GNU bug report logs -
#38438
Fcgiwrap service has no supplementary groups
Previous Next
To reply to this bug, email your comments to 38438 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#38438; Package
guix.
(Sat, 30 Nov 2019 18:50:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
"pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Sat, 30 Nov 2019 18:50:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Fcgiwrap should be started with the supplementary groups of its user.
Shepherd’s make-forkexec-constructor does not currently appear to
support this.
Upstream fcgiwrap ships with a systemd service with the User= setting.
Systemd confers this user’s supplementary groups by default:
<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:
> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).
Not starting with supplementary groups sometimes causes problems.
Namely the Guix manual claims for Gitolite’s umask:
> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’). This is necessary when using
> Gitolite with software like cgit or gitweb.
But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`. It is also visible by configuring nginx to
fastcgi_param SCRIPT_FILENAME /test/test.sh;
and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.
Regards,
Florian
Information forwarded
to
bug-guix <at> gnu.org:
bug#38438; Package
guix.
(Wed, 04 Dec 2019 10:23:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 38438 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I had hoped the attached quick hack would fix my issue when testing
with the attached vm-image config from
<https://lists.gnu.org/archive/html/guix-devel/2019-11/msg00421.html>.
That is, I wanted it to suffice to set Gitolite’s umask to #o0027 as
described in the manual instead of #o0022, after I do `usermod -aG git
fcgiwrap`. But instead I get “Operation not permitted” error from
setgroups. I will try again later with the position of setuid and
setgroups call swapped.
The hack makes make-forkexec-constructor use the supplementary groups
from the user. Systemd uses them by default. However they should be
made more configurable.
Regards,
Florian
[quick-hack.patch (text/plain, attachment)]
[test-vm-config.scm (application/vnd.lotus-screencam, attachment)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#38438; Package
guix.
(Wed, 04 Dec 2019 11:33:02 GMT)
Full text and
rfc822 format available.
Message #11 received at 38438 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Wed, Dec 04, 2019 at 11:22:13AM +0100, pelzflorian (Florian Pelz) wrote:
> I had hoped the attached quick hack would fix my issue when testing
The now attached patch works now (after doing `usermod -aG git
fcgiwrap`, `herd stop fcgiwrap` and `herd start fcgiwrap`).
Regards,
Florian
[quick-hack-fixed.patch (text/plain, attachment)]
This bug report was last modified 5 years and 78 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.