From: Pjotr Prins
Subject: Re: [RFC] A simple draft for channels
Date: Tue, 23 Jan 2018 09:54:07 +0100
Message-ID: <20180123085407.GA29079@thebird.nl>
References: <87bmhq6ytg.fsf@mdc-berlin.de> <87d1263qzt.fsf@gnu.org> <20180119135658.GA5944@thebird.nl> <87vaftyt8v.fsf@elephly.net>
In-Reply-To: <87vaftyt8v.fsf@elephly.net>
To: Ricardo Wurmus
Cc: guix-devel@gnu.org, Ricardo Wurmus

On Tue, Jan 23, 2018 at 07:38:46AM +0100, Ricardo Wurmus wrote:
>
> Hi Pjotr,
>
> > On Fri, Jan 19, 2018 at 02:41:42PM +0100, Ludovic Courtès wrote:
> >> Authorizing keys is necessarily limited to root since the store is
> >> shared among all users of the machine. I don’t see any way around that
> >
> > Well, the daemon could update itself with its own privileges.
>
> I think Ludo’s point is that this is a security issue, not a technical
> limitation.

How is it a security issue? If authentication is user bound it becomes a two-step or a one-step choice. User still has to do something explicit to open a channel. Installed software is running in user land so it is no different from compiling your own. But yes, devil is in the details.

> > How
> > about maintaining authentication for a channel at runtime in RAM. When
> > the daemon restarts it is lost. The channel will not be shared with
> > other users. So every user maintains their own channels. When a
> > channel reconnects it authenticates itself again.
>
> It all ends up in the store though and is thus available to everybody.

Hmmm. Is that a true concern? I usually have no trouble with software installed by other people on systems (in their HOME or not). If an SA does not want to allow for it we can tell the daemon not to support channels with auto-authentication.

> > There really is no reason to share individual channels between users
> > (other than their outputs).
>
> Yes, channel configuration and state is kept in the user’s home
> directory. But authorization for downloading and installing substitutes
> in /gnu/store currently still falls to root.

I don't see why the daemon cannot handle it. But maybe we should just do a round-table at FOSDEM.

Pj.