permission denied: /gnu/store/...guile...

permission denied: /gnu/store/...guile...

[rekado]

Hi Guix,

my apologies for this badly formatted email.  I'm using a webmail interface because I have not been able to set up my email through Emacs on GuixSD as I cannot build custom packages.

Here's what happens when I try to build a custom package from a git checkout of the guix repository:

~~~~~~
rekado@banana guix $ ./pre-inst-env guix build ibus-pinyin
The following derivations will be built:
   /gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv
   /gnu/store/9pcjzs7g87vg2pc6ag877kxlmzg1v241-pyzy-0.1.0.tar.gz.drv
   /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv
   /gnu/store/k2qwb22f1jzb9wr1cvkqv9bhdhmpyaqy-pyzy-0.1.0.drv
The following file will be downloaded:
   /gnu/store/7vrb932gf6lzsh5q0sskzgmjm2bwr91x-libtool-2.4.6
@ build-started /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv - x86_64-linux /var/log/guix/drvs/ni//0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv.bz2
build error: executing `/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile': Permission denied
builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
@ build-failed /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv - 1 builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
cannot build derivation `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv': 1 dependencies couldn't be built
killing process 2391
guix build: error: build failed: build of `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv' failed
rekado@banana guix $ 
~~~~~~ 

I have confirmed that this particular guile binary can be executed, so I don't know what permission problem it encounters.  I attached strace to the guix-daemon and it produced a long log which I have uploaded here: http://elephly.net/downies/guile-permission-denied.txt

The failing derivation is this:

~~~~~~
Derive([("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz","sha256","a85d458dcc51ea9fd65849e63002428b3fcb3b39adcbea9214b5cb4a4cbdbc96")],[("/gnu/store/479gki04zgbysxipcb1wdl56mh1bldbx-guile-2.0.11.drv",["out"]),("/gnu/store/p20cih7k80cpqka6f06100j1ycgf3fl1-module-import.drv",["out"]),("/gnu/store/s8bacxxryg87p2ag6gl46qz6jvpdm5qs-gnutls-3.4.0.drv",["out"]),("/gnu/store/w9g2dqsfgr6n8pslwmm2lgbka96qwig4-module-import-compiled.drv",["out"])],["/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],"x86_64-linux","/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile",["--no-auto-compile","-L","/gnu/store/6fnbs4j7dsn6rc598d72caay00yggvh7-module-import","-C","/gnu/store/ww9kwrbs4h468vll6a3swg6dc3hr9f8i-module-import-compiled","/gnu/
 store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],[("impureEnvVars","http_proxy https_proxy"),("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz")])
~~~~~~

I have installed GuixSD from the 0.8.2 USB image onto a new, empty partition.  I'm reusing only my home directory, which is located on a luks LVM.  I have pulled the latest version of Guix and reconfigured the system a few hours ago. 

Permissions on various store directories:

drwxrwxr-t 751 root guixbuild 479232 May 20 08:26 /gnu/store/
dr-xr-xr-x 6 root root 4096 Jan  1  1970 /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/
-r-xr-xr-x 1 root root 10912 Jan  1  1970 /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile

I would appreciate any help, as I cannot hack on Guix as long as this problem persists.

~~ Ricardo

Re: permission denied: /gnu/store/...guile...

[Andreas Enge]

Hello Recado,

this may not at all be helpful, but whenever I encounter a mysterious problem
such as this, I usually do a "make distclean; ./configure; make install".
Or better yet, have it precede by "./bootstrap" and
"rm -rf INSTALL_DIRECTORY/share/guile". Sometimes that solves the issue,
but it probably only makes sense if you have installed guix on top of another
distro.

Andreas

Re: permission denied: /gnu/store/...guile...

[Daniel Pimentel]

