From: Steven Allen
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 10:45:17 -0500
To: "Thompson, David"
Cc: help-guix

On 01-22-16, Thompson, David wrote:
> On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
> for the purposes of the daemon only. So, for any particular build, a
> build user can *only* write to their specific output directories and
> nothing else.

Got it. Off to fix the Arch package...

Unfortunately, I doubt this will make grsecurity happy (and TPE is a
really nice security feature) because the store *could* be mounted
read-write somewhere.

> Note as well that the items in the store are owned by root and cannot
> be touched. The only user that can trash things is the superuser, if
> they so choose.

FYI, in my Arch install (not GuixSD, as far as I can tell), some of the
files in /gnu/store/ are owned by the guixbuild group (but not group
writable). I assume these are failed in-progress builds (for some
reason, Guix on Arch keeps on trying to build gcc on my poor laptop even
though I've enabled substitutes, but that's another issue...)

> > So, why exactly does the guixbuild group need write access to this
> > directory? I'd think that the guix-daemon would be responsible for
> > moving finished builds into the store, not the builders themselves.
>
> Builders write directly to their output directories. In GNU terms,
> this is the directory used for './configure --prefix=/gnu/store/foo'.

Then why does /gnu/store need to be writable by the guixbuild group? If
the builders can only write to their output directories, e.g.
/gnu/store/foo, /gnu/store shouldn't need to be writable by guixbuild.

> I don't see an issue with this.

There isn't any. I was under the impression that store directories were
named after the hash of the output, so I was assuming that the guix
builder was creating them. Now I understand that they are named after
the hash of the inputs, which is *really* cool.

My only reservation with this is that directories in /gnu/store may or
may not be "complete" (one could have half-completed builds). However,
given that no build can go from complete to in-progress (builds are
deterministic so there are no rebuilds), this isn't really a problem as
long as programs never assume that all builds in the store are complete.

> > On a related note, why do all builders use guixbuild as their primary
> > group?
> In the long term, it would be cool to just use user namespaces...

In the short term, is there any reason not to give each of these users
its own group?

--
Steven Allen
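The thread above states three invariants a store on a non-GuixSD host should satisfy: /gnu/store itself is not writable by the build group, finished store items are owned by root rather than guixbuild, and the store is mounted read-only outside the daemon. The following audit script is an added example for this editorial copy, not code from the thread, from Guix, or from the Arch package; the store path /gnu/store, the group name guixbuild and the /proc/mounts location are assumptions passed in as parameters, and the test data it is exercised on is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Guix itself: audit a store
# directory for the permission invariants discussed above. The store path,
# group name and mounts file are assumptions with the usual defaults.

# Succeed (exit 0) if DIR itself is neither group- nor world-writable.
# -prune keeps find on DIR; -perm -020 / -002 test the g+w / o+w bits.
store_dir_not_group_writable() {
    dir=$1
    [ -z "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# Print immediate store entries that are group- or world-writable. With
# builders confined to their own output directories there should be none.
writable_store_items() {
    dir=$1
    find "$dir" -mindepth 1 -maxdepth 1 \( -perm -020 -o -perm -002 \) -print | sort
}

# Print immediate store entries owned by GROUP (e.g. guixbuild): leftovers
# of in-progress or failed builds that were never handed over to root.
items_with_group() {
    dir=$1; group=$2
    find "$dir" -mindepth 1 -maxdepth 1 -group "$group" -print | sort
}

# Succeed if DIR appears in MOUNTS (a /proc/mounts-format file) with the
# "ro" option. Pass /proc/mounts on a live system.
store_mounted_readonly() {
    mounts=$1; dir=$2
    awk -v d="$dir" '
        $2 == d { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit !found }' "$mounts"
}

# Run every check and report; returns non-zero if any invariant is violated.
audit_store() {
    dir=${1:-/gnu/store}; group=${2:-guixbuild}; mounts=${3:-/proc/mounts}; rc=0
    if store_dir_not_group_writable "$dir"; then
        echo "ok: $dir is not group/world-writable"
    else
        echo "WARN: $dir is group- or world-writable"; rc=1
    fi
    w=$(writable_store_items "$dir")
    if [ -n "$w" ]; then echo "WARN: writable store items:"; echo "$w"; rc=1; fi
    g=$(items_with_group "$dir" "$group")
    if [ -n "$g" ]; then echo "note: items still owned by group $group:"; echo "$g"; fi
    if store_mounted_readonly "$mounts" "$dir"; then
        echo "ok: $dir is mounted read-only"
    else
        echo "WARN: $dir is not mounted read-only (or is not a separate mount)"; rc=1
    fi
    return $rc
}

# Only run the audit when invoked with a store path, e.g.:
#   sh audit-store.sh /gnu/store guixbuild /proc/mounts
if [ $# -gt 0 ]; then
    audit_store "$@"
fi
```

The group check is reported as a note rather than a warning because, as the message above observes, guixbuild-owned entries that are not group-writable are expected while a build is in progress; the two writability checks and the mount check are the ones that correspond to the guarantees GuixSD provides.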