From unknown Thu Jun 12 08:41:13 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Resent-From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sat, 30 Nov 2019 18:50:02 +0000
Resent-Message-ID: <handler.38438.B.15751397712404@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 38438
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 38438@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.15751397712404
          (code B ref -1); Sat, 30 Nov 2019 18:50:02 +0000
Received: (at submit) by debbugs.gnu.org; 30 Nov 2019 18:49:31 +0000
Received: from localhost ([127.0.0.1]:35149 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1ib7oB-0000ch-KY
	for submit@debbugs.gnu.org; Sat, 30 Nov 2019 13:49:31 -0500
Received: from lists.gnu.org ([209.51.188.17]:45230)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1ib7oA-0000ca-Cj
 for submit@debbugs.gnu.org; Sat, 30 Nov 2019 13:49:30 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:47319)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1ib7o8-0000mV-R8
 for bug-guix@gnu.org; Sat, 30 Nov 2019 13:49:30 -0500
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,URIBL_BLOCKED
 autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1ib7o7-0006ay-Lv
 for bug-guix@gnu.org; Sat, 30 Nov 2019 13:49:28 -0500
Received: from pelzflorian.de ([5.45.111.108]:47004 helo=mail.pelzflorian.de)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <pelzflorian@pelzflorian.de>)
 id 1ib7o7-0006aZ-6h
 for bug-guix@gnu.org; Sat, 30 Nov 2019 13:49:27 -0500
Received: from pelzflorian.localdomain (unknown [5.45.111.108])
 by mail.pelzflorian.de (Postfix) with ESMTPSA id E42D73604DA
 for <bug-guix@gnu.org>; Sat, 30 Nov 2019 19:49:24 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=pelzflorian.de;
 s=mail; t=1575139764;
 bh=kNe4Yd5X5bZorIsT18r4cyN6glLkHBDLo/XpZTsWtUg=;
 h=Date:From:To:Subject;
 b=1XeAhFtSYr3fB87PjpgvWimD/vyoqWO7Ck0FeJMTJb0EegCbJgdlLBCnl3qVsMQt8
 gV7LS5wgZurl1x6tO0a7T/Y3GgD6dQyNBkTcvekXZc18A1Tjk+pkJQU4lzlVEdl23N
 oe76biFR40n/5ZFGlRWag9oeyg4P/GcbhmFQoAcQ=
Date: Sat, 30 Nov 2019 19:49:24 +0100
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Message-ID: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-Received-From: 5.45.111.108
X-Spam-Score: -1.4 (-)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

Fcgiwrap should be started with the supplementary groups of its user.
Shepherd=E2=80=99s make-forkexec-constructor does not currently appear to
support this.

Upstream fcgiwrap ships with a systemd service with the User=3D setting.

Systemd confers this user=E2=80=99s supplementary groups by default:
<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:
> If the User=3D setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups=3D setting (see below).

Not starting with supplementary groups sometimes causes problems.

Namely the Guix manual claims for Gitolite=E2=80=99s umask:
> A value like =E2=80=98#o0027=E2=80=99 will give read access to the grou=
p used
> by Gitolite (by default: =E2=80=98git=E2=80=99).  This is necessary whe=
n using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`.  It is also visible by configuring nginx to

fastcgi_param SCRIPT_FILENAME /test/test.sh;

and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.

