From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI
	autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 15258 invoked from network); 15 Feb 2021 14:56:47 -0000
Received: from alyss.skarnet.org (95.142.172.232)
  by inbox.vuxu.org with ESMTPUTF8; 15 Feb 2021 14:56:47 -0000
Received: (qmail 13544 invoked by uid 89); 15 Feb 2021 14:57:10 -0000
Mailing-List: contact supervision-help@list.skarnet.org; run by ezmlm
Sender: <supervision@list.skarnet.org>
Precedence: bulk
List-Post: <mailto:supervision@list.skarnet.org>
List-Help: <mailto:supervision-help@list.skarnet.org>
List-Unsubscribe: <mailto:supervision-unsubscribe@list.skarnet.org>
List-Subscribe: <mailto:supervision-subscribe@list.skarnet.org>
List-Id: <supervision.list.skarnet.org>
Received: (qmail 13537 invoked from network); 15 Feb 2021 14:57:10 -0000
From: "Laurent Bercot" <ska-supervision@skarnet.org>
To: "Colin Booth" <colin@heliocat.net>, supervision@list.skarnet.org
Subject: Re: [s6-svperms] Handling service permissions at creation time.
Date: Mon, 15 Feb 2021 14:56:45 +0000
Message-Id: <emd14d34b9-5cdf-4a75-9377-6d3addd47d9b@elzian>
In-Reply-To: <20210215122156.GA22296@cathexis.xen.prgmr.com>
References: <em841024f5-1b59-4374-a48f-b184b57f3e80@elzian>
 <20210215133730.a09af2eda8df7b965188285f@obarun.org>
 <em5fb8e2ef-95df-4c40-91b5-ea5d01e47455@elzian>
 <20210215122156.GA22296@cathexis.xen.prgmr.com>
Reply-To: "Laurent Bercot" <ska-supervision@skarnet.org>
User-Agent: eM_Client/8.1.1054.0
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -100
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduledrieekgdeihecutefuodetggdotffvucfrrhhofhhilhgvmecupfgfoffgtffkveetuefngfdpqfgfvfenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhephffvufffkfgjfhhrfgggtgfgsehtqhertddtreejnecuhfhrohhmpedfnfgruhhrvghnthcuuegvrhgtohhtfdcuoehskhgrqdhsuhhpvghrvhhishhiohhnsehskhgrrhhnvghtrdhorhhgqeenucggtffrrghtthgvrhhnpedvgfevffeuleegvdektdffteegvdeiieefkeetgfeuheffheelheejhfevueeijeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhhouggvpehsmhhtphhouhht

>Services can fix their own permissions so if s6-rc is going to grow that
>functionality it should be in the generated run, not in some rarely used
>outboard helper service.

  As answered on IRC, for ML completeness: no, because permissions should
be fixed when the supervisor starts, not when the service starts. So a
oneshot that runs right after the supervisors are started is the
correct solution.

--
  Laurent