On Mon, Feb 15, 2021 at 11:58:59AM +0000, Laurent Bercot wrote:
> > So, if we have e.g. a <service>/data/perms/rules/uid/<uid>/allow file and if
> > s6-supervise checks this directory at the creation time and creates the
> > necessary file/directory with the respective uid/gid found at that
> > directory, we can configure a service's permissions permanently.
>
> Typically, if you're using s6-rc, this can be done via a s6-rc
> service running early, before the longruns are started. The "up"
> script can read attributes from a file and set them; the "down"
> script can save all the attributes to a file.
>
> Ideally, though, the user would be able to declare the attributes
> in service definition directories, and s6-rc would set them
> automatically at start. That wouldn't help with early services, but
> early services should be few and far between and their permissions
> shouldn't be trifled with.
>
> I can add that functionality to the next version of s6-rc. What do
> you think?
>
Services can fix their own permissions so if s6-rc is going to grow that
functionality it should be in the generated run, not in some rarely used
outboard helper service.
--
Colin Booth