On 2015-05-20 04:06, rekado wrote:
> Hi Guix,
> 
> my apologies for this badly formatted email.  I'm using a webmail
> interface because I have not been able to set up my email through
> Emacs on GuixSD as I cannot build custom packages.
> 
> Here's what happens when I try to build a custom package from a git
> checkout of the guix repository:
> 
> ~~~~~~
> rekado@banana guix $ ./pre-inst-env guix build ibus-pinyin
> The following derivations will be built:
>    /gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv
>    /gnu/store/9pcjzs7g87vg2pc6ag877kxlmzg1v241-pyzy-0.1.0.tar.gz.drv
>    
> /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv
>    /gnu/store/k2qwb22f1jzb9wr1cvkqv9bhdhmpyaqy-pyzy-0.1.0.drv
> The following file will be downloaded:
>    /gnu/store/7vrb932gf6lzsh5q0sskzgmjm2bwr91x-libtool-2.4.6
> @ build-started
> /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv
> - x86_64-linux
> /var/log/guix/drvs/ni//0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv.bz2
> build error: executing
> `/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile':
> Permission denied
> builder for
> `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv'
> failed with exit code 1
> @ build-failed
> /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv
> - 1 builder for
> `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv'
> failed with exit code 1
> cannot build derivation
> `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv': 1
> dependencies couldn't be built
> killing process 2391
> guix build: error: build failed: build of
> `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv'
> failed
> rekado@banana guix $
> ~~~~~~
> 
> I have confirmed that this particular guile binary can be executed, so
> I don't know what permission problem it encounters.  I attached strace
> to the guix-daemon and it produced a long log which I have uploaded
> here: http://elephly.net/downies/guile-permission-denied.txt
> 
> The failing derivation is this:
> 
> ~~~~~~
> Derive([("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz","sha256","a85d458dcc51ea9fd65849e63002428b3fcb3b39adcbea9214b5cb4a4cbdbc96")],[("/gnu/store/479gki04zgbysxipcb1wdl56mh1bldbx-guile-2.0.11.drv",["out"]),("/gnu/store/p20cih7k80cpqka6f06100j1ycgf3fl1-module-import.drv",["out"]),("/gnu/store/s8bacxxryg87p2ag6gl46qz6jvpdm5qs-gnutls-3.4.0.drv",["out"]),("/gnu/store/w9g2dqsfgr6n8pslwmm2lgbka96qwig4-module-import-compiled.drv",["out"])],["/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],"x86_64-linux","/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile",["--no-auto-compile","-L","/gnu/store/6fnbs4j7dsn6rc598d72caay00yggvh7-module-import","-C","/gnu/store/ww9kwrbs4h468vll6a3swg6dc3hr9f8i-module-import-compiled","/gn
 u/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],[("impureEnvVars","http_proxy
> https_proxy"),("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz")])
> ~~~~~~
> 
> I have installed GuixSD from the 0.8.2 USB image onto a new, empty
> partition.  I'm reusing only my home directory, which is located on a
> luks LVM.  I have pulled the latest version of Guix and reconfigured
> the system a few hours ago.
> 
> Permissions on various store directories:
> 
> drwxrwxr-t 751 root guixbuild 479232 May 20 08:26 /gnu/store/
> dr-xr-xr-x 6 root root 4096 Jan  1  1970
> /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/
> -r-xr-xr-x 1 root root 10912 Jan  1  1970
> /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile
> 
> I would appreciate any help, as I cannot hack on Guix as long as this
> problem persists.
> 
> ~~ Ricardo
I have similar problem, I think. My problem was permission to write 
(using sudo) in /gnu/store/ when I needed to enable my correct synaptics 
(I copied 50-synaptics.conf file to /gnu/store/.../xorg.conf.d/), so I 
needed remount /gnu/store/ (sudo mount -o remount,rw /gnu/store) to copy 
this file.
-- 
Daniel Pimentel (d4n1)
#GnuPG: 0B1A1914
#FSF: 13054

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

Daniel Pimentel <d4n1@openmailbox.org> skribis:

> I have similar problem, I think. My problem was permission to write
> (using sudo) in /gnu/store/ when I needed to enable my correct
> synaptics (I copied 50-synaptics.conf file to
> /gnu/store/.../xorg.conf.d/), so I needed remount /gnu/store/ (sudo
> mount -o remount,rw /gnu/store) to copy this file.

Files in /gnu/store must never be modified, because the whole system
assumes it is indeed immutable.  For this reason, /gnu/store is a
read-only bind-mount on GuixSD.

The solution for Synaptics would be to augment the Xorg service
definition in (gnu services xorg) so that it does the right thing.
What exactly is needed?

Ludo’.

Re: permission denied: /gnu/store/...guile...

[Daniel Pimentel]

On 2015-05-20 09:24, ludo@gnu.org wrote:
> Daniel Pimentel <d4n1@openmailbox.org> skribis:
> 
>> I have similar problem, I think. My problem was permission to write
>> (using sudo) in /gnu/store/ when I needed to enable my correct
>> synaptics (I copied 50-synaptics.conf file to
>> /gnu/store/.../xorg.conf.d/), so I needed remount /gnu/store/ (sudo
>> mount -o remount,rw /gnu/store) to copy this file.
> 
> Files in /gnu/store must never be modified, because the whole system
> assumes it is indeed immutable.  For this reason, /gnu/store is a
> read-only bind-mount on GuixSD.
> 
> The solution for Synaptics would be to augment the Xorg service
> definition in (gnu services xorg) so that it does the right thing.
> What exactly is needed?
> 
> Ludo’.

