NixOS and Anarki-Lisp: permission denied, error 13 although run as root

Hi guys,

I installed “racket” via the configuration file and got arc running (GitHub - arclanguage/anarki: Community-managed fork of the Arc dialect of Lisp; for commit privileges submit a pull request.). The anarki repo was cloned into my home folder “/root” and root is the only user account that is currently active. I am trying to run the news website from the repo with “./run-news.sh”. For this I had to adapt the shebang to find bash with “#!/usr/bin/env bash”. Now everything starts up fine.

But: when I try to access the webserver via localhost:8080, the console prints out a lot of “error 13: permission denied” errors for log files etc. under /root/anarki/www/logs. I do not understand this, because the server is started as root. In addition, I chmod the /root/anarki/www folder to 777 and tried again, same error.

Is there any security concept that takes action here that I am not aware of?

Thanks in advance

You can use strace -p <pid_of_web_server> -f to get a better understanding of which file operations result in EPERM (permission denied).

Thank you for the hint.

This is the error for the file:
[pid 26182] open("/root/anarki/www/logs/srv-2018-07-21", O_WRONLY|O_CREAT|O_APPEND|O_NONBLOCK, 0666) = -1 EACCES (Permission denied)

Your comment also led me to another thing: although the initial bash script is launched as root, it seems like the web server itself runs as user ‘2’:

root 26174 0.0 0.0 124960 3420 pts/0 S+ 15:45 0:00 /bin/sh ./run-news
root 26176 0.0 0.0 124980 3480 pts/0 S+ 15:45 0:00 /bin/sh ./arc.sh -n -i lib/run-news.arc
2 26182 2.4 3.2 355012 132992 pts/0 Sl+ 15:45 0:13 /run/current-system/sw/bin/racket -t /root/anarki/boot.rkt -e (anarki-init-in-main-namespace-verbose) (aload-with-main-settings (vector-ref (current-command-line-arguments) 0)) (tl-with-main-settings) lib/run-news.arc

This may cause the error. I am not sure how this can happen? Any additional hints appreciated!

The webserver must drop the root permission as part of its startup. This is application specific. Because /root has mode 0700 the new user doesn’t have access to the files.

Try to check out the repo under /opt/anarki for example and try to run it there. Or figure out where in the code it changes the user and remove that option.
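
Added example, not part of the thread or of the Anarki code: a small Python check that walks a log directory's ancestors and reports the first component that blocks a given uid, which shows why chmod 777 on www cannot help while /root stays 0700. The function names and the `base` parameter are hypothetical, and it assumes classic mode bits only (no ACLs, capabilities or mount options).

```python
import os


def allowed(st, uid, gids, want):
    """Classic Unix check: select owner, group or other bits, then test the `want` mask."""
    if uid == 0:
        return True  # root is not limited by directory mode bits
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want


def first_blocker(directory, uid, gids=(), base=os.sep):
    """Return (path, reason) for the first component, from `base` down, that stops
    `uid` from creating a file in `directory`; None if the mode bits allow it.
    `directory` must be inside `base`. ACLs and capabilities are ignored (assumption)."""
    directory = os.path.realpath(directory)
    chain = [os.path.realpath(base)]
    rel = os.path.relpath(directory, chain[0])
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    # Every ancestor needs search (x); the target directory needs write+search (wx).
    for path in chain[:-1]:
        if not allowed(os.stat(path), uid, gids, 0o1):
            return (path, "no search (x) permission")
    if not allowed(os.stat(chain[-1]), uid, gids, 0o3):
        return (chain[-1], "no write+search (wx) permission")
    return None


if __name__ == "__main__":
    # Path and uid 2 are taken from the thread; run as root so every component can be stat'ed.
    target = "/root/anarki/www/logs"
    if os.path.isdir(target):
        print(first_blocker(target, uid=2))
```

On the layout described in the thread this reports /root itself, because the dropped-privilege user lacks search permission there regardless of the modes further down.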