supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
From: Colin Booth <colin@heliocat.net>
To: supervision@list.skarnet.org
Subject: Re: [s6-svperms] Handling service permissions at creation time.
Date: Mon, 15 Feb 2021 12:21:56 +0000
Message-ID: <20210215122156.GA22296@cathexis.xen.prgmr.com>
In-Reply-To: <em5fb8e2ef-95df-4c40-91b5-ea5d01e47455@elzian>

On Mon, Feb 15, 2021 at 11:58:59AM +0000, Laurent Bercot wrote:
> > So, if we have e.g. a <service>/data/perms/rules/uid/<uid>/allow file and if s6-supervise checks this directory at creation time and creates the necessary file/directory with the respective uid/gid found in that directory, we can configure a service's permissions permanently.
> 
>  Typically, if you're using s6-rc, this can be done via a s6-rc
> service running early, before the longruns are started. The "up"
> script can read attributes from a file and set them; the "down"
> script can save all the attributes to a file.
> 
>  Ideally, though, the user would be able to declare the attributes
> in service definition directories, and s6-rc would set them
> automatically at start. That wouldn't help with early services, but
> early services should be few and far between and their permissions
> shouldn't be trifled with.
> 
>  I can add that functionality to the next version of s6-rc. What do
> you think?
> 
Services can fix their own permissions so if s6-rc is going to grow that
functionality it should be in the generated run, not in some rarely used
outboard helper service.
-- 
Colin Booth
