From: Bengt Richter <bokr@bokr.com>
To: Josselin Poiret <dev@jpoiret.xyz>
Cc: Zhu Zihao <all_but_last@163.com>, guix-devel@gnu.org
Subject: Re: Building, packaging and updating Guix with confidence
Date: Tue, 26 Jul 2022 03:09:58 +0200 [thread overview]
Message-ID: <20220726010958.GA7490@LionPure> (raw)
In-Reply-To: <871quezbsi.fsf@jpoiret.xyz>
Hi Josselin,
tl;dr:
I naively don't buy the rationale against a non-root guix daemon :)
Skip to [2] if tl ;)
On +2022-07-21 18:10:53 +0200, Josselin Poiret wrote:
> Hello,
>
> bokr@bokr.com writes:
> > Naively:
> >
> > Why does "the" guix daemon per se need root access at all?
>
> The main thing is that all files in the store end up being written by
> the guix daemon user.
IIUC, that would be guixrootd per se, not the homeless guixbuilder{0-10}
users created by the default install, right? (IIUC the latter are
meant to allow guixrootd to shed its root write privilege by spawning
a user mode continuation, so to speak?)
> ... So if we want the files to be easily
> substitutable, they'd need to have a fixed uid/gid,
Why? "Easily" in what way? untarring tarballs?
Even if tar sets bogus external file system metadata,
UIAM the only privilege you need is ownership, and neither
guix nor the installer need to run as root themselves
to get ownership. That can be done by a tiny helper
whose source you can see on one page, and whose execution
you can limit to a user such as the single-writer guixstored,
which UIAM can then chmod and chown at will to share or not.
I don't believe in blanket permissions to accomplish
a tiny important priviliged action. I want to see it
factored out for auditability and comprehensibility.
(Here I did s/guixrootd/guixstored/ as a name for a non-root
user which has exclusive control over gnu/store because
it creates /home/guixstored/gnu/store thus in its home directory
and no other user has write access to it except by talking to guixstored via
message or sharing read-only files if mounted and reachable and permitted
by guixstored setting perissions on files it owns.
> ... and the only one we
> can guarantee is root.
But why would you have to? ISTM not necessary.
> ... Other than that, it needs to use a bunch of
> Linux namespaces to isolate the builds from the rest of the system,
You mean like -G from
--8<---------------cut here---------------start------------->8---
useradd -g guixbuild -G guixbuild${KVMGROUP} \
-d /var/empty -s "$(which nologin)" \
-c "Guix build user $i" --system \
"guixbuilder${i}";
_msg "${PAS}user added <guixbuilder${i}>"
fi
--8<---------------cut here---------------end--------------->8---
YOW! running as root AND being able to do KVM stuff?
My naive paranoia button has been pushed, and I don't want to
do the searching for info to calm myself ;/
BTW, above snip was from guix clone repo pull as of
┌──────────────────────────────────────────────────────────┐
│ # $ git log --pretty=medium --grep 'install\.sh'|head -3 │
├──────────────────────────────────────────────────────────┤
│ commit 3348e485b7229e062e563945ed7e6ac216f25125 │
│ Author: Philip McGrath <philip@philipmcgrath.com> │
│ Date: Sun Jul 3 22:35:03 2022 -0400 │
└──────────────────────────────────────────────────────────┘
> which depending on the kernel build-time configuration might not be
> possible when unprivileged.
>
IWT think that goes away if you run a single-writer daemon
on the local OS, and let the kernel use its namespaces to
keep the users from trampling on each other (any more than
they already maybe can with the current setup).
If the OS can't separate users, ISTM everbody is kind-of root in effect,
but then maybe we can run a single user thread as if root, if you have
an environment where that's useful -- maybe cloud virtual pcs?
Communicating would be an adapter problem, but virtual pcs
can boot fully fledged linux these days, I think, and it seems
doubtful that you would run a big guix build ON a raspberry pi
even though TARGETING an rpi makes lots of sense.
Whew, I've got to stop re-editing this :/
[2]:
So, do you see any real obstacles to making guixrootd an ordinary user
(in the sense of /home/ordinary_user/ ) and calling it
guixstored instead, with an ordinary /home/guixstored/ home directory
(where it has natural protection as guixstored:guixstored on useradd
creation, with added group guixbuilder for helper r/o sharing, which
as owner it can control)?
