James Richardson <[email protected]> wrote:

> Ludovic Courtès writes:
>
>> Hi James,
>>
>> James Richardson <[email protected]> wrote:
>>
>>> I've managed to get nginx running as a service (I'm running GuixSD). I
>>> would like the nginx user to be in supplementary groups, obviously
>>> usermod and vim /etc/group are not the proper solution.
>>>
>>> %nginx-accounts seems not to be exported from (gnu services web).
>>>
>>> Is there a way to add supplementary groups to the nginx user?
>>
>> Not yet, but this kind of customization is what’s being discussed at
>> <https://bugs.gnu.org/27155>, so it’s good that you’re sharing this use
>> case now.
>>
>> Out of curiosity, what’s the desired effect of adding these
>> supplementary groups?
>
> I have files, mostly pictures and videos, whose access is controlled at
> the group level on the file system. I typically add that group to the
> nginx user, so I provide web access, security is controlled via basic
> authentication. I set this up a long time ago (probably 10 years or
> more, but it was probably apache then). There are probably better
> ways to do this now with better solutions (mediagoblin and nextcloud
> come to mind) today. My quick workaround was to move most things to
> the nginx group and open permissions on a few others.

I see, that makes sense.

> Apparently, I don't have a use case for this, or at least not one I can
> justify at the moment (I think I've fallen into the "we've always done it
> this way trap"). Now it is feasible to achieve isolation by
> spinning up a container or vps rather than trying to use groups to
> achieve isolation on the same host.

Yeah, but GuixSD should not prevent this other approach IMO.

Thanks for explaining,
Ludo’.
