Re: [RFC] A simple draft for channels

[Pjotr Prins <pjotr.public12@thebird.nl>]

On Tue, Jan 23, 2018 at 07:38:46AM +0100, Ricardo Wurmus wrote:
> 
> Hi Pjotr,
> 
> > On Fri, Jan 19, 2018 at 02:41:42PM +0100, Ludovic Courtès wrote:
> >> Authorizing keys is necessarily limited to root since the store is
> >> shared among all users of the machine.  I don’t see any way around that
> >
> > Well, the daemon could update itself with its own privileges.
> 
> I think Ludo’s point is that this is a security issue, not a technical
> limitation.

How is it a security issue? If authentication is user bound it becomes
a two-step or a one-step choice. User still has to do something
explicit to open a channel. Installed software is running in user land
so it is no different from compiling your own. But yes, devil is in
the details.

> > How
> > about maintaining authentication for a channel at runtime in RAM. When
> > the daemon restarts it is lost. The channel will not be shared with
> > other users. So every user maintains their own channels. When a
> > channel reconnects it authenticates itself again.
> 
> It all ends up in the store though and is thus available to everybody.

Hmmm. Is that a true concern? I ususally have no trouble software
installed by other people on systems (in their HOME or not). If an SA
does not want to allow for it we can tell the daemon not to support
channels with auto-authentication.

> > There really is no reason to share individual channels between users
> > (other then their outputs).
> 
> Yes, channel configuration and state is kept in the user’s home
> directory.  But authorization for downloading and installing substitutes
> in /gnu/store currently still falls to root.

I don't see why the daemon can not handle it. But maybe we should just
do a round-table at FOSDEM.

Pj.