[s6-svperms] Handling service permissions at creation time.

supervision - discussion about system services, daemon supervision, init, runlevel management, and tools such as s6 and runit
 help / color / mirror / Atom feed

From: eric vidal <eric@obarun.org>
To: supervision@list.skarnet.org
Subject: [s6-svperms] Handling service permissions at creation time.
Date: Mon, 15 Feb 2021 13:37:30 +1100	[thread overview]
Message-ID: <20210215133730.a09af2eda8df7b965188285f@obarun.org> (raw)
In-Reply-To: <em841024f5-1b59-4374-a48f-b184b57f3e80@elzian>

Hi there,

The s6-svperms is a great feature but it only handle permissions control of a service at runtime. That means that we need to change the permissions of the service everytime that a reboot occurs.
For a server, this is not really a big deal but for a desktop machine this can be really hard to handle as far as the runtime services can be different at each boot (user can activate or disactivate service for his purpose).

Obviously, a script launched at some point of the boot (or after) can change the permissions on the necessary services. However, i think this is not easier and not flexible. 

I thought about a practical solution. 

S6-supervise create the control, status and event directory with the uid:gid of the owner of the process (correct me if i'm wrong).
So, If we have a e.g <service>/data/perms/rules/uid/<uid>/allow file and if s6-supervise check this directory at the creation time and create the necessary file/directory with the respective uid/gid found at that directory, we can configure a service permissions permanently.

What's your thought about that?

-- 
eric vidal <eric@obarun.org>

next prev parent reply	other threads:[~2021-02-15  2:33 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-25 16:50 [announce] skalibs-2.10.0.1, execline-2.7.0.1, s6-2.10.0.1 Laurent Bercot
2021-01-26  3:11 ` Alexis
2021-02-15  2:37 ` eric vidal [this message]
2021-02-15 11:58   ` [s6-svperms] Handling service permissions at creation time Laurent Bercot
2021-02-15 12:21     ` Colin Booth
2021-02-15 14:56       ` Laurent Bercot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210215133730.a09af2eda8df7b965188285f@obarun.org \
    --to=eric@obarun.org \
    --cc=supervision@list.skarnet.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).