From: Maxime Devos
To: Ludovic Courtès
Cc: guix-devel@gnu.org, Xinglu Chen, Maxim Cournoyer, Andrew Tropin
Date: Sun, 03 Oct 2021 10:45:38 +0200
Subject: Re: Code sharing between system and home services (was Re: On the naming of System and Home services modules.)
In-Reply-To: <87zgrrwlgy.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
Ludovic Courtès wrote on Sat 02-10-2021 at 16:27 [+0200]:
> Maxime Devos wrote:
>
> > Ludovic Courtès wrote on Tue 28-09-2021 at 14:21 [+0200]:
> > > Hi,
> > >
> > > Joshua Branson wrote:
> > >
> > > > Apologies if I'm speaking for something I know very little
> > > > about...Wouldn't it be nice if guix home services would accept a user
> > > > and a group field? For the syncthing service, perhaps the user wants to
> > > > limit Syncthing's runtime permissions. So instead of running as the
> > > > user, the user would run syncthing as a different user with fewer permissions?
> > >
> > > That's not possible unless the calling user is root, since you'd need
> > > the ability to switch users somehow.
> >
> > On Debian, a user has a list of 'subordinate user IDs' which can be switched
> > to without root: ;.
> >
> > Maybe "guix home" could use that mechanism, and this mechanism could be implemented
> > on Guix System as well?
>
> Yes, but that requires unprivileged user namespaces, which may or may not
> be supported—e.g., likely unsupported when using Home on a foreign
> distro.

I don't recall newuidmap requiring unprivileged user namespaces -- it's a setuid binary.

It being unsupported on some foreign distros (*) that aren't Debian doesn't seem
a big problem to me, as long as its use is optional and the limitation is documented.

(*) It's supported on Debian, presumably all Debian derivatives, NixOS
(https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/users-groups.nix#L179),
and on Guix System according to the output of "type newuidmap", though Guix System
doesn't set up /etc/subuid yet. That covers a lot of GNU/Linux systems, though
certainly not all.

Greetings,
Maxime
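As an added illustration (not code from the thread or from Guix), a small Python model of the two facts the reply rests on: newuidmap is a setuid-root binary, and it only honours a UID mapping whose range lies inside the caller's entries in /etc/subuid. The /etc/subuid content below is constructed, and the range rule is a simplified version of the check shadow's newuidmap performs (a requested range must fit within a single subuid entry here).

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample of /etc/subuid; real format is "user:first_subuid:count".
SAMPLE_SUBUID = """\
alice:100000:65536
bob:165536:65536
# comments and blank lines are ignored
alice:300000:1000
"""

Ranges = Dict[str, List[Tuple[int, int]]]


def parse_subuid(text: str) -> Ranges:
    """Parse /etc/subuid content into {user: [(first, count), ...]}."""
    ranges: Ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        owner, first, count = line.split(":")
        ranges.setdefault(owner, []).append((int(first), int(count)))
    return ranges


def mapping_allowed(ranges: Ranges, user: str, lower: int, count: int) -> bool:
    """Simplified newuidmap rule: the requested UID range [lower, lower+count)
    must lie entirely inside one of the caller's subordinate ranges.
    Anything else (another user's range, a range that straddles two
    entries, a user with no entries) is refused."""
    for first, n in ranges.get(user, []):
        if first <= lower and lower + count <= first + n:
            return True
    return False


def is_setuid_root(path: str) -> bool:
    """True if `path` is a setuid binary owned by root, which is how
    newuidmap gets to write uid_map without unprivileged user namespaces.
    A missing binary (e.g. a distro without the shadow tools) yields False."""
    try:
        st = os.stat(path)
    except (FileNotFoundError, NotADirectoryError):
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)
```

Running `is_setuid_root("/usr/bin/newuidmap")` on a Debian host is the programmatic equivalent of the "type newuidmap" check mentioned above, with the setuid bit verified as well.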