diff mbox series

[bug#57016,v2] scripts: Bail out when running pull/package commands as root.

Message ID 20220806115525.23819-1-paren@disroot.org
State Accepted
Headers show
Series [bug#57016,v2] scripts: Bail out when running pull/package commands as root. | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git-branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

\( Aug. 6, 2022, 11:55 a.m. UTC
* guix/scripts/package.scm (assert-not-root): New procedure.
(%options): Add `--allow-root`.
(guix-package*): Add `#:allow-root?` keyword argument. Bail out when
  Guix is being run as root if `allow-root?` is not #T and `--allow-root`
  has not been passed.
* guix/scripts/install.scm (%options): Add `--allow-root` here...
* guix/scripts/remove.scm (%options): ...here...
* guix/scripts/upgrade.scm (%options): ...and here.
* guix/scripts/search.scm (guix-search): Explicitly allow execution as
  root here...
* guix/scripts/show.scm (guix-show): ...and here.
* guix/scripts/pull.scm (%options): Add `--allow-root`.
(guix-pull): Bail out when Guix is being run as root if `--allow-root`
  has not been passed.

A pretty common beginner mistake, it seems, is assuming that since
every other package manager you've used requires root for installing,
removing, and upgrading packages, Guix must too.

This is an especially dangerous assumption when applied to `guix pull`,
since I seem to recall that running that command as root breaks the
installation. (I'm pretty sure I once made that mistake, and spent
ages trying to figure out why it was broken.)

This commit tries to make it harder to make such an assumption, by
making commands such as `pull`, `package`, and `upgrade` bail out
when run as root. This can be overridden with the new `--allow-root`
flag for those commands.
---
 guix/scripts/install.scm |  4 +++-
 guix/scripts/package.scm | 31 ++++++++++++++++++++++++++++---
 guix/scripts/pull.scm    | 11 ++++++++++-
 guix/scripts/remove.scm  |  4 +++-
 guix/scripts/search.scm  |  3 ++-
 guix/scripts/show.scm    |  3 ++-
 guix/scripts/upgrade.scm |  4 +++-
 7 files changed, 51 insertions(+), 9 deletions(-)
diff mbox series

Patch

diff --git a/guix/scripts/install.scm b/guix/scripts/install.scm
index 63e625f266..21873e69c4 100644
--- a/guix/scripts/install.scm
+++ b/guix/scripts/install.scm
@@ -1,5 +1,6 @@ 
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -61,7 +62,8 @@  (define %options
          ;; Preserve some of the 'guix package' options.
          (append (filter (lambda (option)
                            (any (cut member <> (option-names option))
-                                '("profile" "dry-run" "verbosity" "bootstrap")))
+                                '("allow-root" "profile" "dry-run"
+                                  "verbosity" "bootstrap")))
                          %package-options)
 
                  %transformation-options
diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm
index 7d92598efa..918fd385d8 100644
--- a/guix/scripts/package.scm
+++ b/guix/scripts/package.scm
@@ -12,6 +12,7 @@ 
 ;;; Copyright © 2018 Steve Sprang <scs@stevesprang.com>
 ;;; Copyright © 2022 Josselin Poiret <dev@jpoiret.xyz>
 ;;; Copyright © 2022 Antero Mejr <antero@mailbox.org>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -64,7 +65,9 @@  (define-module (guix scripts package)
   #:use-module (srfi srfi-37)
   #:use-module (gnu packages)
   #:autoload   (gnu packages bootstrap) (%bootstrap-guile)
-  #:export (build-and-use-profile
+  #:export (assert-not-root
+
+            build-and-use-profile
             delete-generations
             delete-matching-generations
             guix-package
@@ -82,6 +85,20 @@  (define-module (guix scripts package)
 (define %store
   (make-parameter #f))
 
+(define (assert-not-root override-flag)
+  "Throw an error if Guix was invoked by root.  This allows us to
+inform new users that it is usually a mistake to run commands such
+as `guix package' as root.  OVERRIDE-FLAG should be a flag that can
+be used with the invoked command to override this requirement."
+  (when (= (getuid) 0)
+    (report-error (G_ "this command should not be run as root~%"))
+    (display-hint (format #f (G_ "Running this command as root will
+only affect the `root' user, not the entire system, due to Guix's
+support for per-user package management.  Use `~a' to continue
+regardless.~%")
+                          override-flag))
+    (exit 1)))
+
 
 ;;;
 ;;; Profiles.
@@ -658,6 +675,10 @@  (define %options
                    (values (cons `(query show ,arg)
                                  result)
                            #f)))
+         (option '("allow-root") #f #f
+                 (lambda (opt name arg result arg-handler)
+                   (values (alist-cons 'allow-root? #t result)
+                           #f)))
 
          (append %transformation-options
                  %standard-build-options)))
@@ -1079,10 +1100,14 @@  (define opts
 
   (guix-package* opts))
 
