all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Why is /gnu/store writable by the guixbuild group?
@ 2016-01-22 14:41 Steven Allen
  2016-01-22 14:57 ` Thompson, David
  0 siblings, 1 reply; 7+ messages in thread
From: Steven Allen @ 2016-01-22 14:41 UTC (permalink / raw)
  To: help-guix

[-- Attachment #1: Type: text/plain, Size: 796 bytes --]

All,

While the builders run in containers, it still feels like a really bad
idea. Being able to write to /gnu/store gives one the power to overwrite
any binary. Furthermore, it makes grsecurity's TPE mad :(.

So, why exactly does the guixbuild group need write access to this
directory? I'd think that the guix-daemon would be responsible for
moving finished builds into the store, not the builders themselves.

On a related note, why do all builders use guixbuild as their primary
group. It would be safer to make guixbuild a supplementary group and
give every build user it's own primary group. This way, any group
writable files that the build process happens to create will not be
writable by all build users.


-- 
Steven Allen
((Do Not Email <honeypot@stebalien.com>))

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2016-01-23 20:56 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-22 14:41 Why is /gnu/store writable by the guixbuild group? Steven Allen
2016-01-22 14:57 ` Thompson, David
2016-01-22 15:45   ` Steven Allen
2016-01-22 15:59     ` Andreas Enge
2016-01-22 17:02     ` Ludovic Courtès
2016-01-22 23:17       ` Steven Allen
2016-01-23 20:56         ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.