From: Steven Allen
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 18:17:56 -0500
Message-ID: <20160122231756.GA2284@stebalien.com>
In-Reply-To: <87d1st5z03.fsf@gnu.org>
To: Ludovic Courtès
Cc: help-guix

On 01-22-16, Ludovic Courtès wrote:
> What’s TPE (sorry for asking) and how does it complain exactly?

Never mind. This is a false positive and I've reported it to the grsecurity people (although they may not fix it...).

FYI... TPE is Trusted Path Execution. Basically, it means that unprivileged users can only execute files that are not writable by, or in directories writable by, users other than the current user or root. This is to help make it harder to trick users into executing files written by a malicious user. However, after thinking about it, I think this case is a false positive because:

1. The /gnu/store/xxx/ directories and all files under them are not group writable and are owned by root.
2. /gnu/store has the sticky bit set.
This means that any files in /gnu/store that are owned by root must have been "blessed" by root (either linked in or chowned by root). Therefore, the "no group/other writable parent directory" constraint is unnecessary.

> > Guix on Arch keeps on trying to build gcc on my poor laptop even
> > though I've enabled substitutes but that's another issue...)
>
> That shouldn’t happen, unless you’re using an old version of Guix for
> which substitutes are no longer available at hydra.gnu.org.

I'm using guix from git and I'll look into it. In my build logs, it appears that tar is complaining about an invalid flag ("--sort=name") so I think guix is having trouble extracting the substitutes.

> That’s because initially build processes write to their chroot, but when
> the build completes, the build process moves the outputs (the results)
> back to the store.

...

> If you look at ‘strace -f -p $(pidof guix-daemon)’ while running ‘guix
> build grue-hunter’, the above lines of code translate to:
>
> --8<---------------cut here---------------start------------->8---
> 7519 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7544, si_status=0, si_utime=0, si_stime=0} ---
> 7519 lstat("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> 7519 rename("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", "/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0") = 0
> --8<---------------cut here---------------end--------------->8---

I just did a local experiment (running pstree alongside strace) and, unless I'm mistaken, 7519 is running as root.

> >> > On a related note, why do all builders use guixbuild as their primary
> >> > group.
> >> In the long term, it would be cool to just use user namespaces...
> >
> > In the short term, is there any reason not to give each of these users
> > its own group?
>
> Would it make a difference?

No. I was concerned that some files might end up group writable, but the ro bind mount of /gnu/store means that even world-writable files are read-only (and nix will make sure that no files in the final build are writable by users other than root).

-- 
Steven Allen ((Do Not Email ))
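The TPE rule the mail states, and the relaxation it argues for (a sticky, group-writable /gnu/store whose entries are root-owned), as an added worked example. This is not code from the thread, from grsecurity, or from Guix: it is a userland model of the decision over stat(2) data. The sample filesystem, its uids, modes and the all-zero store hash are constructed for illustration; the strict policy follows the mail's description, and the relaxed policy encodes the mail's sticky-bit argument.

```python
"""Model of a Trusted Path Execution (TPE) check and the sticky-dir relaxation.

Added example, not code from the help-guix thread, grsecurity or Guix.
SAMPLE_FS is a constructed stat snapshot; nothing here touches the real disk
unless snapshot_from_disk() is called explicitly.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    """The two struct stat fields the decision needs."""
    mode: int  # st_mode: file-type bits plus permission bits (incl. sticky)
    uid: int   # st_uid


# Constructed snapshot mirroring the layout the mail describes: /gnu/store is
# root-owned, group-writable (guixbuild) and sticky (1775); store items are
# root-owned and never group/other-writable. The hash is a placeholder.
STORE_ITEM = "/gnu/store/00000000000000000000000000000000-grue-hunter-1.0"
SAMPLE_FS: Dict[str, Entry] = {
    "/":          Entry(stat.S_IFDIR | 0o755, 0),
    "/gnu":       Entry(stat.S_IFDIR | 0o755, 0),
    "/gnu/store": Entry(stat.S_IFDIR | stat.S_ISVTX | 0o775, 0),
    STORE_ITEM:   Entry(stat.S_IFDIR | 0o755, 0),
    STORE_ITEM + "/bin":             Entry(stat.S_IFDIR | 0o755, 0),
    STORE_ITEM + "/bin/grue-hunter": Entry(stat.S_IFREG | 0o555, 0),
    # A user's own ~/bin (uid 1000): writable only by that user.
    "/home":               Entry(stat.S_IFDIR | 0o755, 0),
    "/home/alice":         Entry(stat.S_IFDIR | 0o755, 1000),
    "/home/alice/bin":     Entry(stat.S_IFDIR | 0o755, 1000),
    "/home/alice/bin/tool": Entry(stat.S_IFREG | 0o755, 1000),
    # /tmp (1777): a file dropped by uid 1001, and a root-owned file that
    # some non-root user hard-linked in (possible unless fs.protected_hardlinks=1).
    "/tmp":             Entry(stat.S_IFDIR | stat.S_ISVTX | 0o777, 0),
    "/tmp/evil":        Entry(stat.S_IFREG | 0o755, 1001),
    "/tmp/root-linked": Entry(stat.S_IFREG | 0o755, 0),
}


def path_chain(path: str) -> List[str]:
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c'] (every component on the path)."""
    parts = [p for p in os.path.normpath(path).split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def writable_by_third_party(e: Entry, uid: int) -> bool:
    """True if a user other than root or `uid` could write this entry.
    Group/other write bits always count; owner write counts unless the
    owner is root or the executing user."""
    if e.mode & (stat.S_IWGRP | stat.S_IWOTH):
        return True
    return bool(e.mode & stat.S_IWUSR) and e.uid not in (0, uid)


def strict_tpe_allows(fs: Dict[str, Entry], path: str, uid: int) -> bool:
    """The rule as the mail states it: neither the file nor any directory on
    its path may be writable by anyone other than root or the executing user.
    This is what flags /gnu/store (group-writable by guixbuild)."""
    return not any(writable_by_third_party(fs[c], uid) for c in path_chain(path))


def relaxed_tpe_allows(fs: Dict[str, Entry], path: str, uid: int) -> bool:
    """The mail's argument: a third-party-writable directory is acceptable if
    it is sticky and the next component inside it is owned by root. With the
    sticky bit only root (or the entry's owner) can rename or unlink the entry,
    and non-root users cannot chown to root, so a root-owned entry was placed
    by root. The executable itself must still be unwritable by third parties."""
    chain = path_chain(path)
    for i, comp in enumerate(chain):
        e = fs[comp]
        if not writable_by_third_party(e, uid):
            continue
        if i == len(chain) - 1:
            return False                      # the file itself is writable
        sticky_dir = stat.S_ISDIR(e.mode) and bool(e.mode & stat.S_ISVTX)
        if not (sticky_dir and fs[chain[i + 1]].uid == 0):
            return False
    return True


def snapshot_from_disk(path: str) -> Dict[str, Entry]:
    """Build an Entry map for a real path (follows symlinks, like execve)."""
    out = {}
    for comp in path_chain(path):
        st = os.stat(comp)
        out[comp] = Entry(st.st_mode, st.st_uid)
    return out
```

Run against `snapshot_from_disk("/gnu/store/<item>/bin/<prog>")` on a real Guix host, `strict_tpe_allows` denies because /gnu/store is 1775 while `relaxed_tpe_allows` permits, which is the false positive the mail reports. The relaxation trusts the sticky-directory invariant only: `/tmp/root-linked` shows that a root-owned file hard-linked into a sticky directory by a non-root user would also pass, which is why that relaxation is only sound on hosts with `fs.protected_hardlinks=1` (or where the directory's entries are created solely by a root daemon, as in the store).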