Allright, so I needed to add this code to my touchpad work well:

Section "InputClass"
   Identifier "touchpad catchall"
   Driver "synaptics"
   MatchIsTouchpad "on"
   Option "TapButton1" "1"
   Option "TapButton2" "-1"
   Option "TapButton3" "3"
   Option "VertEdgeScroll" "on"
   Option "HorizTwoFingerScroll" "on"
EndSection

What's solution? Add it to config.scm (is very long code to it?)?

Thanks,

-- 
Daniel Pimentel (d4n1)
GnuPG (0B1A1914)
FSF (13054)

Re: permission denied: /gnu/store/...guile...

[Alex Kost]

Daniel Pimentel (2015-05-20 16:12 +0300) wrote:

> On 2015-05-20 09:24, ludo@gnu.org wrote:
>> Daniel Pimentel <d4n1@openmailbox.org> skribis:
>>
>>> I have similar problem, I think. My problem was permission to write
>>> (using sudo) in /gnu/store/ when I needed to enable my correct
>>> synaptics (I copied 50-synaptics.conf file to
>>> /gnu/store/.../xorg.conf.d/), so I needed remount /gnu/store/ (sudo
>>> mount -o remount,rw /gnu/store) to copy this file.
>>
>> Files in /gnu/store must never be modified, because the whole system
>> assumes it is indeed immutable.  For this reason, /gnu/store is a
>> read-only bind-mount on GuixSD.
>>
>> The solution for Synaptics would be to augment the Xorg service
>> definition in (gnu services xorg) so that it does the right thing.
>> What exactly is needed?
>>
>> Ludo’.
>
> Allright, so I needed to add this code to my touchpad work well:
>
> Section "InputClass"
>   Identifier "touchpad catchall"
>   Driver "synaptics"
>   MatchIsTouchpad "on"
>   Option "TapButton1" "1"
>   Option "TapButton2" "-1"
>   Option "TapButton3" "3"
>   Option "VertEdgeScroll" "on"
>   Option "HorizTwoFingerScroll" "on"
> EndSection
>
> What's solution? Add it to config.scm (is very long code to it?)?

It's probably not a solution for you, but what I do is: I have Xorg
server and required modules (xf86-input-evdev, …) installed in my
user profile; and I start it with "-configdir /path/to/my/xorg.conf.d"
option.

-- 
Alex

Synaptics & libinput driver

[Ludovic Courtès]

Alex Kost <alezost@gmail.com> skribis:

> Daniel Pimentel (2015-05-20 16:12 +0300) wrote:
>
>> On 2015-05-20 09:24, ludo@gnu.org wrote:
>>> Daniel Pimentel <d4n1@openmailbox.org> skribis:

[...]

>> Allright, so I needed to add this code to my touchpad work well:
>>
>> Section "InputClass"
>>   Identifier "touchpad catchall"
>>   Driver "synaptics"
>>   MatchIsTouchpad "on"
>>   Option "TapButton1" "1"
>>   Option "TapButton2" "-1"
>>   Option "TapButton3" "3"
>>   Option "VertEdgeScroll" "on"
>>   Option "HorizTwoFingerScroll" "on"
>> EndSection
>>
>> What's solution? Add it to config.scm (is very long code to it?)?
>
> It's probably not a solution for you, but what I do is: I have Xorg
> server and required modules (xf86-input-evdev, …) installed in my
> user profile; and I start it with "-configdir /path/to/my/xorg.conf.d"
> option.

Commit d1cdd7b adds a more pleasant solution whereby one can specify
text to be added verbatim to the Xorg config file, like:

  (define input-class
    "Section \"InputClass" ...")

  (define (my-slim-service)
    (mlet %store-monad ((config (xorg-configuration-file
                                 #:extra-config (list input-class)))
                        (startx (xorg-start-command
                                 #:configuration-file config)))
      (slim-service #:startx startx)))

  (operating-system
    ;; ...
    (services (cons (my-slim-service) ...)))

But more importantly, it seems to be that these things are supposed to
work out-of-the-box nowadays.

Commit c2ee19e adds the libinput Xorg driver in the server configuration
file, which might help.  It is described as the “future” of input
drivers:

  http://who-t.blogspot.fr/2015/01/xf86-input-libinput-compatibility-with.html

Ludo’.

