On 2021-10-02, Ludovic Courtès wrote:
> Maxime Devos wrote:
>> Ludovic Courtès wrote on Tue 28-09-2021 at 14:21 [+0200]:
>>> Joshua Branson wrote:
>>>
>>> > Apologies if I'm speaking for something I know very little
>>> > about...Wouldn't it be nice if guix home services would accept a user
>>> > and a group field? For the syncthing service, perhaps the user wants to
>>> > limit Syncthing's runtime permissions. So instead of running as the
>>> > user, the user would run Syncthing as a different user with less permissions?
>>>
>>> That’s not possible unless the calling user is root, since you’d need
>>> the ability to switch users somehow.
>>
>> On Debian, a user has a list of ‘subordinate user IDs’ which can be switched
>> to without root: .
>>
>> Maybe "guix home" could use that mechanism, and this mechanism could be implemented
>> on Guix System as well?
>
> Yes but that requires unprivileged user namespaces, which may or may not
> be supported—e.g., likely unsupported when using Home on a foreign
> distro.

Debian finally enabled it by default in the current stable release,
bullseye, which was released just a few months ago (and it was possible
to enable with a boot flag in earlier releases).

Not sure which distros still disable unprivileged user namespaces...

I am definitely curious to test guix home on a foreign distro at some
point! :)

live well,
  vagrant
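
One way to check, on a foreign distro, the two preconditions discussed in this thread (unprivileged user namespaces enabled, and subordinate UIDs allocated to the user). This is an added example, not code from the thread or from Guix; the function names and the SYSCTL_ROOT and SUBUID_FILE overrides are assumptions made so the checks can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example: can this user switch to subordinate UIDs without root?
# SYSCTL_ROOT and SUBUID_FILE are hypothetical overrides for testing.
: "${SYSCTL_ROOT:=/proc/sys}"
: "${SUBUID_FILE:=/etc/subuid}"

# Prints "enabled", "disabled" or "unsupported".
userns_status() {
    max_file="$SYSCTL_ROOT/user/max_user_namespaces"
    clone_file="$SYSCTL_ROOT/kernel/unprivileged_userns_clone"
    # Assumes Linux 4.9 or later, where user.max_user_namespaces exists
    # whenever the kernel is built with CONFIG_USER_NS.
    [ -r "$max_file" ] || { echo unsupported; return; }
    # A limit of 0 means no user namespace can be created at all.
    [ "$(cat "$max_file")" -gt 0 ] 2>/dev/null || { echo disabled; return; }
    # Debian/Ubuntu-specific sysctl; absent on kernels without that patch.
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = 0 ]; then
        echo disabled
        return
    fi
    echo enabled
}

# Prints the total number of subordinate UIDs allocated to login name $1.
# /etc/subuid lines have the form name:first_uid:count; a user may have
# several ranges. Entries keyed by numeric UID are not matched here.
subuid_count() {
    [ -r "$SUBUID_FILE" ] || { echo 0; return; }
    awk -F: -v u="$1" '$1 == u { n += $3 } END { print n + 0 }' "$SUBUID_FILE"
}

# Succeeds only when both preconditions hold for login name $1.
can_use_subuids() {
    [ "$(userns_status)" = enabled ] && [ "$(subuid_count "$1")" -gt 0 ]
}

report() {
    printf 'user namespaces: %s; subordinate UIDs for %s: %s\n' \
        "$(userns_status)" "$1" "$(subuid_count "$1")"
}

report "${USER:-$(id -un)}"
```

Other restrictions, such as a seccomp or LSM policy that blocks namespace creation, are not covered by these two checks.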