-(define (guix-package* opts)
+(define* (guix-package* opts #:key (allow-root? #f))
   "Run the 'guix package' command on OPTS, an alist resulting for command-line
-option processing with 'parse-command-line'."
+option processing with 'parse-command-line'.  If ALLOW-ROOT? is #T, don't bail
+out when running as root, even if `opts' doesn't set `allow-root?'."
   (with-error-handling
+    (unless (or allow-root? (assoc-ref opts 'allow-root?))
+      (assert-not-root "--allow-root"))
+
     (or (process-query opts)
         (parameterize ((%store  (open-connection))
                        (%graft? (assoc-ref opts 'graft?)))
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm
index b0cc459d63..7a871939af 100644
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@@ -2,6 +2,7 @@ 
 ;;; Copyright © 2013-2015, 2017-2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2020, 2021 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -45,7 +46,8 @@  (define-module (guix scripts pull)
   #:use-module (git)
   #:autoload   (gnu packages) (fold-available-packages)
   #:autoload   (guix scripts package) (build-and-use-profile
-                                       delete-matching-generations)
+                                       delete-matching-generations
+                                       assert-not-root)
   #:autoload   (gnu packages base) (canonical-package)
   #:autoload   (gnu packages bootstrap) (%bootstrap-guile)
   #:autoload   (gnu packages certs) (le-certs)
@@ -195,6 +197,9 @@  (define %options
          (option '("bootstrap") #f #f
                  (lambda (opt name arg result)
                    (alist-cons 'bootstrap? #t result)))
+         (option '("allow-root") #f #f
+                 (lambda (opt name arg result)
+                   (alist-cons 'allow-root? #t result)))
 
          (option '(#\h "help") #f #f
                  (lambda args
@@ -828,12 +833,16 @@  (define (no-arguments arg _)
      (let* ((opts         (parse-command-line args %options
                                               (list %default-options)
                                               #:argument-handler no-arguments))
+            (allow-root?  (assoc-ref opts 'allow-root?))
             (substitutes? (assoc-ref opts 'substitutes?))
             (dry-run?     (assoc-ref opts 'dry-run?))
             (profile      (or (assoc-ref opts 'profile) %current-profile))
             (current-channels (profile-channels profile))
             (validate-pull    (assoc-ref opts 'validate-pull))
             (authenticate?    (assoc-ref opts 'authenticate-channels?)))
+       (unless allow-root?
+         (assert-not-root "--allow-root"))
+
        (cond
         ((assoc-ref opts 'query)
          (process-query opts profile))
diff --git a/guix/scripts/remove.scm b/guix/scripts/remove.scm
index a46ad04d56..f7cf810544 100644
--- a/guix/scripts/remove.scm
+++ b/guix/scripts/remove.scm
@@ -1,5 +1,6 @@ 
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -58,7 +59,8 @@  (define %options
          ;; Preserve some of the 'guix package' options.
          (append (filter (lambda (option)
                            (any (cut member <> (option-names option))
-                                '("profile" "dry-run" "verbosity" "bootstrap")))
+                                '("allow-root" "profile" "dry-run"
+                                  "verbosity" "bootstrap")))
                          %package-options)
 
                  %standard-build-options)))
diff --git a/guix/scripts/search.scm b/guix/scripts/search.scm
index 27b9da5278..efa83e066c 100644
--- a/guix/scripts/search.scm
+++ b/guix/scripts/search.scm
@@ -1,6 +1,7 @@ 
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2021 Simon Tournier <zimon.toutoune@gmail.com>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -74,4 +75,4 @@  (define opts
   (unless (assoc-ref opts 'query)
     (leave (G_ "missing arguments: no regular expressions to search for~%")))
 
-  (guix-package* opts))
+  (guix-package* opts #:allow-root? #t))
diff --git a/guix/scripts/show.scm b/guix/scripts/show.scm
index c747eedd21..ae1e56469a 100644
--- a/guix/scripts/show.scm
+++ b/guix/scripts/show.scm
@@ -1,5 +1,6 @@ 
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019, 2021 Simon Tournier <zimon.toutoune@gmail.com>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -73,4 +74,4 @@  (define opts
   (unless (assoc-ref opts 'query)
     (leave (G_ "missing arguments: no package to show~%")))
 
-  (guix-package* (reverse opts)))
+  (guix-package* (reverse opts) #:allow-root? #t))
diff --git a/guix/scripts/upgrade.scm b/guix/scripts/upgrade.scm
index beb59cbe6f..e5a7c84108 100644
--- a/guix/scripts/upgrade.scm
+++ b/guix/scripts/upgrade.scm
@@ -2,6 +2,7 @@ 
 ;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Simon Tournier <zimon.toutoune@gmail.com>
+;;; Copyright © 2022 ( <paren@disroot.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -65,7 +66,8 @@  (define %options
          ;; Preserve some of the 'guix package' options.
          (append (filter (lambda (option)
                            (any (cut member <> (option-names option))
-                                '("profile" "dry-run" "verbosity" "do-not-upgrade")))
+                                '("allow-root" "profile" "dry-run"
+                                  "verbosity" "do-not-upgrade")))
                          %package-options)
 
                  %transformation-options