpc$ whoami
> > kyc-service
> > kyc-service@kyc-station /tmp/rpc$ groups
> > kyc-service wheel kyc-rpc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-service 0 Jul 14 04:22 kyc
> > kyc-service@kyc-station /tmp/rpc$ chown kyc-service:kyc-rpc kyc
> > kyc-service@kyc-station /tmp/rpc$ ll
> > total 0
> > srwxr-xr-x 1 kyc-service kyc-rpc 0 Jul 14 04:22 kyc
> > --8<---------------cut here---------------end--------------->8---
> >
>
> I don't remember what the default directory for running services is. I
> see that kyc-service has a home directory so IIRC it should be there,
> but if it isn't then it might be trying to run from '/'. Can you add
> '#:directory "/tmp/rpc"' to your start snippet? Then it'll try to run
> from that directory.
>

I don't think this is related to setting '#:directory', since my application succeeds in creating the `/tmp/rpc` directory and the `kyc` socket file, but later, when it tries to set the permission using the `chown` function, I receive an "operation not permitted" error.

By the way, I also added '#:directory' to start, and the issue still exists.

-- 
Reza Alizadeh Majd
PantherX Team
https://www.pantherx.org/
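An added note on the chown(2) rule behind the symptom in this thread (this is not part of the thread and not Guix or Shepherd code). An unprivileged process may change a file's group only if it owns the file and the target gid is one of its own groups, primary or supplementary; changing the owner needs CAP_CHOWN. In the interactive session above, `groups` shows kyc-service is a member of kyc-rpc, so `chown kyc-service:kyc-rpc kyc` is permitted. A launcher that switches identity with setgid()/setuid() alone, without initgroups(3), starts the child with only its primary group, and the same chown then fails with EPERM. Whether that is what happens with `#:user`/`#:group` here is a hypothesis, not something the thread establishes. The Python below is constructed for this note: `can_change_group`, `drop_privileges`, `try_chgrp` and the `kyc` socket name are assumptions, not an API of any project mentioned.

```python
"""
Model of the chown(2) group rule, plus a privilege-drop helper that keeps
supplementary groups.  Constructed example; not Shepherd or Guix code.
"""
import grp
import os
import pwd
import socket
import tempfile


def can_change_group(euid, owner_uid, target_gid, gids):
    """Pure model of the chown(2) group rule.

    euid:       effective uid of the calling process
    owner_uid:  uid that owns the file
    target_gid: gid the caller wants to set on the file
    gids:       the caller's primary plus supplementary gids
    Root (CAP_CHOWN) may set any group; anyone else must own the file
    and already belong to the target group.
    """
    if euid == 0:
        return True
    return euid == owner_uid and target_gid in gids


def process_gids():
    """Primary gid plus supplementary gids of the running process."""
    return {os.getgid(), *os.getgroups()}


def drop_privileges(user, group):
    """Switch to USER/GROUP the way a daemon launcher should (assumed helper).

    initgroups() first loads the supplementary groups listed for USER in
    /etc/group; setgid()/setuid() without it would leave the child with a
    single group.  Must be called while still root; setuid() is last
    because it is irreversible.
    """
    uid = pwd.getpwnam(user).pw_uid
    gid = grp.getgrnam(group).gr_gid
    os.initgroups(user, gid)
    os.setgid(gid)
    os.setuid(uid)


def try_chgrp(path, target_gid):
    """Change only the group of PATH.  Returns (ok, errno or None).

    The pre-check mirrors the kernel rule so a daemon can log a precise
    reason instead of a bare "operation not permitted".
    """
    st = os.stat(path)
    if not can_change_group(os.geteuid(), st.st_uid, target_gid, process_gids()):
        return False, "not a member of target group"
    try:
        os.chown(path, -1, target_gid)   # -1 leaves the owner untouched
        return True, None
    except PermissionError as e:
        return False, e.errno


def demo():
    """Create a unix socket in a temp dir and chgrp it to our own primary
    gid, which the rule always permits.  Returns try_chgrp's result."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kyc")    # constructed name, mirrors the thread
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.bind(path)                 # creates the socket node on disk
        except OSError:
            open(path, "w").close()      # fallback: chown treats a plain file the same
        result = try_chgrp(path, os.getgid())
        s.close()
        return result


if __name__ == "__main__":
    print("own gids:", sorted(process_gids()))
    print("chgrp to own primary gid:", demo())
    # A gid the process does not belong to is refused by the pre-check
    # (and by the kernel) unless we are root.
    print("chgrp to foreign gid allowed as uid 1000?",
          can_change_group(1000, 1000, 2000, {1000}))
```

Running this as the service user with the supplementary groups intact shows the chgrp succeed; running it as a process that kept only its primary group reproduces the EPERM, which is the check to make against the daemon's actual environment (for example by logging `os.getgroups()` at startup) before changing how the service is launched.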