From patchwork Wed Mar 26 16:51:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40859 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 832C527BBEA; Wed, 26 Mar 2025 16:52:58 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 482E027BBE2 for ; Wed, 26 Mar 2025 16:52:58 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1txTzo-0004IO-EV; Wed, 26 Mar 2025 12:52:54 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTz9-00045M-JM for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1txTz0-0007WD-5m for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=pX3LSffILOqR/UkDvibjIkTZohWxhjxg21izy7L/1yo=; 
b=rc2kZYN8q1ModnvzUaRogE7XUS0CTShYmwMmpQM1NEDgLCmqBGtvYDg83MpnX3F7wy7kW1ZvJRjj9eJYttbCGPbjt9qPbCg6HD38V8gQWMZElOghuSFfkquSAYELpOt5tAsy2QTiX0kjPMfKUMm9xJSIOPcJJ/lX94j3+V9IaIFHBGn3R55WUbZ+aHKzntj2Kgby3MBITJ5V5pyize6Iy9s5bG/Xcn7bzas7O9G1MvFKq7JGXG3uI5vp62/GgF6ssrkWChO2+yHi5/N5RUlqAb2GiipOS6zVDYteJUqVlP4AVwYx6ur8sklF8/Vhuy8QEKKg6wtkedcWhmkzzK/yDg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1txTz0-0000ak-16 for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH 1/6] syscalls: Add =?utf-8?b?4oCYdW5zaGFyZQ==?= =?utf-8?b?4oCZLg==?= Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.17430078942181 (code B ref 77288); Wed, 26 Mar 2025 16:52:01 +0000 Received: (at 77288) by debbugs.gnu.org; 26 Mar 2025 16:51:34 +0000 Received: from localhost ([127.0.0.1]:44139 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1txTyX-0000Z1-ML for submit@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:34 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58030) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1txTyU-0000YQ-AV for 77288@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:30 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTyN-0007L8-VC; Wed, 26 Mar 2025 12:51:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; 
h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=pX3LSffILOqR/UkDvibjIkTZohWxhjxg21izy7L/1yo=; b=QqOzJW/sKkFZ/rkpCSHj UJFKphlQs6I+v/y9h8P9/OH1AbzmqTKVX5dQcVGpgbawlPcuwCwQY7ng5ELtQK4WX+nmlrheC7vKr v8N/umwn5qzCz1SEPLRgsfAVejz/JLkBAHZ7iUOoeRm5Me2JX0AnBTq2IdMlVhSL/DoSiDauKAJwf YhSVX/0VitsPoYuKF7WwT5zC1hnYQuT3594UAklOw9jnTeF3dYDEeDXMf3z471hR/VS4oDv/sdtDj HTjlmmQzOW/njV+iV4/NrC/k7PqwpjB/eZq00/rFnJrZIDpfESuD4VwdFrRpkq+1C17To9kj9GJat SqQn08zR97II7A==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:02 +0100 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * guix/build/syscalls.scm (unshare): New procedure. Change-Id: I344273b8bdeaa9366334e6e20ee7efc37eb6c8f7 --- guix/build/syscalls.scm | 18 ++++++++++++++++++ tests/syscalls.scm | 9 +++++++++ 2 files changed, 27 insertions(+) diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index 42232fc7f1..cf09cae3a4 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -145,6 +145,7 @@ (define-module (guix build syscalls) CLONE_NEWPID CLONE_NEWNET clone + unshare setns kexec-load-file 
@@ -1213,6 +1214,23 @@ (define clone (list err)) ret))))) +(define unshare + (let ((proc (syscall->procedure int "unshare" (list int)))) + (lambda (flags) + "Disassociate the current process from parts of its execution context +according to FLAGS, which must be a logical or of CLONE_NEW* constants. + +Note that CLONE_NEWUSER requires that the calling process be single-threaded, +which is possible if and only if libgc is running a single marker thread; this +can be achieved by setting the GC_MARKERS environment variable to 1. If the +calling process is multi-threaded, this throws to 'system-error' with EINVAL." + (let-values (((ret err) + (without-automatic-finalization (proc flags)))) + (unless (zero? ret) + (throw 'system-error "unshare" "~a: ~A" + (list flags (strerror err)) + (list err))))))) + (define setns ;; Some systems may be using an old (pre-2.14) version of glibc where there ;; is no 'setns' function available. diff --git a/tests/syscalls.scm b/tests/syscalls.scm index d2848879d7..879c3e4f25 100644 --- a/tests/syscalls.scm +++ b/tests/syscalls.scm 
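Review bot: the docstring of ‘unshare’ only documents the EINVAL case for CLONE_NEWUSER in a multi-threaded process, yet the flag this series actually uses is CLONE_NEWNS, whose usual failure is EPERM when the caller lacks CAP_SYS_ADMIN (the very behaviour the new tests/syscalls.scm test depends on). Adding one sentence to the docstring ("without CAP_SYS_ADMIN, unshare fails with EPERM for CLONE_NEWNS and the other namespace flags") would save callers from a bare ‘unshare: ...: Operation not permitted’. The "possible if and only if libgc is running a single marker thread" wording is also stronger than what the procedure enforces, since nothing here checks the thread count; "requires that the process be single-threaded, which in practice means setting GC_MARKERS=1" states exactly what is known.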
@@ -149,6 +149,15 @@ (define perform-container-tests? ((_ . status) (= 42 (status:exit-val status)))))))) +(test-equal "unshare" + EPERM + ;; Unless running as root, (unshare CLONE_NEWNS) returns EPERM. + (catch 'system-error + (lambda () + (unshare CLONE_NEWNS)) + (lambda args + (system-error-errno args)))) + (unless perform-container-tests? (test-skip 1)) (test-assert "setns" From patchwork Wed Mar 26 16:51:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40855 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 0F9DB27BBEA; Wed, 26 Mar 2025 16:52:13 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 7D62727BBE2 for ; Wed, 26 Mar 2025 16:52:12 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1txTz5-00044b-E4; Wed, 26 Mar 2025 12:52:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTz0-000444-7D for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:03 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1txTyz-0007W9-Ni for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:01 -0400 DKIM-Signature: v=1; 
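Review bot: the new "unshare" test asserts EPERM unconditionally, so it fails whenever the test suite runs as root (common in container builds): there, ‘(unshare CLONE_NEWNS)’ succeeds, no 'system-error is raised, and ‘test-equal’ compares EPERM against an unspecified value. In that case the test also really moves the test process into a fresh mount namespace, which can confuse later tests in the same file. The file already uses a guard right after this hunk for the "setns" test, ‘(unless perform-container-tests? (test-skip 1))’; a similar guard on ‘(zero? (getuid))’ that either skips the test or expects success would make it deterministic.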
a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=CJ/L9kunERGnh6KdCeg3IMWjSzFeEbgPhD2pk3HBqVQ=; b=o1TljbrKidpQsMNNtyZJJgsbeDr1Tbr3mjV/8trJErU9mQCG0QJ4La403olz62NQDXJnUifH5gI+4uqbLqxV2FnpQg5VpBeosUwiQ5Ny/pxpVOQgZJns4nt2QuakkBhlGeo4U9wjxC3w9YZ+E95nG8bL9NlySz86H4uaenOct0mRs/area8nKywb1sRCFidJJKnrGcB8/rUO3shJn6l+ZVxqPDPRMM8rzHZQ2D5s6C6m8lkHY3yGg0KKU0ffSVXWB4ES0OiUwopPW2RwKlAJRBG4AtGyrfh2ijlWeGvPGcz17Kg88HOV4YriVdbtpYsLl21rgpMeF33/g7wVq078Bw==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1txTyz-0000ab-IU for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH 2/6] services: account: Create /var/guix/profiles/per-user/$USER. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.17430078932174 (code B ref 77288); Wed, 26 Mar 2025 16:52:01 +0000 Received: (at 77288) by debbugs.gnu.org; 26 Mar 2025 16:51:33 +0000 Received: from localhost ([127.0.0.1]:44137 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1txTyX-0000Yz-8X for submit@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58046) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1txTyU-0000YT-8K for 77288@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:30 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 
1txTyO-0007LF-VN; Wed, 26 Mar 2025 12:51:24 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=CJ/L9kunERGnh6KdCeg3IMWjSzFeEbgPhD2pk3HBqVQ=; b=Lu/jLpEy+jtFYcMxYx29 OEOKG83VFVDT1EGILU4Omei7V2Ty7+Myr33G+EjlMFw3iyTOYwn3QX3vRdOvJgeWRK4xgv20+obFF Toa+0QLvy4DvuEZ+ah/oc++ZRfa15KJqaVfwEtoCqwOai7gmzAFc6dqA5vChtwIcH7hzZS2O/wta+ +3dLqlpY4+bAxtDG6icO1ynbBmnd54X/qqFN2FAhwlLm5r+SPiiNMmwzv5bNdyLIdfO530HhDpA+u yoEH/d055bfDt3aBTl9thnHp7SKpPmjwPdWN6EjFMdZTzlvmY19UnVLYrblivnRkzN+SGjFG2jszQ wKlR6bzjihXDgA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:03 +0100 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/system/shadow.scm (account-shepherd-service): Create /var/guix/profiles/per-user/$USER in ‘user-homes’ service. Change-Id: I22e66e8a34d63686df9bae64c68df65c8889e72a --- gnu/system/shadow.scm | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm index b68a818871..d0f1b6b2b1 100644 --- a/gnu/system/shadow.scm +++ b/gnu/system/shadow.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2013-2020, 2022, 2023 Ludovic Courtès +;;; Copyright © 2013-2020, 2022-2023, 2025 Ludovic Courtès ;;; Copyright © 2016 Alex Griffin ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen ;;; Copyright © 2020, 2023 Efraim Flashner 
@@ -460,6 +460,12 @@ (define (account-shepherd-service accounts+groups) (define accounts (filter user-account? accounts+groups)) + (define regular-account-names + (filter-map (lambda (account) + (and (not (user-account-system? account)) + (user-account-name account))) + accounts)) + ;; Create home directories only once 'file-systems' is up. This makes sure ;; they are created in the right place if /home lives on a separate ;; partition. 
@@ -480,6 +486,17 @@ (define (account-shepherd-service accounts+groups) (activate-user-home (map sexp->user-account (list #$@(map user-account->gexp accounts)))) + + ;; Create the user's profile directory upfront: + ;; guix-daemon lacks permissions to create it when it is + ;; running as an unprivileged user. + (for-each (lambda (account) + (let ((profile (in-vicinity + "/var/guix/profiles/per-user" + account)) + (owner (getpwnam account))) + (mkdir-p/perms profile owner #o755))) + '#$regular-account-names) #t))) ;success (documentation "Create user home directories.")))) From patchwork Wed Mar 26 16:51:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40856 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 80DFB27BBEA; Wed, 26 Mar 2025 16:52:28 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 4A9E727BBE2 for ; Wed, 26 Mar 2025 16:52:28 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1txTzI-00049V-7u; Wed, 26 Mar 2025 12:52:21 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTz9-00045R-Sw for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by 
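Review bot: the ‘for-each’ in the ‘user-homes’ start handler has no per-account error handling, so one ‘getpwnam’ failure (an account in REGULAR-ACCOUNT-NAMES not yet present in the passwd database) or one ‘mkdir-p/perms’ failure throws out of the whole loop: the remaining users get no profile directory and the service fails to start even though the home directories above were already created. Wrapping each iteration in a ‘catch 'system-error’ that logs the account and continues keeps one bad entry from breaking the others. The comment should also say what happens when /var/guix/profiles/per-user/USER already exists with different ownership, for example a root-owned directory left over from a privileged daemon, which is exactly the migration case the ‘privileged?’ patch later in this series introduces: if ‘mkdir-p/perms’ only creates missing directories, please state that the existing directory is left alone (and who fixes its ownership), otherwise confirm it re-chowns.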
eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1txTz0-0007WG-KQ for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=xCCzckKP82CnyuCIo9fuJVhLYLiOCYeDm9GnRHKF0VY=; b=DfaTB31/iC8+/zkUfWsXWU8KT72Gh6WiwumXBA/p4RGLPgP1Mg3JLYCpmkgkczC/zaX5T3tzTU3eY6DI1LJxyrwwpX2X8iM3VECThb/nCIaxZCFUgL5VMJwNfcswKn2iKfOV3YrgjwpH3lwoIShpNPOb0MoBK113WIOoDCcVzovNrRTJmVTZ3XKjoMI9M5u1XyQ3XhGfi2hp0R/XZ4QBErCNJivctodsZMb7dybDsdpX0gP0Fl55Sx+gd4p7OhcMM7OqjZ+PzCd7xpxBUj9crU8QRIFY6omfJruSaKCsYRwSb3BqGR86/OwND1nHJQNy6FYrXHuTQsqqAfI0bpomWA==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1txTz0-0000ar-El for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH 3/6] tests: guix-daemon: Send system log output to /dev/console. 
Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.17430079052215 (code B ref 77288); Wed, 26 Mar 2025 16:52:02 +0000 Received: (at 77288) by debbugs.gnu.org; 26 Mar 2025 16:51:45 +0000 Received: from localhost ([127.0.0.1]:44145 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1txTyj-0000Ze-9S for submit@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58050) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1txTyV-0000YV-6S for 77288@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:31 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTyP-0007LO-TM; Wed, 26 Mar 2025 12:51:25 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=xCCzckKP82CnyuCIo9fuJVhLYLiOCYeDm9GnRHKF0VY=; b=lPYRnG6m976S/6LfbrzV 0bZq+p2QUD8qjo4qjbiUkFtvR9RFcw2V7Q/rQJuYlnEsYlwwWaNoKsh0neIiKgMWC3cJ7TCn51Pd0 Mvnp7Eft5zBpLAlMwzh37CJ2kc3rqtwiMruC2h8+vr+4XFE2GMTonyiiLwkWFHRCGHIjNOGu3hjzU CJRMIcUECsmh3WJ/Z4k7/if/JKNJ9T3qNoJwpCctyS/noYEtm/GkHTlRh5k6Aovckqd/+1v8HACVt seXqwrE4cwBkkgOLxFKKUxbKUVgasOwnJg+WId1f7Wt1FkekOkxDow2vpsskBp7xq0T/+jYhrMIRr 9LM60OBCTI3mGw==; 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:04 +0100 Message-ID: <1d864f493260f758050b5a39668b3aed8c79466b.1743007256.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/tests/base.scm (%daemon-os): New variable. (%test-guix-daemon): Use it. Change-Id: Iea31808cc59e94971ea4cbc12d565c94348bf7a4 --- gnu/tests/base.scm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index a7f8a5bf7c..0f7fb543a7 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -994,6 +994,10 @@ (define %test-activation ;;; Build daemon. ;;; +(define %daemon-os + (operating-system-with-console-syslog + (simple-operating-system))) + (define (manifest-entry-without-grafts entry) "Return ENTRY with grafts disabled on its contents." (manifest-entry 
@@ -1168,7 +1172,7 @@ (define %test-guix-daemon (let ((os (marionette-operating-system (operating-system (inherit (operating-system-with-gc-roots - %simple-os + %daemon-os (list (profile (name "hello-build-dependencies") (content %hello-dependencies-manifest))))) From patchwork Wed Mar 26 16:51:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40860 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 5CF0827BBEA; Wed, 26 Mar 2025 16:52:59 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 1AD9E27BBE2 for ; Wed, 26 Mar 2025 16:52:59 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1txTzs-0004Jx-P0; Wed, 26 Mar 2025 12:52:56 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTz9-00045P-Rw for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1txTz1-0007WI-0v for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; 
h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=gKI5dMXI0sDlCCCNGZpFka8Qpc+H6GgunfDTs5URY5s=; b=azt0PfEPc6sKiL9/s8kjm2pr2L6RaOy776OeDzoAYqOpRpDoj5uj5sNG6rvZC3+iR5XqhwYO1sGDgpd9P+WQHUPL4PyJkyq3VGfxOlXUmnx5Vs0uJw76lnwmmJZZG6bwXVj4BCKHHKG4ZVIjrMlpux3EkRTuYJg0vVPKuMHDMQQHQo/0dL+zgS+L5HiNNYeVnzL3y+mZsoLUtzL58HHg37c86bcnJveNEdpfkCC0syf6nuDVV2kgKpLLoNu82iNTQg68BpUKNfUh2wusgWwe/x0uBC3NG2dOOtINiPvGSBSIefOpzlxRJO6Kpe+92k0y862y/j16YD8INBsHMcYOrg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1txTz0-0000ay-Se for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH 4/6] tests: guix-daemon: Wait for the =?utf-8?b?4oCYZ3VpeC1kYWVtb27igJk=?= service to be up. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.17430079062223 (code B ref 77288); Wed, 26 Mar 2025 16:52:02 +0000 Received: (at 77288) by debbugs.gnu.org; 26 Mar 2025 16:51:46 +0000 Received: from localhost ([127.0.0.1]:44147 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1txTyj-0000Zg-Nh for submit@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:46 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58056) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1txTyW-0000YX-IF for 77288@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:32 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTyQ-0007LV-UK; Wed, 26 Mar 2025 12:51:27 -0400 
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=gKI5dMXI0sDlCCCNGZpFka8Qpc+H6GgunfDTs5URY5s=; b=XGGZ3pdrQdJhVLNKdgnE 40JHK2xPElvs4JKrwocE9Xz0nc1otqFaxl7nhlvt+bHy/p0HzFwrWmFKc7rkMXZVHKAdPE9H2DFf2 73lZ38UEErgG20BWQK5T8n4oR4CRdOG4M4exKJGKPo52PTPqw1jE8APvhRe7qsa3AQiDLegkOGwO1 rz20eTiEgZerCSG9Q5HIXDL+IlGZ3itbXcW41ohpvqGu5CYfqMeW9eK4Jsa6u0o87ut4BnlRkbuEP T0iOChkbX088nz+08SnPBWsNvwYqKKEZJylUq6jK80PIGldIbKXhJsjnM6hAedApptH/PGFy0/9BA 0yMNiHxjxaF/Rg==; From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:05 +0100 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/tests/base.scm (run-guix-daemon-test): Add “guix-daemon service is up” test. Change-Id: I4d44a1248599fec45c854c285d4da201c30eb00c --- gnu/tests/base.scm | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 0f7fb543a7..83e047f7e6 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm 
@@ -1157,6 +1157,13 @@ (define (run-guix-daemon-test os) (test-runner-current (system-test-runner #$output)) (test-begin "guix-daemon") + (test-assert "guix-service is running" + ;; Wait for 'guix-daemon' to be up. + (marionette-eval '(begin + (use-modules (gnu services herd)) + (start-service 'guix-daemon)) + marionette)) + #$(guix-daemon-test-cases #~marionette) (test-end)))) From patchwork Wed Mar 26 16:51:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40858 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 54CE327BBEA; Wed, 26 Mar 2025 16:52:49 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 403F927BBE2 for ; Wed, 26 Mar 2025 16:52:48 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1txTzQ-0004Az-2I; Wed, 26 Mar 2025 12:52:33 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTz9-00045S-TE for guix-patches@gnu.org; Wed, 26 Mar 2025 12:52:12 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1txTz2-0007WJ-2O; Wed, 26 Mar 2025 12:52:11 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; 
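Review bot: the test name in the hunk, "guix-service is running", does not match the name given in the commit message ("guix-daemon service is up") and does not name the service it actually waits on; use one name in both places, e.g. "guix-daemon service is up". The assertion only checks that ‘start-service’ returned a true value; since the purpose stated in the comment is to wait until the daemon is up before ‘guix-daemon-test-cases’ run, consider following it with a check that the daemon is actually reachable, otherwise a service that reports started but is not yet accepting connections passes here and fails in the next test with a less obvious message.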
c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:References:In-Reply-To:Date:From:To:Subject; bh=qYYVNgb+ThfS8s8i9+Nb3/LexlVoe5V9LNmeKUHcJo0=; b=o1j9aeXyksVsVgqG3qz3GNruXtCK5XGwk3yoEtzWZf+Z//1AS3TP2i9U630CHnL9uzG3yHvQX5LXXiUSIRUCy2AC75DeOPjeSaM733DmQON2JxGmY5KhvilRhluow9jNoQYN2sccm3aP5gy2KF4ZVEXkyRfNecw+uSnK1ehJsCo4yYahgXhj31FMxvEg6BbzT+WFchRlc5WRaetaApYjF19T7kFH+kKdvBiu3dHoImb58ahhmL1OsPGeMcPvDWhMeh5hUNND3BaDhWlBiLrR1593zgRwMgJsN5NE3Yfmi3Z7JDDDz9jTQ+tec9pW21NDYY6e4gFv0ypSn7++OO91kg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1txTz1-0000bJ-PH; Wed, 26 Mar 2025 12:52:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77288] [PATCH 5/6] services: guix: Allow =?utf-8?b?4oCYZ3Vp?= =?utf-8?b?eC1kYWVtb27igJk=?= to run without root privileges. Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: ludo@gnu.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org Resent-Date: Wed, 26 Mar 2025 16:52:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 77288 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77288@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= , Ludovic =?utf-8?q?Court?= =?utf-8?q?=C3=A8s?= , Maxim Cournoyer X-Debbugs-Original-Xcc: Ludovic =?utf-8?q?Court=C3=A8s?= , Maxim Cournoyer Received: via spool by 77288-submit@debbugs.gnu.org id=B77288.17430079172255 (code B ref 77288); Wed, 26 Mar 2025 16:52:03 +0000 Received: (at 77288) by debbugs.gnu.org; 26 Mar 2025 16:51:57 +0000 Received: from localhost ([127.0.0.1]:44151 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1txTyu-0000aI-A5 for submit@debbugs.gnu.org; Wed, 26 Mar 2025 12:51:57 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:58070) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1txTyY-0000YZ-G4 for 77288@debbugs.gnu.org; Wed, 26 Mar 2025 
12:51:35 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1txTyS-0007Lh-7a; Wed, 26 Mar 2025 12:51:29 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=qYYVNgb+ThfS8s8i9+Nb3/LexlVoe5V9LNmeKUHcJo0=; b=EqT6zJTQ3MgOm8Hm9rZC 2obHZofEXKfaXprA4H22M22MBkq7efMsIEMYfPguPPyElMHAXQJ4rJEmVv9Ie70HSpoBcktNKNyQn HYiEr0r/UzmYgQxMuN/0xv/NXlYucQ3DMzb3mdyvxYhyeq8eKoPfzx6Z1HOF0AwqwTTfVahqz7TGi id7t90uLuYukqoJ/Ukl9oaj4RzQGYUF1fs5FqjjLcXwk4ZynEUfgY3AjkA1pHPXE3KoBhrSDxGHl2 C4p6Qo+DnB9arxfWP5tfL9sIZo6OX+FlGQAkKcr41565ZwdJL9I6jFbYAJZBgry834ujRNzBSXrq3 jEqGn8imdeTJSg==; 
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:06 +0100 Message-ID: X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches * gnu/services/base.scm (run-with-writable-store) (guix-ownership-change-program): New procedures. ()[privileged?]: New field. (guix-shepherd-service): Rename to… (guix-shepherd-services): … this. Add the ‘guix-ownership’ service. Change ‘guix-daemon’ service to depend on it; when unprivileged, prefix ‘daemon-command’ by ‘run-with-writable-store’ and omit ‘--build-users-group’; adjust socket activation endpoints. (guix-accounts): When unprivileged, create the “guix-daemon” user and group. (guix-service-type)[extensions]: Adjust to name change. * gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter. (%test-guix-daemon): Adjust accordingly. (%test-guix-daemon-unprivileged): New test. * doc/guix.texi (Base Services): Document ‘privileged?’. Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163 --- doc/guix.texi | 30 +++++++ gnu/services/base.scm | 187 ++++++++++++++++++++++++++++++++++++++---- gnu/tests/base.scm | 47 +++++++++-- 3 files changed, 244 insertions(+), 20 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 5af41830ca..f58688f57a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -20046,6 +20046,36 @@ Base Services The Guix package to use. @xref{Customizing the System-Wide Guix} to learn how to provide a package with a pre-configured set of channels. +@cindex unprivileged @command{guix-daemon} +@cindex rootless @command{guix-daemon} +@item @code{privileged?} (default: @code{#t}) +Whether to run @command{guix-daemon} as root. + +When true, @command{guix-daemon} runs with root privileges and build +processes run under unprivileged user accounts as specified by +@code{build-group} and @code{build-accounts} (see below); when false, +@command{guix-daemon} run as the @code{guix-daemon} user, which is +unprivileged, and so do build processes. The unprivileged or +``rootless'' mode can reduce the impact of some classes of +vulnerabilities that could affect the daemon. + +The default is currently @code{#t} (@command{guix-daemon} runs with root +privileges) but may eventually be changed to @code{#f}. + +@quotation Warning +When changing this option, @file{/gnu/store}, @file{/var/guix}, and +@file{/etc/guix} have their ownership automatically changed by the +@code{guix-ownership} service to either the @code{guix-daemon} user or +the @code{root} user. + +This can take a while, especially if @file{/gnu/store} is big; it cannot +be interrupted and @command{guix-daemon} cannot be used until it has +completed. +@end quotation + +@xref{Build Environment Setup}, for more information on the two ways to +run @command{guix-daemon}. + @item @code{build-group} (default: @code{"guixbuild"}) Name of the group for build user accounts. diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 9a9dfdb304..8f66f54e74 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
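Review bot: grammar in the new @code{privileged?} entry: "@command{guix-daemon} run as the @code{guix-daemon} user, which is unprivileged, and so do build processes" should read "runs as the @code{guix-daemon} user, which is unprivileged, and so do build processes". Two documentation points for the same paragraph: "can reduce the impact of some classes of vulnerabilities" does not say which, and one sentence making the trade-off concrete (a compromised daemon no longer holds root on the host; it owns only @file{/gnu/store}, @file{/var/guix} and @file{/etc/guix}, which is what the warning below lists) would help administrators decide. The warning says the ownership change "cannot be interrupted" but not what happens if the machine reboots half-way through a large store (whether the next boot resumes or restarts the change); that is the question a reader with a big @file{/gnu/store} will have, so it is worth answering here.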
@@ -1917,6 +1917,100 @@ (define (guix-machines-files-installation machines) #$machines)) machines-file)))) +(define (run-with-writable-store) + "Return a wrapper that runs the given command under the specified UID and +GID in a context where the store is writable, even if it was bind-mounted +read-only via %IMMUTABLE-STORE (this wrapper must run as root)." + (program-file "run-with-writable-store" + (with-imported-modules (source-module-closure + '((guix build syscalls))) + #~(begin + (use-modules (guix build syscalls) + (ice-9 match)) + + (define (ensure-writable-store store) + ;; Create a new mount namespace and remount STORE with + ;; write permissions if it's read-only. + (unshare CLONE_NEWNS) + (let ((fs (statfs store))) + (unless (zero? (logand (file-system-mount-flags fs) + ST_RDONLY)) + (mount store store "none" + (logior MS_BIND MS_REMOUNT))))) + + (match (command-line) + ((_ user group command args ...) + (ensure-writable-store #$(%store-prefix)) + (let ((uid (or (string->number user) + (passwd:uid (getpwnam user)))) + (gid (or (string->number group) + (group:gid (getgrnam group))))) + (setgroups #()) + (setgid gid) + (setuid uid) + (apply execl command command args)))))))) + +(define (guix-ownership-change-program) + "Return a program that changes ownership of the store and other data files +of Guix to the given UID and GID." + (program-file "validate-guix-ownership" + (with-imported-modules (source-module-closure + '((guix build utils))) + #~(begin + (use-modules (guix build utils) + (ice-9 ftw) + (ice-9 match)) + + (define (lchown file uid gid) + (let ((parent (open (dirname file) O_DIRECTORY))) + (chown-at parent (basename file) uid gid + AT_SYMLINK_NOFOLLOW) + (close-port parent))) + + (define (change-ownership directory uid gid) + ;; chown -R UID:GID DIRECTORY + (file-system-fold (const #t) ;enter? + (lambda (file stat result) ;leaf + (if (eq? 
'symlink (stat:type stat)) + (lchown file uid gid) + (chown file uid gid))) + (const #t) ;down + (lambda (directory stat result) ;up + (chown directory uid gid)) + (const #t) ;skip + (lambda (file stat errno result) + (format (current-error-port) "i/o error: ~a: ~a~%" + file (strerror errno)) + #f) + #t ;seed + directory + lstat)) + + (define (claim-data-ownership uid gid) + (format #t "Changing file ownership for /gnu/store \ +and data directories to ~a:~a...~%" + uid gid) + (change-ownership #$(%store-prefix) uid gid) + (let ((excluded '("." ".." "profiles" "userpool"))) + (for-each (lambda (directory) + (change-ownership (in-vicinity "/var/guix" directory) + uid gid)) + (scandir "/var/guix" + (lambda (file) + (not (member file + excluded)))))) + (chown "/var/guix" uid gid) + (change-ownership "/etc/guix" uid gid) + (mkdir-p "/var/log/guix") + (change-ownership "/var/log/guix" uid gid)) + + (match (command-line) + ((_ (= string->number (? integer? uid)) + (= string->number (? integer? gid))) + (setlocale LC_ALL "C.UTF-8") ;for file name decoding + (setvbuf (current-output-port) 'line) + (claim-data-ownership uid gid))))))) + (define-record-type* guix-configuration make-guix-configuration guix-configuration? @@ -1958,6 +2052,8 @@ (define-record-type* (default #f)) (tmpdir guix-tmpdir ;string | #f (default #f)) + (privileged? guix-configuration-privileged? + (default #t)) (build-machines guix-configuration-build-machines ;list of gexps | '() (default '())) (environment guix-configuration-environment ;list of strings @@ -2020,7 +2116,7 @@ (define shepherd-discover-action (environ environment) #t))))) -(define (guix-shepherd-service config) +(define (guix-shepherd-services config) "Return a for the Guix daemon service with CONFIG." (define locales (let-system (system target) 
@@ -2029,16 +2125,57 @@ (define (guix-shepherd-service config) glibc-utf8-locales))) (match-record config - (guix build-group build-accounts chroot? authorize-key? authorized-keys + (guix privileged? + build-group build-accounts chroot? authorize-key? authorized-keys use-substitutes? substitute-urls max-silent-time timeout log-compression discover? extra-options log-file http-proxy tmpdir chroot-directories environment socket-directory-permissions socket-directory-group socket-directory-user) (list (shepherd-service + (provision '(guix-ownership)) + (requirement '(user-processes user-homes)) + (one-shot? #t) + (start #~(lambda () + (let* ((store #$(%store-prefix)) + (stat (lstat store)) + (privileged? #$(guix-configuration-privileged? + config)) + (change-ownership #$(guix-ownership-change-program)) + (with-writable-store #$(run-with-writable-store))) + ;; Check whether we're switching from privileged to + ;; unprivileged guix-daemon, or vice versa, and adjust + ;; file ownership accordingly. Spawn a child process + ;; if and only if something needs to be changed. + ;; + ;; Note: This service remains in 'starting' state for + ;; as long as CHANGE-OWNERSHIP is running. That way, + ;; 'guix-daemon' starts only once we're done. + (cond ((and (not privileged?) + (or (zero? (stat:uid stat)) + (zero? (stat:gid stat)))) + (let ((user (getpwnam "guix-daemon"))) + (format #t "Changing to unprivileged guix-daemon.~%") + (zero? + (system* with-writable-store "0" "0" + change-ownership + (number->string (passwd:uid user)) + (number->string (passwd:gid user)))))) + ((and privileged? + (and (not (zero? (stat:uid stat))) + (not (zero? (stat:gid stat))))) + (format #t "Changing to privileged guix-daemon.~%") + (zero? 
(system* with-writable-store "0" "0" + change-ownership "0" "0"))) + (else #t))))) + (documentation "Ensure that the store and other data files used by +guix-daemon have the right ownership.")) + + (shepherd-service (documentation "Run the Guix daemon.") (provision '(guix-daemon)) (requirement `(user-processes + guix-ownership ,@(if discover? '(avahi-daemon) '()))) (actions (list shepherd-set-http-proxy-action shepherd-discover-action)) @@ -2062,8 +2199,15 @@ (define (guix-shepherd-service config) (or (getenv "discover") #$discover?)) (define daemon-command - (cons* #$(file-append guix "/bin/guix-daemon") - "--build-users-group" #$build-group + (cons* #$@(if privileged? + #~() + #~(#$(run-with-writable-store) + "guix-daemon" "guix-daemon")) + + #$(file-append guix "/bin/guix-daemon") + #$@(if privileged? + #~("--build-users-group" #$build-group) + #~()) "--max-silent-time" #$(number->string max-silent-time) "--timeout" #$(number->string timeout) @@ -2144,9 +2288,11 @@ (define (guix-shepherd-service config) "/var/guix/daemon-socket/socket") #:name "socket" #:socket-owner - (or #$socket-directory-user 0) + (or #$socket-directory-user + #$(if privileged? 0 "guix-daemon")) #:socket-group - (or #$socket-directory-group 0) + (or #$socket-directory-group + #$(if privileged? 0 "guix-daemon")) #:socket-directory-permissions #$socket-directory-permissions))) ((make-systemd-constructor daemon-command 
@@ -2161,15 +2307,26 @@ (define (guix-shepherd-service config) (define (guix-accounts config) "Return the user accounts and user groups for CONFIG." - (cons (user-group - (name (guix-configuration-build-group config)) - (system? #t) + (if (guix-configuration-privileged? config) + (cons (user-group + (name (guix-configuration-build-group config)) + (system? #t) - ;; Use a fixed GID so that we can create the store with the right - ;; owner. - (id 30000)) - (guix-build-accounts (guix-configuration-build-accounts config) - #:group (guix-configuration-build-group config)))) + ;; Use a fixed GID so that we can create the store with the right + ;; owner. + (id 30000)) + (guix-build-accounts (guix-configuration-build-accounts config) + #:group (guix-configuration-build-group + config))) + (list (user-group (name "guix-daemon") (system? #t)) + (user-account + (name "guix-daemon") + (group "guix-daemon") + (system? #t) + (supplementary-groups '("kvm")) + (comment "Guix Daemon User") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")))))) (define (guix-activation config) "Return the activation gexp for CONFIG." @@ -2227,7 +2384,7 @@ (define guix-service-type (service-type (name 'guix) (extensions - (list (service-extension shepherd-root-service-type guix-shepherd-service) + (list (service-extension shepherd-root-service-type guix-shepherd-services) (service-extension account-service-type guix-accounts) (service-extension activation-service-type guix-activation) (service-extension profile-service-type diff --git a/gnu/tests/base.scm b/gnu/tests/base.scm index 83e047f7e6..12d4e70ee5 100644 --- a/gnu/tests/base.scm +++ b/gnu/tests/base.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2016-2020, 2022, 2024 Ludovic Courtès +;;; Copyright © 2016-2020, 2022, 2024-2025 Ludovic Courtès ;;; Copyright © 2018 Clément Lassieur ;;; Copyright © 2022 Maxim Cournoyer ;;; Copyright © 2022 Marius Bakke 
@@ -63,7 +63,8 @@ (define-module (gnu tests base) %hello-dependencies-manifest guix-daemon-test-cases - %test-guix-daemon)) + %test-guix-daemon + %test-guix-daemon-unprivileged)) (define %simple-os (simple-operating-system)) @@ -1121,7 +1122,7 @@ (define (guix-daemon-test-cases marionette) (system-error-errno args))) #$marionette)))) -(define (run-guix-daemon-test os) +(define (run-guix-daemon-test os name) (define test-image (image (operating-system os) (format 'compressed-qcow2) @@ -1161,6 +1162,12 @@ (define (run-guix-daemon-test os) ;; Wait for 'guix-daemon' to be up. (marionette-eval '(begin (use-modules (gnu services herd)) + (start-service 'guix-daemon) + + ;; XXX: Do it a second time to work around + ;; and its + ;; effect on the 'guix-ownership' service. + ;; TODO: Remove when Shepherd 1.0.4 is out. (start-service 'guix-daemon)) marionette)) @@ -1168,7 +1175,7 @@ (define (run-guix-daemon-test os) (test-end)))) - (gexp->derivation "guix-daemon-test" test)) + (gexp->derivation name test)) (define %test-guix-daemon (system-test 
@@ -1190,4 +1197,34 @@ (define %test-guix-daemon %base-user-accounts))) #:imported-modules '((gnu services herd) (guix combinators))))) - (run-guix-daemon-test os))))) + (run-guix-daemon-test os "guix-daemon-test"))))) + +(define %test-guix-daemon-unprivileged + (system-test + (name "guix-daemon-unprivileged") + (description + "Test 'guix-daemon' behavior on a multi-user system, where 'guix-daemon' +runs unprivileged.") + (value + (let ((os (marionette-operating-system + (let ((base (operating-system-with-gc-roots + %daemon-os + (list (profile + (name "hello-build-dependencies") + (content %hello-dependencies-manifest)))))) + (operating-system + (inherit base) + (kernel-arguments '("console=ttyS0")) + (users (cons (user-account + (name "user") + (group "users")) + %base-user-accounts)) + (services + (modify-services (operating-system-user-services base) + (guix-service-type + config => (guix-configuration + (inherit config) + (privileged? #f))))))) + #:imported-modules '((gnu services herd) + (guix combinators))))) + (run-guix-daemon-test os "guix-daemon-unprivileged-test"))))) From patchwork Wed Mar 26 16:51:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Ludovic_Court=C3=A8s?= X-Patchwork-Id: 40857 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 114CB27BBEA; Wed, 26 Mar 2025 16:52:29 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 
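Review bot: In the doc/guix.texi hunk, "when false, @command{guix-daemon} run as the @code{guix-daemon} user" should read "runs as". While here, the @code{build-group} and @code{build-accounts} entries that follow could state that they are only used when @code{privileged?} is true: the gnu/services/base.scm hunks drop @option{--build-users-group} and no longer create the build group and accounts in the unprivileged case, so a reader setting those fields alongside @code{privileged?} @code{#f} would otherwise expect them to take effect.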
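Review bot: In the run-with-writable-store hunk, ensure-writable-store calls (unshare CLONE_NEWNS) and then remounts the store read-write, but it never changes mount propagation; if the store (or the root mount it lives on) is a shared mount, the MS_BIND|MS_REMOUNT performed in the new namespace propagates back to the original namespace and the read-only protection set up by %IMMUTABLE-STORE is lifted system-wide rather than for this process only. Consider making the tree private before remounting (a recursive MS_PRIVATE mount on "/", as the util-linux unshare tool does by default), or add a comment stating why propagation is known to be private on Guix System. Minor: (match (command-line) ((_ user group command args ...) ...)) has no fallback clause, so a wrong argument count fails with a match error instead of a usage message.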
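Review bot: In the guix-ownership-change-program hunk, the file-system-fold error handler only prints "i/o error: ..." and returns #f, and claim-data-ownership discards the fold's result, so the program exits with status 0 even when chown calls failed; the guix-ownership service then takes (zero? (system* ...)) as success and guix-daemon starts on a partially re-owned store. Suggest recording failures in the error handler (a flag or counter) and ending claim-data-ownership with (exit 1) when any occurred, so the service's status reflects the real outcome. Also, the program-file is named "validate-guix-ownership" although it changes ownership rather than validating it; a name matching the procedure would avoid confusion in logs.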
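Review bot: In the guix-ownership shepherd-service hunk, the decision to re-own is based solely on (lstat store), i.e. the owner of the /gnu/store directory itself, yet change-ownership chowns that directory in its "up" handler after its contents and before /var/guix, /etc/guix and /var/log/guix are processed; if the change is cut short (the manual says it cannot be interrupted, but a crash or power loss can still stop it), the next boot sees the store root already owned by guix-daemon and skips the remaining directories. Consider also inspecting the last directory changed (/var/log/guix), or chowning the store root as the final step. The two cond branches are also asymmetric: switching to unprivileged triggers when either uid or gid is 0, whereas switching back to privileged requires both to be non-zero, so a store left with uid guix-daemon and gid 0 would never be switched back.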
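Review bot: In the guix-accounts hunk, the new guix-daemon account gets (supplementary-groups '("kvm")) without a comment explaining why; please document the reason (presumably access to /dev/kvm for builds that need it), since it is the one extra privilege this otherwise locked-down account (nologin shell, /var/empty home, system? #t) keeps. In the same branch the build-group and build-accounts fields of guix-configuration are silently ignored; a sentence in the docstring would make that explicit.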
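Review bot: In the gnu/tests/base.scm hunks, %test-guix-daemon-unprivileged only flips privileged? to #f and reuses the existing guix-daemon-test-cases; nothing in the visible hunk asserts that guix-daemon actually runs as the guix-daemon user or that /gnu/store and /var/guix end up owned by it after the guix-ownership service ran. A check of the daemon's effective uid and of (stat:uid (stat "/gnu/store")) via the marionette would make the test fail if the ownership change or the wrapper silently misbehaved.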
Subject: [bug#77288] [PATCH 6/6] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
Resent-From: Ludovic Courtès To: 77288@debbugs.gnu.org Cc: Ludovic Courtès, Florian Pelz, Julien Lepiller
From: Ludovic =?utf-8?q?Court=C3=A8s?= Date: Wed, 26 Mar 2025 17:51:07 +0100 Message-ID: <2f0e31d6674693e0b785724283cd494dd11fa0f9.1743007256.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches DRAFT: Temporary commit. * etc/news.scm: Add it. Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94 --- etc/news.scm | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/etc/news.scm b/etc/news.scm index 4b3da44540..840f5cea53 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -37,6 +37,30 @@ (channel-news (version 0) + (entry (commit "XXX") + (title + (en "Guix System can run @command{guix-daemon} without root +privileges")) + (body + (en "On Guix System, @code{guix-service-type} can now be configured +to run the build daemon, @command{guix-daemon}, without root privileges. In +that configuration, the daemon runs with the authority of the +@code{guix-daemon} user, which we think can reduce the impact of some classes +of vulnerabilities that could affect it. + +For now, this is opt-in: you have to change @code{guix-configuration} to set +the @code{privileged?} field to @code{#f}. When you do this, all the files in +@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to +the @code{guix-daemon} user (instead of @code{root}); this can take a while, +especially if the store is big. To learn more about it, run: + +@example +info guix --index-search=guix-service-type +@end example + +Eventually running @command{guix-daemon} without root privileges may become +the default."))) + (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286") (title (en "Incompatible upgrade of the Syncthing service"))
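Review bot: In the etc/news.scm hunk, (entry (commit "XXX")) is a placeholder that must be replaced by the hash of the commit introducing privileged? before this lands (the commit message already flags the patch as DRAFT). The body could also carry the warning from the doc/guix.texi hunk earlier in this series: the ownership change cannot be interrupted and guix-daemon is unavailable until it completes, which users reading only the news entry would otherwise discover mid-reconfigure. Minor: "Eventually running" reads better as "Eventually, running".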