Regards,
Florian




From unknown Thu Jun 12 08:41:13 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Resent-From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Wed, 04 Dec 2019 10:23:01 +0000
Resent-Message-ID: <handler.38438.B38438.157545494110838@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 38438
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 38438@debbugs.gnu.org
Received: via spool by 38438-submit@debbugs.gnu.org id=B38438.157545494110838
          (code B ref 38438); Wed, 04 Dec 2019 10:23:01 +0000
Received: (at 38438) by debbugs.gnu.org; 4 Dec 2019 10:22:21 +0000
Received: from localhost ([127.0.0.1]:41469 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1icRnZ-0002oi-Br
	for submit@debbugs.gnu.org; Wed, 04 Dec 2019 05:22:21 -0500
Received: from pelzflorian.de ([5.45.111.108]:42280 helo=mail.pelzflorian.de)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1icRnU-0002oW-ES
 for 38438@debbugs.gnu.org; Wed, 04 Dec 2019 05:22:19 -0500
Received: from pelzflorian.localdomain (unknown [5.45.111.108])
 by mail.pelzflorian.de (Postfix) with ESMTPSA id 1C7333604DA
 for <38438@debbugs.gnu.org>; Wed,  4 Dec 2019 11:22:12 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=pelzflorian.de;
 s=mail; t=1575454933;
 bh=HZK1vwdb7iFBjq7LxN5Q3orrczQxTJaTlhqB7DfLE4Q=;
 h=Date:From:To:Subject:References:In-Reply-To;
 b=NxFfxXnE7hSJCwYshcf7RLekCSXT9AoAemGtqoqQLCEsqaf/G2S9czOYLUCi9FCqW
 YZlyP1w8hscKIbq2SETiFys3/mwKCmfnDxPozkDS0JjQdBtASP1epfWb0IIkAB9kKc
 Fx2ngbPlpqrCUnOTu2iwxaKocgn+Y0bAEvFeMdHA=
Date: Wed, 4 Dec 2019 11:22:12 +0100
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Message-ID: <20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain>
References: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="yoqzqu7dmymt7t7k"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--yoqzqu7dmymt7t7k
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

I had hoped the attached quick hack would fix my issue when testing
with the attached vm-image config from
<https://lists.gnu.org/archive/html/guix-devel/2019-11/msg00421.html>.
That is, I wanted it to suffice to set Gitolite’s umask to #o0027 as
described in the manual instead of #o0022, after I do `usermod -aG git
fcgiwrap`.  But instead I get “Operation not permitted” error from
setgroups.  I will try again later with the position of setuid and
setgroups call swapped.

The hack makes make-forkexec-constructor use the supplementary groups
from the user.  Systemd uses them by default.  However they should be
made more configurable.

Regards,
Florian

--yoqzqu7dmymt7t7k
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="quick-hack.patch"
Content-Transfer-Encoding: 8bit

>From ddf372637089957e8c62d53c7eca07cfa9155a04 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Wed, 4 Dec 2019 09:33:08 +0100
Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to
 those of #:user.

Fixes <https://bugs.gnu.org/38438>.

* gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (shepherd): Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/admin.scm                        |  4 +-
 .../shepherd-set-supplementary-groups.patch   | 43 +++++++++++++++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9ddd1349da..b807e3879c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1348,6 +1348,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch	\
   %D%/packages/patches/seq24-rename-mutex.patch			\
   %D%/packages/patches/sharutils-CVE-2018-1000097.patch		\
+  %D%/packages/patches/shepherd-set-supplementary-groups.patch	\
   %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 6e5648d159..3f94b45623 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))))
+                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))
+              (patches
+               (search-patches "shepherd-set-supplementary-groups.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--localstatedir=/var")))
diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
new file mode 100644
index 0000000000..8cac24417d
--- /dev/null
+++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
@@ -0,0 +1,43 @@
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index bd7e379..2344915 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace."
+               (try-again)
+               (apply throw args)))))))
+ 
++(define (supplementary-gids user)
++  "Return a vector with the gid for each supplementary group USER belongs to.
++USER is the user name as a string."
++  ;; TODO: To find them, we loop through the group database, but maybe using
++  ;; glibc’s getgrouplist would be better.  But it is not exported from Guile
++  ;; and it seems it is not part of POSIX (?).
++  (list->vector
++   (delete-duplicates
++    (dynamic-wind
++        (lambda () (setgrent))
++        (lambda ()
++          (let loop ((supgids '()))
++            (let ((group (getgrent)))
++              (define (user-among-group? group)
++                (member user (group:mem group)))
++              (match group
++                     (#f supgids)
++                     ((? user-among-group?)
++                      (loop (cons (group:gid group) supgids)))
++                     (else (loop supgids))))))
++        (lambda () (endgrent))))))
++
+ (define* (exec-command command
+                        #:key
+                        (user #f)
+@@ -826,7 +848,8 @@ false."
+      (when user
+        (catch #t
+          (lambda ()
+-           (setuid (passwd:uid (getpw user))))
++           (setuid (passwd:uid (getpw user)))
++           (setgroups (supplementary-gids user)))
+          (lambda (key . args)
+            (format (current-error-port)
+                    "failed to change to user ~s:~%" user)
-- 
2.24.0


