From mboxrd@z Thu Jan  1 00:00:00 1970
From: Pjotr Prins <pjotr.public12@thebird.nl>
Subject: Re: [RFC] A simple draft for channels
Date: Tue, 23 Jan 2018 09:54:07 +0100
Message-ID: <20180123085407.GA29079@thebird.nl>
References: <87bmhq6ytg.fsf@mdc-berlin.de> <87d1263qzt.fsf@gnu.org>
	<20180119135658.GA5944@thebird.nl> <87vaftyt8v.fsf@elephly.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41690)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <pjotr2017@thebird.nl>) id 1eduOg-0004iM-3c
	for guix-devel@gnu.org; Tue, 23 Jan 2018 03:57:39 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <pjotr2017@thebird.nl>) id 1eduOd-0002Uh-2I
	for guix-devel@gnu.org; Tue, 23 Jan 2018 03:57:38 -0500
Content-Disposition: inline
In-Reply-To: <87vaftyt8v.fsf@elephly.net>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: guix-devel@gnu.org, Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de>

On Tue, Jan 23, 2018 at 07:38:46AM +0100, Ricardo Wurmus wrote:
>=20
> Hi Pjotr,
>=20
> > On Fri, Jan 19, 2018 at 02:41:42PM +0100, Ludovic Court=C3=A8s wrote:
> >> Authorizing keys is necessarily limited to root since the store is
> >> shared among all users of the machine.  I don=E2=80=99t see any way =
around that
> >
> > Well, the daemon could update itself with its own privileges.
>=20
> I think Ludo=E2=80=99s point is that this is a security issue, not a te=
chnical
> limitation.

How is it a security issue? If authentication is user bound it becomes
a two-step or a one-step choice. User still has to do something
explicit to open a channel. Installed software is running in user land
so it is no different from compiling your own. But yes, devil is in
the details.

> > How
> > about maintaining authentication for a channel at runtime in RAM. Whe=
n
> > the daemon restarts it is lost. The channel will not be shared with
> > other users. So every user maintains their own channels. When a
> > channel reconnects it authenticates itself again.
>=20
> It all ends up in the store though and is thus available to everybody.

Hmmm. Is that a true concern? I ususally have no trouble software
installed by other people on systems (in their HOME or not). If an SA
does not want to allow for it we can tell the daemon not to support
channels with auto-authentication.

> > There really is no reason to share individual channels between users
> > (other then their outputs).
>=20
> Yes, channel configuration and state is kept in the user=E2=80=99s home
> directory.  But authorization for downloading and installing substitute=
s
> in /gnu/store currently still falls to root.

I don't see why the daemon can not handle it. But maybe we should just
do a round-table at FOSDEM.

Pj.