Brice Waegeneire <brice@HIDDEN>
to control <at> debbugs.gnu.org
From: Brice Waegeneire <brice@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Cc: 52454 <at> debbugs.gnu.org
Subject: [PATCH v2 0/4] Ensure correct ownership of directory trees in services
Date: Tue, 21 Dec 2021 20:30:11 +0100
Message-ID: <8735mleoxo.fsf_-_@HIDDEN>
In-Reply-To: <87zgoxmway.fsf_-_@HIDDEN>

Hello Ludo’,

Here is a second version of the patch set.

Ludovic Courtès <ludo@HIDDEN> writes:

> [...]
>
> This has been discussed a few times: I wonder if we should simply chown
> service home directories systematically?

#45571¹ is one such discussion. For services' home, I guess that's what we
should do, but it probably won't be sufficient as log or cache directories
usually aren't in a home, but still need to be chowned. The easiest and
probably least controversial would be to just replace current `chown` calls
on directories by `lchown-recursive`.

Seeing that we don't want static UID/GID mapping, like most other distros do,
we could try to implement something like systemd's dynamic users² approach.

> Brice Waegeneire <brice@HIDDEN> skribis:
>
>> * guix/build/syscalls.scm (lchown): New procedure.
>
> Would be nice to add even trivial tests to tests/syscalls.scm.

I wrote 4 tests, however the last two, the ones actually testing 'lchown',
fail because "/tmp" has its sticky bit set, which prevents changing
ownership of files there. I tried to work around this but didn't manage to.

> Unfortunately, this doesn’t work for service activation because when
> booting, activation snippets are run from the initrd’s Guile, which is
> statically linked and lacks dlopen.
>
> [...]
>
> For this strategy to work, you need to add ‘lchown’ in
> ‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
> build syscalls).

Done and it fixes the check system for the postgresql service.

¹ <https://issues.guix.gnu.org/45571>
² <https://0pointer.net/blog/dynamic-users-with-systemd.html>

Cheers,
- Brice

Brice Waegeneire (4):
  syscalls: Add 'lchown'.
  activation: Add 'lchown-recursive'.
  services: postgresql: Ensure correct ownership of directory trees.
  services: cuirass: Ensure correct ownership of directory trees.

 gnu/build/activation.scm                     | 20 +++++-
 .../patches/guile-3.0-linux-syscalls.patch   | 33 ++++++++++
 gnu/services/cuirass.scm                     | 18 +++---
 gnu/services/databases.scm                   | 14 +++--
 guix/build/syscalls.scm                      | 16 +++++
 tests/syscalls.scm                           | 62 +++++++++++++++++++
 6 files changed, 150 insertions(+), 13 deletions(-)

base-commit: 87e5502d406bfb44b61f7577b241602e02a3498e
-- 
2.34.0

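The point made above, replacing the plain `chown` calls with a recursive walk that does not dereference symbolic links, is easiest to see on a tree that actually contains one. What follows is an added example written for this page; it is not part of the Guix patch set nor of GNU Guix. It is in Python rather than Guile so that it runs stand-alone, without the patched Guile and without root: ownership is set to the caller's own uid/gid, because re-owning a file to a different user needs CAP_CHOWN, which is also the constraint any unprivileged test of such a procedure runs into. The directory layout and names (`service-data`, `data/PG_VERSION`, `evil`, `stale`, `outside/secret`) are constructed for the demonstration and stand in for a service's state directory; `lchown_recursive` mirrors the shape of the patch's `lchown-recursive` (physical walk plus `lchown`), and `naive_chown_targets` shows what a dereferencing walk would have operated on instead.

```python
"""Added example (not Guix code): recursive ownership change that never
follows symlinks, beside a naive dereferencing walk, on a constructed tree."""
import errno
import os
import shutil
import stat
import tempfile


def lchown_recursive(root, uid, gid):
    """Re-own ROOT and everything below it without following symlinks,
    the behaviour of the patch's 'lchown-recursive' (nftw with 'physical
    plus lchown).  Returns the list of paths whose ownership was set."""
    touched = []

    def visit(path):
        st = os.lstat(path)           # lstat: a symlink is reported as a symlink
        os.lchown(path, uid, gid)     # lchown: re-own the link itself, never its target
        touched.append(path)
        if stat.S_ISDIR(st.st_mode):  # descend only into real directories
            with os.scandir(path) as entries:
                for entry in sorted(entries, key=lambda e: e.name):
                    visit(entry.path)

    visit(root)
    return touched


def naive_chown_targets(root):
    """What a dereferencing walk (os.walk(followlinks=True) + os.chown)
    would actually operate on: every path resolved through its symlinks."""
    targets = set()
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=True):
        targets.add(os.path.realpath(dirpath))
        for name in filenames:
            targets.add(os.path.realpath(os.path.join(dirpath, name)))
    return targets


def run_demo():
    """Build a constructed service tree (hypothetical layout) containing a
    symlink that points outside it and a dangling symlink, then compare the
    two strategies.  Ownership is set to the caller's own uid/gid: changing
    a file to a *different* owner needs CAP_CHOWN, so this runs unprivileged."""
    uid, gid = os.getuid(), os.getgid()
    base = tempfile.mkdtemp(prefix="lchown-demo-")
    try:
        service = os.path.join(base, "service-data")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(service, "data"))
        os.makedirs(outside)
        secret = os.path.join(outside, "secret")
        with open(os.path.join(service, "data", "PG_VERSION"), "w") as f:
            f.write("13\n")
        with open(secret, "w") as f:
            f.write("not the service's file\n")
        # A link the service account could plant to hijack a root-run chown.
        evil = os.path.join(service, "evil")
        os.symlink(secret, evil)
        # A dangling link: chown() fails on it with ENOENT, lchown() does not.
        stale = os.path.join(service, "stale")
        os.symlink(os.path.join(base, "does-not-exist"), stale)

        touched = lchown_recursive(service, uid, gid)
        naive = naive_chown_targets(service)
        try:
            os.chown(stale, uid, gid)
            stale_enoent = False
        except OSError as e:
            stale_enoent = e.errno == errno.ENOENT

        return {
            "secret": os.path.realpath(secret),
            "evil_link": evil,
            "stale_link": stale,
            "touched": touched,
            "naive_targets": naive,
            "stale_chown_fails_with_enoent": stale_enoent,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = run_demo()
    print("outside file reached by naive chown:",
          result["secret"] in result["naive_targets"])
    print("outside file reached by lchown_recursive:",
          result["secret"] in result["touched"])
```

Running it prints `True` for the naive walk and `False` for the physical one: the dereferencing walk resolves `evil` to `outside/secret` and would re-own that file, while `lchown_recursive` re-owns the link entry itself and stays inside the tree. The dangling link is the second thing to watch: `os.chown` on it raises ENOENT, whereas `lchown` succeeds, which is why a recursive procedure built on `lchown` can include dangling links rather than skip them.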
From: Ludovic Courtès <ludo@HIDDEN>
To: Brice Waegeneire <brice@HIDDEN>
Cc: 52454 <at> debbugs.gnu.org
Subject: Re: bug#52454: [PATCH 0/4] Ensure correct ownership of directory trees in services.Hello Guix,
Date: Sat, 18 Dec 2021 22:34:45 +0100
Message-ID: <87zgoxmway.fsf_-_@HIDDEN>
In-Reply-To: <20211212183614.19730-1-brice@HIDDEN>

Hi!

Great patch series!

This has been discussed a few times: I wonder if we should simply chown
service home directories systematically?

Brice Waegeneire <brice@HIDDEN> skribis:

> * guix/build/syscalls.scm (lchown): New procedure.

Would be nice to add even trivial tests to tests/syscalls.scm.

Unfortunately, this doesn’t work for service activation because when
booting, activation snippets are run from the initrd’s Guile, which is
statically linked and lacks dlopen.  This leads to failures like:

--8<---------------cut here---------------start------------->8---
$ make check-system TESTS="postgresql" -j4
[...]
populating /etc from /gnu/store/bchxln4wkfmdbsxww9jaxafsyvlpdbmg-etc...
Please wait while gathering entropy to generate the key pair;
this may take time...
warning: failed to chown "/var/lib/postgresql/data": Function not implemented
warning: failed to chown "/var/run/postgresql": Function not implemented
warning: failed to chown "/var/log/postgresql": Function not implemented
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
[...]
fixing permissions on existing directory /var/lib/postgresql/data ... initdb: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted
--8<---------------cut here---------------end--------------->8---

(The ENOSYS error above comes from the ‘lchown’ wrapper.)

For this strategy to work, you need to add ‘lchown’ in
‘guile-3.0-linux-syscalls.patch’ and to use ‘define-as-needed’ in (guix
build syscalls).

(I’m surprised we didn’t already have recursive chown.)

With this in place, we should be all set!

Thanks,
Ludo’.

From: Brice Waegeneire <brice@HIDDEN>
To: 52454 <at> debbugs.gnu.org
Subject: [PATCH 4/4] services: cuirass: Ensure correct ownership of directory trees.
Date: Sun, 12 Dec 2021 19:36:14 +0100
Message-Id: <20211212183614.19730-4-brice@HIDDEN>

* gnu/services/cuirass.scm (cuirass-activation): Replace 'chown' calls by
'lchown-recursive'.
---
 gnu/services/cuirass.scm | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/gnu/services/cuirass.scm b/gnu/services/cuirass.scm index a69c20adb8..116c12063e 100644 --- a/gnu/services/cuirass.scm +++ b/gnu/services/cuirass.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2017 Jan Nieuwenhuizen <janneke@HIDDEN> ;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@HIDDEN> ;;; Copyright © 2018 Clément Lassieur <clement@HIDDEN> +;;; Copyright © 2021 Brice Waegeneire <brice@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -24,6 +25,7 @@ (define-module (gnu services cuirass) #:use-module (guix channels) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix records) #:use-module (guix store) #:use-module (guix utils) @@ -278,9 +280,11 @@ (define (cuirass-activation config) (profile (string-append "/var/guix/profiles/per-user/" user)) (roots (string-append profile "/cuirass")) (group (cuirass-configuration-group config))) - (with-imported-modules '((guix build utils)) + (with-imported-modules (source-module-closure + '((gnu build activation))) #~(begin - (use-modules (guix build utils)) + (use-modules (guix build utils) + (gnu build activation)) (mkdir-p #$cache) (mkdir-p #$log) @@ -291,13 +295,13 @@ (define (cuirass-activation config) (let ((uid (passwd:uid (getpw #$user))) (gid (group:gid (getgr #$group)))) - (chown #$cache uid gid) - (chown #$log uid gid) - (chown #$roots uid gid) - (chown #$profile uid gid) + (lchown-recursive #$cache uid gid) + (lchown-recursive #$log uid gid) + (lchown-recursive #$profile uid gid) + (lchown-recursive (passwd:dir (getpw #$user)) uid gid) (when #$remote-cache - (chown #$remote-cache uid gid))))))) + (lchown-recursive #$remote-cache uid gid))))))) (define (cuirass-log-rotations config) "Return the list of log rotations that corresponds to CONFIG." -- 2.34.0
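Review bot: the last hunk does more than the commit message states. `(chown #$roots uid gid)` is dropped and `(lchown-recursive (passwd:dir (getpw #$user)) uid gid)` is added, so the account's entire home directory is now re-owned recursively, as root, on every activation. Dropping `#$roots` is fine because `(roots (string-append profile "/cuirass"))` places it under `#$profile`, which is still walked, but the home-directory walk is new behaviour that belongs in the commit message and it deserves a guard: if that home were ever a directory shared with other system accounts (a `/var/empty`-style placeholder, for instance), the walk would hand it to cuirass. Either keep the recursive calls to the paths the service needs (`#$cache`, `#$log`, `#$profile`, `#$remote-cache`) or check `(passwd:dir (getpw #$user))` against a small deny list before walking it.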
From: Brice Waegeneire <brice@HIDDEN>
To: 52454 <at> debbugs.gnu.org
Subject: [PATCH 2/4] activation: Add 'lchown-recursive'.
Date: Sun, 12 Dec 2021 19:36:12 +0100
Message-Id: <20211212183614.19730-2-brice@HIDDEN>

* gnu/build/activation.scm (lchown-recursive): New procedure.
---
 gnu/build/activation.scm | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 9f6126023c..79c835a045 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -30,7 +30,7 @@ (define-module (gnu build activation) #:use-module (gnu build accounts) #:use-module (gnu build linux-boot) #:use-module (guix build utils) - #:use-module ((guix build syscalls) #:select (with-file-lock)) + #:use-module ((guix build syscalls) #:select (with-file-lock lchown)) #:use-module (ice-9 ftw) #:use-module (ice-9 match) #:use-module (ice-9 vlist) 
@@ -46,7 +46,8 @@ (define-module (gnu build activation) activate-firmware activate-ptrace-attach activate-current-system - mkdir-p/perms)) + mkdir-p/perms + lchown-recursive)) ;;; Commentary: ;;; @@ -105,6 +106,23 @@ (define (mkdir-p/perms directory owner bits) (chown directory (passwd:uid owner) (passwd:gid owner)) (chmod directory bits)) +(define (lchown-recursive file owner group) + "As 'lchown' but recursively, change ownership of FILE to the integer values +OWNER and GROUP without dereferencing symbolic links it encounter." + (nftw file + (lambda (filename statinfo flag base level) + (catch 'system-error + (lambda () + (when (member flag '(regular directory symlink)) + (lchown filename owner group))) + (lambda args + (format (current-error-port) + "warning: failed to chown ~s: ~a~%" + filename + (strerror (system-error-errno args))))) + #t) + 'physical)) + (define* (copy-account-skeletons home #:key (directory %skeleton-directory) -- 2.34.0
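Review bot: the `#:select (with-file-lock lchown)` change in the first hunk binds `lchown-recursive` to the dlopen-based `lchown` wrapper from (guix build syscalls), and activation snippets run from the initrd's statically linked Guile, where that wrapper cannot resolve the symbol; that is where the `failed to chown ...: Function not implemented` warnings quoted later in this thread come from. Define `lchown` with `define-as-needed` in (guix build syscalls) so that a Guile which carries `lchown` natively (once it is added to guile-3.0-linux-syscalls.patch) keeps its own binding and the FFI version is only a fallback.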
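Review bot: in the `lchown-recursive` hunk, passing 'physical to `nftw` and using `lchown` is the right call, because activation runs as root over trees the service account can write to: with a dereferencing chown, a symlink planted under the service's state directory would redirect ownership to a file outside the tree. Three things on the same hunk are worth tightening. The flag list `'(regular directory symlink)` leaves out `'stale-symlink` and `'directory-not-readable`, so a dangling link keeps its old owner even though `lchown` re-owns the link itself; add `'stale-symlink`. The handler only prints a warning and the lambda still returns `#t`, so activation exits successfully with a partially re-owned tree and nothing downstream notices; count the failures and return them to the caller. And the walk is path-based (nftw stats a path, then `lchown` is called on the same path), so a directory component swapped for a symlink in between is not caught; closing that needs `fchownat` with `AT_SYMLINK_NOFOLLOW` relative to an opened directory fd, which this module does not expose, so at least record in the docstring that the tree must not be concurrently writable by an untrusted user during activation. Docstring grammar: "symbolic links it encounter" should read "symbolic links it encounters".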
From: Brice Waegeneire <brice@HIDDEN>
To: 52454 <at> debbugs.gnu.org
Subject: [PATCH 3/4] services: postgresql: Ensure correct ownership of directory trees.
Date: Sun, 12 Dec 2021 19:36:13 +0100
Message-Id: <20211212183614.19730-3-brice@HIDDEN>

* gnu/services/databases.scm (postgresql-activation): Replace 'chown' calls
by 'lchown-recursive'.
---
 gnu/services/databases.scm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/gnu/services/databases.scm b/gnu/services/databases.scm index 8e983ef0be..83f9fe5239 100644 --- a/gnu/services/databases.scm +++ b/gnu/services/databases.scm 
@@ -8,6 +8,7 @@ ;;; Copyright © 2019 Robert Vollmert <rob@HIDDEN> ;;; Copyright © 2020 Marius Bakke <marius@HIDDEN> ;;; Copyright © 2021 David Larsson <david.larsson@HIDDEN> +;;; Copyright © 2021 Brice Waegeneire <brice@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -214,8 +215,11 @@ (define postgresql-activation (($ <postgresql-configuration> postgresql port locale config-file log-directory data-directory extension-packages) - #~(begin + (with-imported-modules (source-module-closure + '((gnu build activation))) + #~(begin (use-modules (guix build utils) + (gnu build activation) (ice-9 match)) (let ((user (getpwnam "postgres")) @@ -230,19 +234,19 @@ (define postgresql-activation '())))) ;; Create db state directory. (mkdir-p #$data-directory) - (chown #$data-directory (passwd:uid user) (passwd:gid user)) + (lchown-recursive #$data-directory (passwd:uid user) (passwd:gid user)) ;; Create the socket directory. (let ((socket-directory #$(postgresql-config-file-socket-directory config-file))) (when (string? socket-directory) (mkdir-p socket-directory) - (chown socket-directory (passwd:uid user) (passwd:gid user)))) + (lchown-recursive socket-directory (passwd:uid user) (passwd:gid user)))) ;; Create the log directory. (when (string? #$log-directory) (mkdir-p #$log-directory) - (chown #$log-directory (passwd:uid user) (passwd:gid user))) + (lchown-recursive #$log-directory (passwd:uid user) (passwd:gid user))) ;; Drop privileges and init state directory in a new ;; process. Wait for it to finish before proceeding. @@ -262,7 +266,7 @@ (define postgresql-activation initdb-args))) (lambda () (primitive-exit 1)))) - (pid (waitpid pid)))))))) + (pid (waitpid pid))))))))) (define postgresql-shepherd-service (match-lambda -- 2.34.0
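Review bot: the hunk that wraps the gexp in `(with-imported-modules (source-module-closure '((gnu build activation))) ...)` uses `source-module-closure` but, unlike the cuirass patch, adds no `#:use-module (guix modules)` to gnu/services/databases.scm; confirm that import already exists there, otherwise the file will not compile. On the hunk replacing the three `chown` calls: `lchown-recursive` over `#$data-directory` walks the whole database cluster on every `guix system reconfigure`, so activation time now grows with the number of files in the cluster; if that matters, walk only when the top-level directory is mis-owned, e.g. `(unless (= (stat:uid (lstat #$data-directory)) (passwd:uid user)) (lchown-recursive ...))`, which still repairs the stale-ownership case the cover letter describes. The extra closing paren on `(pid (waitpid pid)))))))))` balances the new `with-imported-modules` wrapper and is correct.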
From: Brice Waegeneire <brice@HIDDEN>
To: 52454 <at> debbugs.gnu.org
Subject: [PATCH 1/4] syscalls: Add 'lchown'.
Date: Sun, 12 Dec 2021 19:36:11 +0100
Message-Id: <20211212183614.19730-1-brice@HIDDEN>

* guix/build/syscalls.scm (lchown): New procedure.
---
 guix/build/syscalls.scm | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 63bd017d1d..1c432507c3 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@HIDDEN> ;;; Copyright © 2021 Chris Marusich <cmmarusich@HIDDEN> ;;; Copyright © 2021 Tobias Geerinckx-Rice <me@HIDDEN> +;;; Copyright © 2021 Brice Waegeneire <brice@HIDDEN> ;;; ;;; This file is part of GNU Guix. ;;; @@ -118,6 +119,7 @@ (define-module (guix build syscalls) scandir* getxattr setxattr + lchown fcntl-flock lock-file 
@@ -1275,6 +1277,20 @@ (define* (scandir* name #:optional (lambda () (closedir* directory))))) +(define lchown + (let ((proc (syscall->procedure int "lchown" (list '* int int)))) + (lambda (file owner group) + "As 'chown', change the ownership and group of the file referred to by +FILE to the integer values OWNER and GROUP but doesn't dereference symbolic +links. Unlike 'chown' this doesn't support port or integer file descriptor +via 'fchown'." + (let-values (((ret err) + (proc (string->pointer file) owner group))) + (unless (zero? ret) + (throw 'system-error "lchown" "~S: ~A" + (list file (strerror err)) + (list err))))))) + ;;; ;;; Advisory file locking. -- 2.34.0
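Review bot: in the hunk defining `lchown`, `(syscall->procedure int "lchown" (list '* int int))` resolves the symbol through dlopen, which the initrd's statically linked Guile lacks, so from activation code this wrapper fails with ENOSYS (the `Function not implemented` warnings shown later in the thread). Wrap the definition in `define-as-needed` so that a Guile which already exports `lchown` (after it is added to guile-3.0-linux-syscalls.patch) keeps its native binding and the FFI version only serves Guiles without it; the error path (`throw 'system-error "lchown" "~S: ~A" ... (list err)`) follows the file's convention and can stay. Two smaller points: confirm (srfi srfi-11) is among this module's imports for `let-values`, and the docstring's "this doesn't support port or integer file descriptor via 'fchown'" reads better as "unlike 'chown', this does not accept a port or integer file descriptor". Tests in tests/syscalls.scm would also help, as already requested in the thread.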
From: Brice Waegeneire <brice@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH 0/4] Ensure correct ownership of directory trees in services.Hello Guix,
Date: Sun, 12 Dec 2021 19:28:35 +0100
Message-ID: <87h7bdad9o.fsf@HIDDEN>

Hello Guix,

A number of times I got hit by newly configured services not starting because
of wrong ownership of files they ought to own. This appears when reconfiguring
an operating system with a service that was used in the past, but not present
in the previous generation. For example, this time, the cuirass and postgresql
services wouldn't start because that system had them running before, but a
few weeks ago I reconfigured the operating system without them, and now that I
want to have these services running again they won't start because the
activation scripts were only changing the ownership of the runtime, data, log
and co. directories but not their content. Concretely,
/var/lib/postgresql/data/PG_VERSION (and others) wasn't owned by
postgresql:postgresql but by another pair of UID/GID, however
/var/lib/postgresql had the correct ownership.

This patch fixes such UID/GID mismatches for the cuirass and postgresql
services by recursively changing the owner and group of the whole tree these
services need, and not just the root directories of these trees.

It is related to the issue <https://issues.guix.gnu.org/45571> about stable
UID/GID in Guix's containers.

Cheers,
- Brice

Brice Waegeneire (4):
  syscalls: Add 'lchown'.
  activation: Add 'lchown-recursive'.
  services: postgresql: Ensure correct ownership of directory trees.
  services: cuirass: Ensure correct ownership of directory trees.

 gnu/build/activation.scm   | 22 ++++++++++++++++++++--
 gnu/services/cuirass.scm   | 18 +++++++++++-------
 gnu/services/databases.scm | 14 +++++++++-----
 guix/build/syscalls.scm    | 16 ++++++++++++++++
 4 files changed, 56 insertions(+), 14 deletions(-)

base-commit: 604880ae22e1a7662acb1d3f282242470de0cd03
-- 
2.34.0

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.