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

rekado <rekado@elephly.net> skribis:

> build error: executing `/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile': Permission denied
> builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
> @ build-failed /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv - 1 builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
> cannot build derivation `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv': 1 dependencies couldn't be built
> killing process 2391
> guix build: error: build failed: build of `/gnu/store/gbdfw3z89dxw5nh3qw5gq3y2p5i2l1a2-ibus-pinyin-1.5.0.drv' failed
> rekado@banana guix $ 
> ~~~~~~ 
>
> I have confirmed that this particular guile binary can be executed, so I don't know what permission problem it encounters.  I attached strace to the guix-daemon and it produced a long log which I have uploaded here: http://elephly.net/downies/guile-permission-denied.txt

So this happens only with this derivation?

Looking at the strace output, I can’t see anything suspicious;
everything seems to happen as expected, namely this part:

--8<---------------cut here---------------start------------->8---
[pid 16379] statfs("/gnu/store", {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=6417799, f_bfree=4940413, f_bavail=4608638, f_files=1641600, f_ffree=1378343, f_fsid={-557300761, 437310106}, f_namelen=255, f_frsize=4096}) = 0
[pid 16379] unshare(CLONE_NEWNS)        = 0
[pid 16379] mount(NULL, "/gnu/store", NULL, MS_REMOUNT|MS_BIND, NULL) = 0
--8<---------------cut here---------------end--------------->8---

The only thing that could go wrong is if the store somehow ended up
being mounted with MS_NOEXEC, but I don’t see that happening here.

I suppose you’re on Linux-libre 4.0.2, right?

> I have installed GuixSD from the 0.8.2 USB image onto a new, empty partition.  I'm reusing only my home directory, which is located on a luks LVM.  I have pulled the latest version of Guix and reconfigured the system a few hours ago. 

... which means that other derivations build just fine, right?

> Derive([("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz","sha256","a85d458dcc51ea9fd65849e63002428b3fcb3b39adcbea9214b5cb4a4cbdbc96")],[("/gnu/store/479gki04zgbysxipcb1wdl56mh1bldbx-guile-2.0.11.drv",["out"]),("/gnu/store/p20cih7k80cpqka6f06100j1ycgf3fl1-module-import.drv",["out"]),("/gnu/store/s8bacxxryg87p2ag6gl46qz6jvpdm5qs-gnutls-3.4.0.drv",["out"]),("/gnu/store/w9g2dqsfgr6n8pslwmm2lgbka96qwig4-module-import-compiled.drv",["out"])],["/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],"x86_64-linux","/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile",["--no-auto-compile","-L","/gnu/store/6fnbs4j7dsn6rc598d72caay00yggvh7-module-import","-C","/gnu/store/ww9kwrbs4h468vll6a3swg6dc3hr9f8i-module-import-compiled","/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],[("impureEnvVars","http_proxy https_proxy"),("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz")])

However I don’t see this derivation mention in the strace log.  Could
you try to strace again the daemon, but this time just run:

  guix build -S ibus-pinyin

?

Thanks,
Ludo’.

Re: permission denied: /gnu/store/...guile...

[rekado]

---- On Wed, 20 May 2015 20:18:31 +0800 Ludovic Courtès  wrote ---- 
>So this happens only with this derivation? 

No.  It happens whenever I build something without substitutes.  There are no substitutes for packages that are still in development (like my ibus-pinyin draft).

>I suppose you’re on Linux-libre 4.0.2, right? 

I'm on Linux-libre 4.0.4.  "uname -a" says this:

    Linux banana 4.0.4-gnu #1 SMP Mon May 18 21:33:05 UTC 2015 x86_64 GNU/Linux

>> I have installed GuixSD from the 0.8.2 USB image onto a new, empty partition. I'm reusing only my home directory, which is located on a luks LVM. I have pulled the latest version of Guix and reconfigured the system a few hours ago. 
> 
>... which means that other derivations build just fine, right? 

When substitutes are involved everything works fine, as far as I can tell.

>> Derive([("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz","sha256","a85d458dcc51ea9fd65849e63002428b3fcb3b39adcbea9214b5cb4a4cbdbc96")],[("/gnu/store/479gki04zgbysxipcb1wdl56mh1bldbx-guile-2.0.11.drv",["out"]),("/gnu/store/p20cih7k80cpqka6f06100j1ycgf3fl1-module-import.drv",["out"]),("/gnu/store/s8bacxxryg87p2ag6gl46qz6jvpdm5qs-gnutls-3.4.0.drv",["out"]),("/gnu/store/w9g2dqsfgr6n8pslwmm2lgbka96qwig4-module-import-compiled.drv",["out"])],["/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],"x86_64-linux","/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile",["--no-auto-compile","-L","/gnu/store/6fnbs4j7dsn6rc598d72caay00yggvh7-module-import","-C","/gnu/store/ww9kwrbs4h468vll6a3swg6dc3hr9f8i-module-import-compiled","/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],[("impureEnvVars","http_proxy https_proxy"),("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz")]) 
> 
>However I don’t see this derivation mention in the strace log.

