From: Bengt Richter
To: Tobias Geerinckx-Rice
Cc: guix-devel@gnu.org
Subject: Re: Propose to distribute a user-only install script, not admin required
Date: Sun, 17 May 2020 04:05:35 +0200
Message-ID: <20200517020535.GA3652@LionPure>
In-Reply-To: <87imgvop9g.fsf@nckx>
References: <87imgvop9g.fsf@nckx>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi Josh, Tobias, et al,

On +2020-05-16 17:47:39 +0200, Tobias Geerinckx-Rice wrote:
> Josh,
>
> Josh Marshall wrote:
> > One thing which I think could significantly aid adoption would be to
> > either add an option or add a new installer script with guix
> > configured to install and run purely out of the user's home directory
> > without any special permissions.
>
> An old but classic place to start is [0] which explains some of the problems
> & trade-offs, and illustrates an approach that may or may not still work
> today.
>
> My subjective impression was that this used to be more of a big deal (i.e. a
> few years ago) than it is now. I don't know if it's less of a problem these
> days, or people gave up on asking, or perhaps I'm not in the right channels
> to hear the clamouring.
>
> Part of me thanks you for bringing this up again. I'm interested to see
> where it goes.
>
> Another part of me fears that ‘rootless Guix’ is just the perfect excuse for
> misguided admins to give their users a pale and flavourless Guix experience.
> It would rather taint the brand.
>
> Kind regards,
>
> T G-R
>
> [0]: https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

(I hadn't seen [0] above, but now I have :) So I will be wondering if proot is
a good path to get where I want to go. I hope this thread will provide further
input).
I am happy to see this suggestion, as I have been experimenting with
re-writing guix-install.sh to do something very related: (I am assuming a user
who _can_ do useradd and groupadd, or get it done, but wants to run guix
totally without needing root privileges beyond that).

It boils down to creating a new user-mode user called guixurootd to serve as
"guix-root" daemon and manage running the builders with inter-user permission
isolation but not involving root. I'm hoping some combination of group
membership and permissions will enable safe multithread isolation without
involving actual root privileges for guixurootd.

My motivation was really not liking to run guix-install.sh as root. Big complex
chains of actions that involve unnecessary global root privileges scare me,
even if I can inspect the script. So my first thought was to split it into
two: the part that can run fine without sudo to root (which is most of it) and
the part that requires sudo to root, which is creating the daemon and builders,
and writing to / and ~root, and something I forgot probably :).

The latter requirement goes away when writing to / becomes writing to
/home/guixurootd/ and /home/guixurootd/root

I really would like the entire guix usage of "/" to become usage of
"/home/guixurootd/" including /var /etc /root/.dotfiles /tmp and _everything_,
so that the impact on a "foreign distro" is totally contained in the
guixurootd $HOME file space plus the existence of the $HOME-less builders.

I am in a design-churn phase for the moment, trying to factor everything into
place ;-)

Ideally installation could become something like

--8<---------------cut here---------------start------------->8---
1. sudo sys_create_build_user   # as defined in guix-install.sh
2. sudo useradd -U -G guixbuild \
        -m -k $tmp_skeldir -s "$(which nologin)" \
        -c "Guix user-root daemon" --system \
        "guixurootd";
3. download and verify guixurootd-install.sh
4. sudo -u guixurootd guixurootd-install.sh
--8<---------------cut here---------------end--------------->8---

but wondering whether to live with /etc/skeldir (think not entirely) or what
to put in $tmp_skeldir...

Maybe even more ideally, the guixurootd daemon could populate itself by cloning
the guix repo and automatically proceed according to
https://guix.gnu.org/manual/en/html_node/Building-from-Git.html

I.e. sudo -u guixurootd 'cd;bin/init' automatically would do
git clone https://git.savannah.gnu.org/git/guix.git

(BTW, should a specific commit be specified by install docs, to avoid becoming
invalid due to later commit breakage??)

(BTW2 any-whatever-install.sh should be version controlled and signed too,
IMO :)

I'm thinking skeldir/bin/init would be a minimal kick-start script to run
build stuff from the repo. Or maybe skeldir/.profile could do it without a
skeldir/bin ... wip ;-)

So anyway git would store the repo at /home/guixurootd/guix/ and then the init
script would somehow execute a "build-from-git" sequence automatically, at the
end of which all other users on the machine have to do is set up their
~/.guix-profile and ~/.bash_profile to tie in, maybe starting with the (now
deprecated?) advice to use /usr/local/bin like

    # mkdir -p /usr/local/bin
    # cd /usr/local/bin
    # ln -s /home/guixurootd/var/guix/profiles/per-user/root/current-guix/bin/guix

if /var really were moved there ... wip ;)

Anticipating potholes and brick walls ...

One thing I'd like to do is make this new guixurootd-install.sh stateful --
I'm thinking by logging passed and failed milestones to a source-able file
like a bash_history with dates in comments so that re-tries don't waste my
time (or internet budget). Lines like

    autoconf=1 # 2020-05-17 01:56:55 +0200

with the file initialized from a template with all steps =0 and including the
template version and where to find it, with self-referential hash :)

Still wip ;-)

I'm wondering whether to make guixurootd support login or not. Or just rely
on sudo -u (Maybe some special setuid helper will have to be created for
privilege lowering? I haven't got that far yet.

Maybe it could be done without any changing of privileges at all, with the
guixurootd daemon and builderXX processes cooperating by message passing using
that new extent-swapping kernel api that atomically (IIUC) swaps
page-sequences between files of cooperating users. That should be fast, since
it's just like mmap table manipulation IIUC.

So there's my 2 cents worth of bike shed paint :) Well, a little more, I hope.

I'll be poking at it, but now will hope for ideas and prior art revelations
here ;-)

BTW, might encapsulating all of guix in the guixurootd $HOME file space
serendipitously work with that systemd home encapsulator/migration-facilitator
that I don't even know the right name of, possibly?

-- 
Regards,
Bengt Richter
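The stateful milestone file sketched in the message above (steps recorded as `name=1 # date` lines in a source-able file that is initialised from a template with every step at 0, so that a re-run skips what already passed) is shown here as an added POSIX shell example. It is not code from the message, from guix-install.sh or from Guix; the state-file path, the `TEMPLATE_VERSION` tag and the step names are constructed for illustration. Because the state file is sourced as shell, it is created with a 077 umask so only the installing user can write to it.

```shell
#!/bin/sh
# Added example, not from the message or from Guix: a source-able milestone
# file for an install script, so re-runs skip steps that already passed.
# STATE_FILE, TEMPLATE_VERSION and the step names are constructed values.

STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/guixurootd-install.state}"
TEMPLATE_VERSION="0.1-example"   # assumed tag of the template this file came from

# Steps in order; a real script would have git clone, autoconf, configure, ...
STEPS="fetch_repo autoconf configure build"

# Create the state file from the template: a version comment plus every
# step set to 0.  Created under umask 077 because the file is later sourced.
init_state() {
    [ -f "$STATE_FILE" ] && return 0
    (
        umask 077
        {
            printf '# guixurootd-install state, template %s\n' "$TEMPLATE_VERSION"
            for s in $STEPS; do printf '%s=0\n' "$s"; done
        } > "$STATE_FILE"
    )
}

# Has this step already been recorded as passed?  The file is sourced in a
# subshell so its assignments cannot clobber the caller's variables.
step_done() {
    ( . "$STATE_FILE"; eval "[ \"\${$1:-0}\" = 1 ]" )
}

# Record a step as passed, with the completion time as a trailing comment,
# by rewriting only that step's own line.
mark_done() {
    stamp=$(date '+%Y-%m-%d %H:%M:%S %z')
    tmp="$STATE_FILE.tmp"
    sed "s/^$1=.*/$1=1 # $stamp/" "$STATE_FILE" > "$tmp" && mv "$tmp" "$STATE_FILE"
}

# Run a step's command unless it already passed; return the command's status.
run_step() {
    name=$1; shift
    if step_done "$name"; then
        echo "skip: $name (already done)"
        return 0
    fi
    if "$@"; then
        mark_done "$name"
        echo "pass: $name"
    else
        echo "FAIL: $name"
        return 1
    fi
}

# Demo with constructed step commands: "configure" fails on the first run,
# so the second run skips the passed steps and retries only from there.
demo() {
    rm -f "$STATE_FILE"
    init_state
    run_step fetch_repo true
    run_step autoconf true
    run_step configure false || echo "first run stopped at configure"
    run_step fetch_repo true      # skipped
    run_step configure true       # retried and now recorded
    run_step build true
    cat "$STATE_FILE"
}

demo
```

Each real step would replace `true`/`false` with its actual command (for example the `git clone` of the Guix repository), and the step names must be valid shell identifiers since they become variables when the file is sourced.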