Re: nginx service modify user
From: Ludovic Courtès
Subject: Re: nginx service modify user
Date: Mon, 19 Jun 2017 16:47:27 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

James Richardson <address@hidden> writes:
> Ludovic Courtès writes:
>
>> Hi James,
>>
>> James Richardson <address@hidden> writes:
>>
>>> I've managed to get nginx running as service (I'm running GuixSD). I
>>> would like the nginx user to be in supplementary groups, obviously
>>> usermod and vim /etc/group are not the proper solution.
>>>
>>> %nginx-accounts seems not to be exported from (gnu services web).
>>>
>>> Is there a way to add supplementary groups to the nginx user?
>>
>> Not yet, but this kind of customization is what’s being discussed at
>> <https://bugs.gnu.org/27155>, so it’s good that you’re sharing this use
>> case now.
>>
>> Out of curiosity, what’s the desired effect of adding these
>> supplementary groups?
>
> I have files, mostly pictures and videos, whose access is controlled at
> the group level on the file system. I typically add that group to the
> nginx user, so I provide web access, security is controlled via basic
> authentication. I set this up a long time ago (probably 10 years or
> more, but it was probably apache then). There are probably better
> ways to do this now with better solutions (mediagoblin and nextcloud
> come to mind) today. My quick workaround was to move most things to
> the nginx group and open permissions on a few others.

I see, that makes sense.

> Apparently, I don't have a use case for this, or at least not one I can
> justify at the moment (I think I've fallen into the "we've always done it
> this way trap"). Now it is feasible to achieve isolation by
> spinning up a container or vps rather than trying to use groups to
> achieve isolation on the same host.

Yeah, but GuixSD should not prevent this other approach IMO.

Thanks for explaining,
Ludo’.