Oh, right.  The strace log shows the output for another package I'm working on, "gnome-keyring".  There are only two things it has in common with "ibus-pinyin": there is no binary substitute available and I get the same error about "permission denied" when executing guile.

> Could 
>you try to strace again the daemon, but this time just run: 
> 
> guix build -S ibus-pinyin 

Here's the client output:

~~~~~~~~
rekado@banana guix $ ./pre-inst-env guix build -S ibus-pinyin
substitute: updating list of substitutes from 'http://hydra.gnu.org'... 100.0%
The following derivation will be built:
   /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv
@ build-started /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv - x86_64-linux /var/log/guix/drvs/ni//0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv.bz2
build error: executing `/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile': Permission denied
builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
@ build-failed /gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv - 1 builder for `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed with exit code 1
killing process 2209
guix build: error: build failed: build of `/gnu/store/ni0hz29nyd051fsp2n73icjnwx28fajz-ibus-pinyin-1.5.0.tar.gz.drv' failed
rekado@banana guix $ 
~~~~~~~~

The strace log is here: http://elephly.net/downies/guile-permission-denied2.txt

I think I should also mention that I'm encountering another "permission denied" problem, which may or may not be related.  "sudo" is not working:

~~~~~~~~
rekado@banana guix $ sudo ls
sudo: unable to stat /etc/sudoers: Permission denied
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin
rekado@banana guix $ 
~~~~~~~~

The output of "strace sudo ls" is here: http://elephly.net/downies/sudo.txt

The store is of course not mounted with "nosetuid" flag.

Thank you all for offering assistance!  I appreciate it.
~~ Ricardo

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

rekado <rekado@elephly.net> skribis:

>>> Derive([("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz","sha256","a85d458dcc51ea9fd65849e63002428b3fcb3b39adcbea9214b5cb4a4cbdbc96")],[("/gnu/store/479gki04zgbysxipcb1wdl56mh1bldbx-guile-2.0.11.drv",["out"]),("/gnu/store/p20cih7k80cpqka6f06100j1ycgf3fl1-module-import.drv",["out"]),("/gnu/store/s8bacxxryg87p2ag6gl46qz6jvpdm5qs-gnutls-3.4.0.drv",["out"]),("/gnu/store/w9g2dqsfgr6n8pslwmm2lgbka96qwig4-module-import-compiled.drv",["out"])],["/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],"x86_64-linux","/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile",["--no-auto-compile","-L","/gnu/store/6fnbs4j7dsn6rc598d72caay00yggvh7-module-import","-C","/gnu/store/ww9kwrbs4h468vll6a3swg6dc3hr9f8i-module-import-compiled","/gnu/store/yhds5m08mgp3a3yb2gj9imn7pkap0fc1-ibus-pinyin-1.5.0.tar.gz-builder"],[("impureEnvVars","http_proxy https_proxy"),("out","/gnu/store/vvs2c9zzl9zwrq0zwrayjlih9cpwjbcq-ibus-pinyin-1.5.0.tar.gz")]) 
>> 
>>However I don’t see this derivation mention in the strace log.
>
> Oh, right.  The strace log shows the output for another package I'm working on, "gnome-keyring".  There are only two things it has in common with "ibus-pinyin": there is no binary substitute available and I get the same error about "permission denied" when executing guile.

Could you post the output of
“stat /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile”?

What do the following return at the Guile REPL:

  (getgr 30000)
  (getpw 30001)

?

> The strace log is here: http://elephly.net/downies/guile-permission-denied2.txt

Note that here, since it’s a fixed-output derivation, there’s no chroot,
unshare, etc., so it’s really just UID 30001 running that file.
Something equivalent to:

  # su guixbuilder01
  $ /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile

> ~~~~~~~~
> rekado@banana guix $ sudo ls
> sudo: unable to stat /etc/sudoers: Permission denied
> sudo: no valid sudoers sources found, quitting
> sudo: unable to initialize policy plugin

Same with:

  /run/setuid-programs/sudo ls

?

