GNU bug report logs - #38438
Fcgiwrap service has no supplementary groups

Previous Next

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: bug-guix <at> gnu.org
Subject: Fcgiwrap service has no supplementary groups
Date: Sat, 30 Nov 2019 19:49:24 +0100

Fcgiwrap should be started with the supplementary groups of its user.
Shepherd’s make-forkexec-constructor does not currently appear to
support this.

Upstream fcgiwrap ships with a systemd service with the User= setting.

Systemd confers this user’s supplementary groups by default:
<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:
> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).

Not starting with supplementary groups sometimes causes problems.

Namely the Guix manual claims for Gitolite’s umask:
> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’).  This is necessary when using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`.  It is also visible by configuring nginx to

fastcgi_param SCRIPT_FILENAME /test/test.sh;

and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.

Regards,
Florian

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.