--yoqzqu7dmymt7t7k
Content-Type: application/vnd.lotus-screencam
Content-Disposition: attachment; filename="test-vm-config.scm"
Content-Transfer-Encoding: quoted-printable

(use-modules (gnu))=0A;(use-package-modules version-control)=0A(use-service=
-modules cgit networking ssh version-control web)=0A=0A(define git-group-pe=
rmissions-activation=0A  #~(let ((dir "/var/lib/gitolite"))=0A      (if (fi=
le-exists? dir)=0A          (chmod dir #o755)=0A          (format #t "WARNI=
NG: ~a does not exist yet; reconfigure again!"))))=0A=0A(define git-service=
s=0A  (list=0A   (service gitolite-service-type=0A    (gitolite-configurati=
on=0A     (admin-pubkey (plain-file=0A                    "pelzflorian.pub"=
=0A                    "\=0Assh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEkSgMQnpb+=
1p6Z+8ZCm3tOjSA4vz2MQ/qX2XfXQly4l pelzflorian@florianmacbook"))=0A     (rc-=
file=0A      (gitolite-rc-file=0A       (umask #o0027)))))=0A   (service cg=
it-service-type=0A    (cgit-configuration=0A     (repository-directory "/va=
r/lib/gitolite/repositories")))=0A   (simple-service 'git-group-permissions=
 activation-service-type=0A                   git-group-permissions-activat=
ion)))=0A=0A(operating-system=0A (host-name "gittestvm")=0A (timezone "Euro=
pe/Berlin")=0A (services=0A  (append=0A   git-services=0A   (list (service =
dhcp-client-service-type)=0A         (service openssh-service-type) ;; THIS=
 IS NECESSARY FOR GITOLITE=0A         (service nginx-service-type))=0A   %b=
ase-services))=0A (bootloader=0A  (bootloader-configuration=0A   (bootloade=
r grub-bootloader)=0A   (target "/dev/sda")))=0A (file-systems=0A  (cons* (=
file-system=0A          (mount-point "/")=0A          (device "/dev/sda")=
=0A          (type "ext4"))=0A         %base-file-systems)))=0A
--yoqzqu7dmymt7t7k--




From unknown Thu Jun 12 08:41:13 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#38438: Fcgiwrap service has no supplementary groups
Resent-From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Wed, 04 Dec 2019 11:33:02 +0000
Resent-Message-ID: <handler.38438.B38438.157545916817781@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 38438
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: 
To: 38438@debbugs.gnu.org
Received: via spool by 38438-submit@debbugs.gnu.org id=B38438.157545916817781
          (code B ref 38438); Wed, 04 Dec 2019 11:33:02 +0000
Received: (at 38438) by debbugs.gnu.org; 4 Dec 2019 11:32:48 +0000
Received: from localhost ([127.0.0.1]:41504 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1icStk-0004cj-1O
	for submit@debbugs.gnu.org; Wed, 04 Dec 2019 06:32:48 -0500
Received: from pelzflorian.de ([5.45.111.108]:42348 helo=mail.pelzflorian.de)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <pelzflorian@pelzflorian.de>) id 1icSte-0004cV-L4
 for 38438@debbugs.gnu.org; Wed, 04 Dec 2019 06:32:46 -0500
Received: from pelzflorian.localdomain (unknown [5.45.111.108])
 by mail.pelzflorian.de (Postfix) with ESMTPSA id 71E853604DA
 for <38438@debbugs.gnu.org>; Wed,  4 Dec 2019 12:32:39 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=pelzflorian.de;
 s=mail; t=1575459159;
 bh=yd7PTM0WBciF8W8OcIqa/RDivNYkGJ58tm8/yAzrhug=;
 h=Date:From:To:Subject:References:In-Reply-To;
 b=LzomrtPz7Cz5f+Aj2fWD3R8v0NvK4WAdWFcSsifTR/uCnYQyACmhqw8uoPPYI839y
 g+oXnUtvPqTBFpOlerZMDI63hj2oQCufRsaEhcu0hWf2yGh03iiDnLAuFj5QB2DIku
 rB8B0YHOAS2cS/JKzExwa/cRvWZj0vcvMlco78YM=
Date: Wed, 4 Dec 2019 12:32:39 +0100
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
Message-ID: <20191204113239.immmcpixu2achory@pelzflorian.localdomain>
References: <20191130184924.io5qmo6ujyy2xeyy@pelzflorian.localdomain>
 <20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n7zqetbqpholimzw"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20191204102212.ldt6w4whzfz6ceq5@pelzflorian.localdomain>
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -1.0 (-)


