[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#63082: [PATCH v3 10/16] services: mpd: Let Shepherd effect the user/
From: |
Maxim Cournoyer |
Subject: |
bug#63082: [PATCH v3 10/16] services: mpd: Let Shepherd effect the user/group change. |
Date: |
Wed, 26 Jul 2023 11:54:31 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hello,
Bruno Victal <mirai@makinata.eu> writes:
> On 2023-05-05 19:29, Maxim Cournoyer wrote:
>> Relates to <https://issues.guix.gnu.org/63082>.
>>
>> Quoting a MPD developer, regarding MPD's feature to switch user itself:
>> "that's legacy for the dark ages when proper service managers did not exist"
>> :-).
>>
>> * gnu/services/audio.scm (mpd-serialize-user-account)
>> (mpd-serialize-user-group): Delete procedures.
>> * gnu/services/audio.scm (mpd-configuration) [user]: Do not serialize.
>> [group]: Likewise.
>> (mpd-shepherd-service): Provide the #:user, #:group and
>> #:supplementary-groups
>> arguments.
>> (mympd-shepherd-service): Likewise, and remove the '--user' argument.
>> * doc/guix.texi (Audio Services): Update doc.
>> (mympd-configuration) [port]: Change default value to 8080.
>> [ssl-port]: Change default value to 443.
>> * gnu/tests/audio.scm (run-mympd-test): Adjust accordingly.
>> ---
>> doc/guix.texi | 12 +++++-----
>> gnu/services/audio.scm | 52 +++++++++++++++++++++++++-----------------
>> gnu/tests/audio.scm | 4 ++--
>> 3 files changed, 39 insertions(+), 29 deletions(-)
>
> This contains a submarine change that isn't easily spotted from the
> commit message, that mympd is getting its default port changed and that
> it can no longer bind to privileged ports, since although mympd can
> start as root in order to bind to possibly privileged ports, it will
> explicitly refuse to continue running as root afterwards.
>
> I think we can have shepherd effect for mympd, but only if (and after)
> shepherd gets support for POSIX capabilities (CAP_NET_BIND_SERVICE) or
> a suitable way to specify that “yes, the program invoked by the service
> should have CAP_NET_BIND_SERVICE” is provided.
As mentioned before, I've let go of this commit for now (though that
means supplementary-groups on a user-account are not honored anymore)
and other commits touching the current group mechanism until we've
implemented support for POSIX capabilities as mentioned in
https://issues.guix.gnu.org/64862.
We can thus close this issue for now, keeping on mind that some bits
could be salvaged at a later time when 64862 is done.
--
Thanks,
Maxim
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#63082: [PATCH v3 10/16] services: mpd: Let Shepherd effect the user/group change.,
Maxim Cournoyer <=