However many guixbuilder0{1..9}:guixbuilder0{1..9} helper users are created,
(plus guixbuilder10:guixbuilder10 in the default naming :)
they would also belong to the guixbuilder extra group
(no suffixed number) but they only would have read access to parts of
/home/guixstored/gnu/store/... unless guixstored as
owner sets other permissions for the guixbuilder group.
I'm not seeing why there needs to be any guix daemon running as root :)
But this means you can't just uncompress files, metadata and all,
for substitution purposes, which I guess you were alluding to with
"...can't easily...", right?
But IWT that guixstored could use a tiny helper to get ownership, as above.
Becoming owner by using a factored-out-tiny-helper to chown untarred stuff
should be safer than running bigstuff as root IWT).
It can then create and exclusively control /home/guixstored/gnu/store/...
and allow guixbuilder{1..10} user-helpers to have group read access to
/home/guixstored/gnu/store/... I am imagining smallish /home directories
/home/guixbuilder{1..10}/... for those helpers to maintain their own
states in whatever they are helping with, and outputting their final results
to guixstored by the most efficient means available to the process.
If they're on the same SOC or on the other side of the globe will make
a difference, but IMO that's an adaper concern which should not
affect the design of the essential guile/guix package management
sources or their hashes.
Well, IMHO any adaptations to particular file systems or transfer
protocols should be considered as just that: adapters, orthogonal
to the essential data transforming that guix/guile does, where
all data is just various interpretations of #vu8 compositions.
Otherwise, if adaptor cruft is incorporated into the essential
guix package manager, IMHO it will grow into a rube-goldberg
kludge-ball. Let it manage libraries of adapter implementations,
but keep them scrupulously outside, along with the definitions of their
dependencies on the metadata describing what they are adapting to.
I think basically everything guix/guile reads and writes as it
does its package management should have an official documented
#vu8 representation. Including snarfed and transformed foreign
metadata.
> Best,
> --
> Josselin Poiret
For reference, this is a remnant from an old install, but I assume this
is still what the intaller creates (right?).
┌─────────────────────────────────────────────────────────────────────────┐
│ # $ grep guix /etc/passwd │
├─────────────────────────────────────────────────────────────────────────┤
│ guixbuilder01:x:998:998:Guix build user 01:/var/empty:/usr/sbin/nologin │
│ guixbuilder02:x:997:998:Guix build user 02:/var/empty:/usr/sbin/nologin │
│ guixbuilder03:x:996:998:Guix build user 03:/var/empty:/usr/sbin/nologin │
│ guixbuilder04:x:995:998:Guix build user 04:/var/empty:/usr/sbin/nologin │
│ guixbuilder05:x:994:998:Guix build user 05:/var/empty:/usr/sbin/nologin │
│ guixbuilder06:x:993:998:Guix build user 06:/var/empty:/usr/sbin/nologin │
│ guixbuilder07:x:992:998:Guix build user 07:/var/empty:/usr/sbin/nologin │
│ guixbuilder08:x:991:998:Guix build user 08:/var/empty:/usr/sbin/nologin │
│ guixbuilder09:x:990:998:Guix build user 09:/var/empty:/usr/sbin/nologin │
│ guixbuilder10:x:989:998:Guix build user 10:/var/empty:/usr/sbin/nologin │
│ guixrootd:988:998:Guix root daemon:/home/guixrootd: │
└─────────────────────────────────────────────────────────────────────────┘
So WDYT? :)
--
Regards,
engt Richter
next prev parent reply other threads:[~2022-07-26 1:11 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-06 20:01 Building, packaging and updating Guix with confidence Josselin Poiret
2022-07-07 12:06 ` Zhu Zihao
2022-07-07 14:34 ` Josselin Poiret
2022-07-17 16:52 ` bokr
2022-07-21 16:10 ` Josselin Poiret
2022-07-21 16:18 ` Maxime Devos
2022-07-26 1:09 ` Bengt Richter [this message]
2022-08-18 13:19 ` zimoun
2022-07-18 11:03 ` Ludovic Courtès
2022-08-18 12:52 ` zimoun
2022-08-19 10:21 ` Josselin Poiret
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220726010958.GA7490@LionPure \
--to=bokr@bokr.com \
--cc=all_but_last@163.com \
--cc=dev@jpoiret.xyz \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).