Does /run/setuid-programs/sudo have the same inode as
$(guix build sudo)/bin/sudo?

  stat -c '%i' /run/setuid-programs/sudo \
    $(guix build sudo)/bin/sudo


The only partitions are / and /home, right?

Thanks,
Ludo’.

Re: permission denied: /gnu/store/...guile...

[Mark H Weaver]

The problem turned out to be that on rekado's system, / was owned by
user "rekado" with mode 700.

    Mark

Re: permission denied: /gnu/store/...guile...

[Mark H Weaver]

Mark H Weaver <mhw@netris.org> writes:

> The problem turned out to be that on rekado's system, / was owned by
> user "rekado" with mode 700.

One possibility is that he created this filesystem from some nice GUI
disk utility from Fedora, before running our USB installer.

Perhaps 'guix system init' should explicitly set the ownership and
permissions on the target root directory?

     Mark

Re: Re: permission denied: /gnu/store/...guile...

[rekado]

---- On Sat, 23 May 2015 04:21:40 +0800 Mark H Weaver  wrote ---- 
>Mark H Weaver <mhw@netris.org> writes: 
> 
>> The problem turned out to be that on rekado's system, / was owned by 
>> user "rekado" with mode 700. 
> 
>One possibility is that he created this filesystem from some nice GUI 
>disk utility from Fedora, before running our USB installer. 

He did not :)

I did use rsync on the freshly formatted disk to move a couple of directories.  This probably resulted in a change of ownership of the root on that partition.
 
>Perhaps 'guix system init' should explicitly set the ownership and 
>permissions on the target root directory? 

That would be much appreciated.

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

[-- Attachment #1: Type: text/plain, Size: 501 bytes --]

Mark H Weaver <mhw@netris.org> skribis:

> The problem turned out to be that on rekado's system, / was owned by
> user "rekado" with mode 700.

Oh, I see.  I would never have thought of this!

> Perhaps 'guix system init' should explicitly set the ownership and
> permissions on the target root directory?

Here’s a tentative patch.

I wonder if the activation code shouldn’t systematically do
(chown "/" 0 0) as well.

Thoughts?

Thank you both for investigating!

Ludo’.


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 804 bytes --]

diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 8d5fbe5..2cf6a43 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -145,6 +145,14 @@ When GRUB? is true, install GRUB on DEVICE, using GRUB.CFG."
             ;; Copy items to the new store.
             (copy-closure to-copy target #:log-port log-port)))))
 
+  ;; Make sure TARGET is root-owned when running as root, but still allow
+  ;; non-root uses (useful for testing.)
+  (if (zero? (getuid))
+      (chown target 0 0)
+      (warning (_ "not running as 'root', so \
+the ownership of '~a' may be incorrect!~%")
+               target))
+
   (let ((os-dir   (derivation->output-path os-drv))
         (format   (lift format %store-monad))
         (populate (lift2 populate-root-file-system %store-monad)))

Re: permission denied: /gnu/store/...guile...

[Mark H Weaver]

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver <mhw@netris.org> skribis:
>
>> The problem turned out to be that on rekado's system, / was owned by
>> user "rekado" with mode 700.
>
> Oh, I see.  I would never have thought of this!
>
>> Perhaps 'guix system init' should explicitly set the ownership and
>> permissions on the target root directory?
>
> Here’s a tentative patch.
[...]
> diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
> index 8d5fbe5..2cf6a43 100644
> --- a/guix/scripts/system.scm
> +++ b/guix/scripts/system.scm
> @@ -145,6 +145,14 @@ When GRUB? is true, install GRUB on DEVICE, using GRUB.CFG."
>              ;; Copy items to the new store.
>              (copy-closure to-copy target #:log-port log-port)))))
>  
> +  ;; Make sure TARGET is root-owned when running as root, but still allow
> +  ;; non-root uses (useful for testing.)
> +  (if (zero? (getuid))
> +      (chown target 0 0)

I would suggest using (geteuid) instead.  Also, we should set the mode.
In this particular case, if we had changed the owner without also
changing the mode, rekado's system still would have been quite broken.

> I wonder if the activation code shouldn’t systematically do
> (chown "/" 0 0) as well.
>
> Thoughts?

I'm not sure.  Trying to fix individual things during activation that
might have been broken is a slippery slope.  We cannot hope to fix
everything that might have been broken using this approach, and on the
other hand we might undo some change that the user made intentionally.

For now, I would probably do this only from 'guix system init', but I
don't feel strongly either way.

    Thanks!
      Mark

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

Mark H Weaver <mhw@netris.org> skribis:

> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver <mhw@netris.org> skribis:

[...]