--n7zqetbqpholimzw
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Dec 04, 2019 at 11:22:13AM +0100, pelzflorian (Florian Pelz) wrote:
> I had hoped the attached quick hack would fix my issue when testing

The now attached patch works now (after doing `usermod -aG git
fcgiwrap`, `herd stop fcgiwrap` and `herd start fcgiwrap`).

Regards,
Florian

--n7zqetbqpholimzw
Content-Type: text/plain; charset=utf-8
Content-Disposition: attachment; filename="quick-hack-fixed.patch"
Content-Transfer-Encoding: 8bit

>From 901f3e0ff52e817344a839a5f7c55c96dd530704 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Wed, 4 Dec 2019 09:33:08 +0100
Subject: [PATCH] gnu: shepherd: Patch Shepherd to set supplementary groups to
 those of #:user.

Fixes <https://bugs.gnu.org/38438>.

* gnu/packages/patches/shepherd-set-supplementary-groups.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/admin.scm (shepherd): Use it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/admin.scm                        |  4 +-
 .../shepherd-set-supplementary-groups.patch   | 41 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/shepherd-set-supplementary-groups.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 9ddd1349da..b807e3879c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1348,6 +1348,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/seahorse-gkr-use-0-on-empty-flags.patch	\
   %D%/packages/patches/seq24-rename-mutex.patch			\
   %D%/packages/patches/sharutils-CVE-2018-1000097.patch		\
+  %D%/packages/patches/shepherd-set-supplementary-groups.patch	\
   %D%/packages/patches/shishi-fix-libgcrypt-detection.patch	\
   %D%/packages/patches/slim-session.patch			\
   %D%/packages/patches/slim-config.patch			\
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 6e5648d159..3f94b45623 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -201,7 +201,9 @@ and provides a \"top-like\" mode (monitoring).")
                                   version ".tar.gz"))
               (sha256
                (base32
-                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))))
+                "1xn6mb5bh8bpfgdrh09ja31jk0ln7bmxbbf0vjcqxkkixs2wl6sk"))
+              (patches
+               (search-patches "shepherd-set-supplementary-groups.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--localstatedir=/var")))
diff --git a/gnu/packages/patches/shepherd-set-supplementary-groups.patch b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
new file mode 100644
index 0000000000..f72f7329f6
--- /dev/null
+++ b/gnu/packages/patches/shepherd-set-supplementary-groups.patch
@@ -0,0 +1,41 @@
+diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
+index bd7e379..74fed23 100644
+--- a/modules/shepherd/service.scm
++++ b/modules/shepherd/service.scm
+@@ -758,6 +758,28 @@ daemon writing FILE is running in a separate PID namespace."
+               (try-again)
+               (apply throw args)))))))
+ 
++(define (supplementary-gids user)
++  "Return a vector with the gid for each supplementary group USER belongs to.
++USER is the user name as a string."
++  ;; TODO: To find them, we loop through the group database, but maybe using
++  ;; glibc’s getgrouplist would be better.  But it is not exported from Guile
++  ;; and it seems it is not part of POSIX (?).
++  (list->vector
++   (delete-duplicates
++    (dynamic-wind
++        (lambda () (setgrent))
++        (lambda ()
++          (let loop ((supgids '()))
++            (let ((group (getgrent)))
++              (define (user-among-group? group)
++                (member user (group:mem group)))
++              (match group
++                     (#f supgids)
++                     ((? user-among-group?)
++                      (loop (cons (group:gid group) supgids)))
++                     (else (loop supgids))))))
++        (lambda () (endgrent))))))
++
+ (define* (exec-command command
+                        #:key
+                        (user #f)
+@@ -826,6 +848,7 @@ false."
+      (when user
+        (catch #t
+          (lambda ()
++           (setgroups (supplementary-gids user))
+            (setuid (passwd:uid (getpw user))))
+          (lambda (key . args)
+            (format (current-error-port)
-- 
2.24.0


--n7zqetbqpholimzw--