From patchwork Fri Jan 24 17:23:08 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 2637
Subject: [bug#75810] [PATCH 0/6] Rootless guix-daemon
From: Ludovic Courtès
To: 75810@debbugs.gnu.org
Cc: Ludovic Courtès
X-Debbugs-Original-To: guix-patches@gnu.org
Date: Fri, 24 Jan 2025 18:23:08 +0100
X-Mailer: git-send-email 2.47.1

Hello Guix!

That guix-daemon runs as root is not confidence-inspiring for many.
Initially, the main reason for running it as root was, in the absence of
user namespaces, the fact that builders would be started under one of the
build user accounts, which only root can do. Now that unprivileged user
namespaces are almost ubiquitous (even on HPC clusters), this is no longer
a good reason.

This patch changes guix-daemon so it can run as an unprivileged user,
using unprivileged user namespaces to still support isolated builds.

There’s a couple of cases where root is/was still necessary:

  1. To create /var/guix/profiles/per-user/$USER and chown it as $USER
     (see CVE-2019-18192).

  2. To chown /tmp/guix-build-* when using ‘--keep-failed’.
Both can be addressed by giving CAP_CHOWN to guix-daemon, and this is what
this patch series does on distros using systemd. (For some reason
CAP_CHOWN had to be added to the set of “ambient capabilities”, which are
inherited by child processes; this is why there’s a patch to drop ambient
capabilities in build processes.)

On Guix System (not implemented here), we could address (1) by creating
/var/guix/profiles/per-user/$USER upfront for all the user accounts. We
could leave (2) unaddressed (so failed build directories would be owned by
guix-daemon:guix-daemon) or we’d have to pass CAP_CHOWN as well.

There’s another issue: /gnu/store can no longer be remounted read-only
(like we do on Guix System and on systemd with ‘gnu-store.mount’) because
then unprivileged guix-daemon would be unable to remount it read-write (or
at least I couldn’t find a way to do that). Thus ‘guix-install.sh’ no
longer installs ‘gnu-store.mount’ in that case. It’s a bit sad to lose
that so if anyone can think of a way to achieve it, that’d be great.

I tested all this in a Debian VM¹, along these lines:

  1. GUIX_ALLOW_ME_TO_USE_PRIVATE_COMMIT=yes make update-guix-package
  2. ./pre-inst-env guix pack -C zstd guix --without-tests=guix \
       --localstatedir --profile-name=current-guix
  3. Copy ‘guix-install.sh’ and the tarball to the VM over SSH.
  4. In the VM: GUIX_BINARY_FILE_NAME=pack.tar.zst ./guix-install.sh

The next step (in another patch series) would be Guix System support with
automatic transition (essentially “chown -R guix-daemon:guix-daemon
/gnu/store”).

Thoughts?

Ludo’.

¹ https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.9.0-amd64-standard.iso

Ludovic Courtès (6):
  daemon: Allow running as non-root with unprivileged user namespaces.
  DRAFT tests: Run in a chroot and unprivileged user namespaces.
  daemon: Create /var/guix/profiles/per-user unconditionally.
  daemon: Drop Linux ambient capabilities before executing builder.
  etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
  guix-install.sh: Support the unprivileged daemon where possible.

 build-aux/test-env.in       |  14 +++-
 config-daemon.ac            |   2 +-
 etc/guix-daemon.service.in  |  12 +++-
 etc/guix-install.sh         | 114 ++++++++++++++++++++++++-------
 guix/substitutes.scm        |   4 +-
 nix/libstore/build.cc       | 132 ++++++++++++++++++++++++++++++------
 nix/libstore/local-store.cc |  30 +++++---
 tests/store.scm             |  89 ++++++++++++++---------
 8 files changed, 300 insertions(+), 97 deletions(-)

base-commit: bc6769f1211104dbc9341c064275cd930f5dfa3a