> I would suggest using (geteuid) instead.  Also, we should set the mode.
> In this particular case, if we had changed the owner without also
> changing the mode, rekado's system still would have been quite broken.

Good points.  I have taken these into accounts and committed as 4a35a86.

>> I wonder if the activation code shouldn’t systematically do
>> (chown "/" 0 0) as well.
>>
>> Thoughts?
>
> I'm not sure.  Trying to fix individual things during activation that
> might have been broken is a slippery slope.  We cannot hope to fix
> everything that might have been broken using this approach, and on the
> other hand we might undo some change that the user made intentionally.

Yeah, makes sense to me.

Thanks!

Ludo’.

Re: permission denied: /gnu/store/...guile...

[rekado]

> Could you post the output of
> “stat /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile”?

~~~~~
root@banana ~# stat /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile
  File: ‘/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile’
  Size: 10912     	Blocks: 24         IO Block: 4096   regular file
Device: 803h/2051d	Inode: 15582       Links: 1
Access: (0555/-r-xr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-05-21 09:06:47.744008648 +0200
Modify: 1970-01-01 01:00:01.000000000 +0100
Change: 2015-05-17 12:08:22.839537391 +0200
 Birth: -
~~~~~

> What do the following return at the Guile REPL:
>
> (getgr 30000)
> (getpw 30001)
>
> ?

~~~~~
root@banana ~# guile
GNU Guile 2.0.11
Copyright (C) 1995-2014 Free Software Foundation, Inc.

Guile comes with ABSOLUTELY NO WARRANTY; for details type `,show w'.
This program is free software, and you are welcome to redistribute it
under certain conditions; type `,show c' for details.

Enter `,help' for help.
scheme@(guile-user)> (getgr 30000)
$1 = #("guixbuild" "x" 30000 ("guixbuilder01" "guixbuilder02" "guixbuilder03" "guixbuilder04" "guixbuilder05" "guixbuilder06" "guixbuilder07" "guixbuilder08" "guixbuilder09" "guixbuilder10"))
scheme@(guile-user)> (getpw 30001)
$2 = #("guixbuilder01" "x" 30001 30000 "Guix Build User  1" "/var/empty" "/gnu/store/6v6wngdavjg0vlkpx8h69pxlzmi8cb8a-shadow-4.1.5.1/sbin/nologin")
scheme@(guile-user)> 
~~~~~

> Note that here, since it’s a fixed-output derivation, there’s no chroot,
> unshare, etc., so it’s really just UID 30001 running that file.
> Something equivalent to:
>
> # su guixbuilder01
> $ /gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile

I cannot switch to user "guixbuilder01" without having to input a password.  It appears that "su" is also not working as it should.

>> ~~~~~~~~
>> rekado@banana guix $ sudo ls
>> sudo: unable to stat /etc/sudoers: Permission denied
>> sudo: no valid sudoers sources found, quitting
>> sudo: unable to initialize policy plugin
>
> Same with:
>
> /run/setuid-programs/sudo ls
>
> ?

Yes, exactly the same message.

> Does /run/setuid-programs/sudo have the same inode as
> $(guix build sudo)/bin/sudo?

> stat -c '%i' /run/setuid-programs/sudo \
> $(guix build sudo)/bin/sudo

The inode is the same:

~~~~~
rekado@banana ~ $ stat -c '%i' /run/setuid-programs/sudo $(guix build sudo)/bin/sudo
1461970
1461970
~~~~~~

> The only partitions are / and /home, right?

I only manually mounted / (/dev/sda3) and /home (a luks logical volume):

~~~~~~
rekado@banana ~ $ mount
none on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
/dev/sda3 on / type ext4 (rw,relatime,data=ordered)
none on /dev type devtmpfs (rw,relatime,size=1966132k,nr_inodes=491533,mode=755)
none on /dev/pts type devpts (rw,relatime,gid=996,mode=620,ptmxmode=000)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,relatime,size=1970696k)
/dev/sda3 on /gnu/store type ext4 (rw,relatime,data=ordered)
/dev/mapper/fedora-home on /home type ext4 (rw,relatime,data=ordered)
rekado@banana ~ $ 
~~~~~

Thank you,
Ricardo

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

Could you try this:

--8<---------------cut here---------------start------------->8---
(chdir "/tmp")
(setgroups #())
(setgid 30000)
(setuid 30001)
(pk 'uid/gid (getuid) (getgid))
(pk 'euid/egid (geteuid) (getegid))
(let loop ((i 3))
  (when (< i 1024)
    (false-if-exception (close-fdes i))
    (loop (+ 1 i))))
(execl "/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile" "guile"
       "-c" "(pk 'running (getuid) (geteuid))")
--8<---------------cut here---------------end--------------->8---

and then as root run:

  # guile the-above-file.scm

It should return zero and print:

--8<---------------cut here---------------start------------->8---
;;; (uid/gid 30001 30000)

;;; (euid/egid 30001 30000)

;;; (running 30001 30001)
--8<---------------cut here---------------end--------------->8---

TIA,
Ludo’.

