From: Maxime Devos <maximedevos@telenet.be>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: guix-devel@gnu.org, Xinglu Chen <public@yoctocell.xyz>,
Maxim Cournoyer <maxim.cournoyer@gmail.com>,
Andrew Tropin <andrew@trop.in>
Subject: Re: Code sharing between system and home services (was Re: On the naming of System and Home services modules.)
Date: Mon, 04 Oct 2021 18:14:35 +0200 [thread overview]
Message-ID: <129eb4ca6dd24e150f360df431e294413e238ac8.camel@telenet.be> (raw)
In-Reply-To: <87k0isoo6o.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 2477 bytes --]
Ludovic Courtès schreef op ma 04-10-2021 om 16:32 [+0200]:
> Maxime Devos <maximedevos@telenet.be> skribis:
>
> > Ludovic Courtès schreef op za 02-10-2021 om 16:27 [+0200]:
> > > Maxime Devos <maximedevos@telenet.be> skribis:
> > >
> > > > Ludovic Courtès schreef op di 28-09-2021 om 14:21 [+0200]:
> > > > > Hi,
> > > > >
> > > > > Joshua Branson <jbranso@dismail.de> skribis:
> > > > >
> > > > > > Apologies if I'm speaking for something I know very little
> > > > > > about...Wouldn't it be nice if guix home services would accept a user
> > > > > > and a group field? For the syncthing service, perhaps the user wants to
> > > > > > limit Syncthing's runtime permissions. So instead of running as the
> > > > > > user, the user would run synthing as a different user with less permissions?
> > > > >
> > > > > That’s not possible unless the calling user is root, since you’d need
> > > > > the ability to switch users somehow.
> > > >
> > > > On Debian, a user has a list of ‘subordinate user IDs’ which can be switched
> > > > to without root: <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>;;.
> > > >
> > > > Maybe "guix home" could use that mechanism, and this mechanism could be implemented
> > > > on Guix System as well?
> > >
> > > Yes but that requires unprivileged user namespaces, which may or may not
> > > be supported—e.g., likely unsupported when using Home on a foreign
> > > distro.
> >
> > I don't recall newuidmap requiring unprivileged user namespaces -- it's a setuid binary.
>
> Ah right. But we’re not call do (system* "/usr/sbin/newuidmap") in
> service code, so that’s still a problem, no?
It might be possible to modify 'make-forkexec-constructor/container' to call
(exec-command (cons* newuidmap ARGUMENTS-TO-NEWUIDMAP command) ...),
where newuidmap is (search-input-file "newuidmap" '("/run/setuid-programs" "/usr/sbin" "/sbin")).
That path should work on Guix System and many foreign distro, presuming the distro
is configured to make "newuidmap" setuid.
There might be complications w.r.t. bind mounts though (presumably setuid binaries
don't like being called if the (unprivileged) parent process has created some bind mounts?),
so the bind mounting code might need to be performed as a child process of newuidmap,
but in principle, everything should be implemented I think.
I'm not volunteering to write this code though.
Greetings,
Maxime.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 260 bytes --]
next prev parent reply other threads:[~2021-10-04 16:19 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-15 8:47 On the naming of System and Home services modules Andrew Tropin
2021-09-15 10:09 ` Maxime Devos
2021-09-15 13:15 ` Andrew Tropin
2021-09-15 13:06 ` Xinglu Chen
2021-09-15 14:50 ` Katherine Cox-Buday
2021-09-16 10:01 ` Andrew Tropin
2021-09-16 9:57 ` Andrew Tropin
2021-09-17 9:28 ` Xinglu Chen
2021-09-17 11:35 ` Andrew Tropin
2021-09-19 14:54 ` Xinglu Chen
2021-09-23 20:08 ` Ludovic Courtès
2021-09-24 8:08 ` Andrew Tropin
2021-09-28 12:17 ` Ludovic Courtès
2021-09-24 13:35 ` Code sharing between system and home services (was Re: On the naming of System and Home services modules.) Xinglu Chen
2021-09-24 14:03 ` Maxime Devos
2021-09-24 15:39 ` Xinglu Chen
2021-09-24 17:02 ` Maxime Devos
2021-09-28 12:19 ` Ludovic Courtès
2021-09-28 6:03 ` Andrew Tropin
2021-09-24 15:32 ` Joshua Branson
2021-09-28 12:21 ` Ludovic Courtès
2021-09-29 13:52 ` Maxime Devos
2021-10-02 14:27 ` Ludovic Courtès
2021-10-02 22:13 ` Code sharing between system and home services Vagrant Cascadian
2021-10-04 14:34 ` Ludovic Courtès
2021-10-03 8:45 ` Code sharing between system and home services (was Re: On the naming of System and Home services modules.) Maxime Devos
2021-10-04 14:32 ` Ludovic Courtès
2021-10-04 16:14 ` Maxime Devos [this message]
2021-10-06 13:12 ` Ludovic Courtès
2021-09-28 2:32 ` Maxim Cournoyer
2021-09-16 3:05 ` On the naming of System and Home services modules Ryan Prior
2021-09-16 8:50 ` Andrew Tropin
2021-09-17 13:43 ` pinoaffe
2021-09-23 20:10 ` Ludovic Courtès
2021-09-28 6:32 ` Andrew Tropin
2021-09-28 12:26 ` Ludovic Courtès
2021-09-28 13:48 ` Andrew Tropin
2021-09-28 19:36 ` Oleg Pykhalov
2021-10-02 14:22 ` Ludovic Courtès
2021-10-02 17:23 ` Oleg Pykhalov
2021-09-28 15:25 ` Xinglu Chen
2021-10-02 14:25 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=129eb4ca6dd24e150f360df431e294413e238ac8.camel@telenet.be \
--to=maximedevos@telenet.be \
--cc=andrew@trop.in \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=public@yoctocell.xyz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.