From: Steven Allen
Subject: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 09:41:07 -0500
Message-ID: <20160122144107.GA2185@stebalien.com>
To: help-guix@gnu.org

All,

While the builders run in containers, it still feels like a really bad idea. Being able to write to /gnu/store gives one the power to overwrite any binary. Furthermore, it makes grsecurity's TPE mad :(. So, why exactly does the guixbuild group need write access to this directory?
I'd think that the guix-daemon would be responsible for moving finished builds into the store, not the builders themselves.

On a related note, why do all builders use guixbuild as their primary group? It would be safer to make guixbuild a supplementary group and give every build user its own primary group. This way, any group-writable files that the build process happens to create will not be writable by all build users.

-- 
Steven Allen
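As an added shell example (not from the message above and not part of Guix), the following audits the two concerns the mail raises against constructed /etc/passwd and /etc/group contents: whether the store directory's mode is group-writable, and whether the build users share guixbuild as their primary group instead of holding it as a supplementary group. It assumes Guix's conventional account names (group guixbuild, users guixbuilderNN); the sample data and the 1775 mode are constructed, not read from a live system.

```shell
#!/bin/sh
# Constructed sample /etc/group and /etc/passwd contents (not a real system).
SAMPLE_GROUP='root:x:0:
guixbuild:x:30000:guixbuilder01,guixbuilder02
'
# Variant 1: build users have guixbuild (30000) as their PRIMARY group.
SAMPLE_PASSWD_SHARED='root:x:0:0:root:/root:/bin/sh
guixbuilder01:x:30001:30000:Guix build user 01:/var/empty:/usr/sbin/nologin
guixbuilder02:x:30002:30000:Guix build user 02:/var/empty:/usr/sbin/nologin
'
# Variant 2: each build user has a private primary group; guixbuild is supplementary.
SAMPLE_PASSWD_SEPARATE='root:x:0:0:root:/root:/bin/sh
guixbuilder01:x:30001:30001:Guix build user 01:/var/empty:/usr/sbin/nologin
guixbuilder02:x:30002:30002:Guix build user 02:/var/empty:/usr/sbin/nologin
'

# gid_of GROUPFILE NAME -> prints the numeric GID of group NAME
gid_of() {
  printf '%s' "$1" | awk -F: -v g="$2" '$1 == g { print $3 }'
}

# count_shared_primary PASSWD GROUP -> number of guixbuilder* accounts whose
# primary GID (4th passwd field) is the guixbuild GID
count_shared_primary() {
  gid=$(gid_of "$2" guixbuild)
  printf '%s' "$1" | awk -F: -v gid="$gid" '$1 ~ /^guixbuilder/ && $4 == gid' \
    | wc -l | tr -d ' '
}

# store_group_writable MODE -> succeeds if the octal mode (as printed by
# `stat -c %a /gnu/store`) has the group-write bit set
store_group_writable() {
  grp=${1%?}                # drop the "other" digit
  grp=${grp#"${grp%?}"}     # keep only the last remaining digit (group digit)
  [ $(( grp & 2 )) -ne 0 ]
}

# audit MODE PASSWD GROUP -> prints findings; exit status is the finding count
audit() {
  findings=0
  if store_group_writable "$1"; then
    echo "FINDING: store mode $1 is group-writable: any guixbuild member can replace store items"
    findings=$((findings + 1))
  fi
  n=$(count_shared_primary "$2" "$3")
  if [ "$n" -gt 1 ]; then
    echo "FINDING: $n build users share guixbuild as primary group; group-writable build files are shared"
    findings=$((findings + 1))
  fi
  return $findings
}

audit 1775 "$SAMPLE_PASSWD_SHARED" "$SAMPLE_GROUP" || echo "findings: $?"
```

On a real host, replace the constructed strings with `$(cat /etc/passwd)`, `$(cat /etc/group)` and `$(stat -c %a /gnu/store)`.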