Re: permission denied: /gnu/store/...guile...

[rekado]

---- On Fri, 22 May 2015 05:53:51 +0800 Ludovic Courtès<ludo@gnu.org> wrote ---- 
 > Could you try this: 
 >  
 > --8<---------------cut here---------------start------------->8--- 
 > (chdir "/tmp") 
 > (setgroups #()) 
 > (setgid 30000) 
 > (setuid 30001) 
 > (pk 'uid/gid (getuid) (getgid)) 
 > (pk 'euid/egid (geteuid) (getegid)) 
 > (let loop ((i 3)) 
 >   (when (< i 1024) 
 >     (false-if-exception (close-fdes i)) 
 >     (loop (+ 1 i)))) 
 > (execl "/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile" "guile" 
 >        "-c" "(pk 'running (getuid) (geteuid))") 
 > --8<---------------cut here---------------end--------------->8--- 
 >  
 > and then as root run: 
 >  
 >   # guile the-above-file.scm 
 >  
 > It should return zero and print: 
 >  
 > --8<---------------cut here---------------start------------->8--- 
 > ;;; (uid/gid 30001 30000) 
 >  
 > ;;; (euid/egid 30001 30000) 
 >  
 > ;;; (running 30001 30001) 
 > --8<---------------cut here---------------end--------------->8--- 

I ran it in a guile REPL (as root) and I got the first two outputs, but an error on (execl ...).  It's an unhelpful message:

    ERROR: In procedure execl:
    ERROR: In procedure execl: Permission denied

The backtrace just shows me the line that failed.

When I save it in a file and run that with guile as root I get this error after the first two output lines:

    Backtrace:
    In ice-9/boot-9.scm:
      157: 7 Exception thrown while printing backtrace:
    ERROR: In procedure private-lookup: Module named (system vm frame) does not exist

    ERROR: In procedure execl:
    ERROR: In procedure execl: Permission denied

That's all.

Re: permission denied: /gnu/store/...guile...

[Ludovic Courtès]

rekado <rekado@elephly.net> skribis:

> ---- On Fri, 22 May 2015 05:53:51 +0800 Ludovic Courtès<ludo@gnu.org> wrote ---- 
>  > Could you try this: 
>  >  
>  > --8<---------------cut here---------------start------------->8--- 
>  > (chdir "/tmp") 
>  > (setgroups #()) 
>  > (setgid 30000) 
>  > (setuid 30001) 
>  > (pk 'uid/gid (getuid) (getgid)) 
>  > (pk 'euid/egid (geteuid) (getegid)) 
>  > (let loop ((i 3)) 
>  >   (when (< i 1024) 
>  >     (false-if-exception (close-fdes i)) 
>  >     (loop (+ 1 i)))) 
>  > (execl "/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile" "guile" 
>  >        "-c" "(pk 'running (getuid) (geteuid))") 
>  > --8<---------------cut here---------------end--------------->8--- 
>  >  
>  > and then as root run: 
>  >  
>  >   # guile the-above-file.scm 
>  >  
>  > It should return zero and print: 
>  >  
>  > --8<---------------cut here---------------start------------->8--- 
>  > ;;; (uid/gid 30001 30000) 
>  >  
>  > ;;; (euid/egid 30001 30000) 
>  >  
>  > ;;; (running 30001 30001) 
>  > --8<---------------cut here---------------end--------------->8--- 
>
> I ran it in a guile REPL (as root) and I got the first two outputs, but an error on (execl ...).  It's an unhelpful message:
>
>     ERROR: In procedure execl:
>     ERROR: In procedure execl: Permission denied

Great, that means that we have a reduced test case now!

Now, could you try to comment out some of the lines before the ‘execl’
until you find which one is responsible for that?

IIRC you said that
"/gnu/store/cnqmkmj40jmssnx6fkf9n0n3bqj5x426-guile-2.0.11/bin/guile" is
555, so normally every user on the machine can run it.  It can only
imagine an obscure kernel or file system setting that would somehow
prevent execution, but we’ll see.

Thank you,
Ludo’.