From: "\( via Guix-patches"
To: 57016@debbugs.gnu.org
Subject: [bug#57016] [PATCH] scripts: Bail out when running pull/package commands as root.
Date: Sat, 6 Aug 2022 12:41:53 +0100
Message-Id: <20220806114153.23153-1-paren@disroot.org>

* guix/scripts/package.scm (assert-not-root): New procedure.
(%options): Add `--allow-root`.
(guix-package*): Add `#:allow-root?` keyword argument. Bail out when
Guix is being run as root if `allow-root?` is not #T and
`--allow-root` has not been passed.
* guix/scripts/install.scm (%options): Add `--allow-root` here...
* guix/scripts/remove.scm (%options): ...here...
* guix/scripts/upgrade.scm (%options): ...and here.
* guix/scripts/search.scm (guix-search): Explicitly allow execution
as root here...
* guix/scripts/show.scm (guix-show): ...and here.
* guix/scripts/pull.scm (%options): Add `--allow-root`.
(guix-pull): Bail out when Guix is being run as root if
`--allow-root` has not been passed.

A pretty common beginner mistake, it seems, is assuming that since
every other package manager you've used requires root for installing,
removing, and upgrading packages, Guix must too. This is an especially
dangerous assumption when applied to `guix pull`, since I seem to
recall that running that command as root breaks the installation.
(I'm pretty sure I once made that mistake, and spent ages trying to
figure out why it was broken.)

This commit tries to make it harder to make such an assumption, by
making commands such as `pull`, `package`, and `upgrade` bail out when
run as root. This can be overridden with the new `--allow-root` flag
for those commands.
---
 guix/scripts/install.scm |  4 +++-
 guix/scripts/package.scm | 30 +++++++++++++++++++++++++++---
 guix/scripts/pull.scm    | 11 ++++++++++-
 guix/scripts/remove.scm  |  4 +++-
 guix/scripts/search.scm  |  3 ++-
 guix/scripts/show.scm    |  3 ++-
 guix/scripts/upgrade.scm |  4 +++-
 7 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/guix/scripts/install.scm b/guix/scripts/install.scm index 63e625f266..21873e69c4 100644 --- a/guix/scripts/install.scm +++ b/guix/scripts/install.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -61,7 +62,8 @@ (define %options ;; Preserve some of the 'guix package' options. (append (filter (lambda (option) (any (cut member <> (option-names option)) - '("profile" "dry-run" "verbosity" "bootstrap"))) + '("allow-root" "profile" "dry-run" + "verbosity" "bootstrap"))) %package-options) %transformation-options diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm index 7d92598efa..5dba931216 100644 --- a/guix/scripts/package.scm +++ b/guix/scripts/package.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2018 Steve Sprang ;;; Copyright © 2022 Josselin Poiret ;;; Copyright © 2022 Antero Mejr +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -64,7 +65,9 @@ (define-module (guix scripts package) #:use-module (srfi srfi-37) #:use-module (gnu packages) #:autoload (gnu packages bootstrap) (%bootstrap-guile) - #:export (build-and-use-profile + #:export (assert-not-root + + build-and-use-profile delete-generations delete-matching-generations guix-package 
@@ -82,6 +85,19 @@ (define-module (guix scripts package) (define %store (make-parameter #f)) +(define (assert-not-root override-flag) + "Throw an error if Guix was invoked by root. This allows us to +inform new users that it is usually a mistake to run commands such +as `guix package' as root. OVERRIDE-FLAG should be a flag that can +be used with the invoked command to override this requirement." + (when (= (getuid) 0) + (leave (G_ "this command should not be run as root + +Note: Running this command as root will only affect the `root' user, +not the entire system, due to Guix's support for per-user package +management. Use `~a' to continue regardless.~%") + override-flag))) + ;;; ;;; Profiles. @@ -658,6 +674,10 @@ (define %options (values (cons `(query show ,arg) result) #f))) + (option '("allow-root") #f #f + (lambda (opt name arg result arg-handler) + (values (alist-cons 'allow-root? #t result) + #f))) (append %transformation-options %standard-build-options))) @@ -1079,10 +1099,14 @@ (define opts (guix-package* opts)) -(define (guix-package* opts) +(define* (guix-package* opts #:key (allow-root? #f)) "Run the 'guix package' command on OPTS, an alist resulting for command-line -option processing with 'parse-command-line'." +option processing with 'parse-command-line'. If ALLOW-ROOT? is #T, don't bail +out when running as root, even if `opts' doesn't set `allow-root?'." (with-error-handling + (unless (or allow-root? (assoc-ref opts 'allow-root?)) + (assert-not-root "--allow-root")) + (or (process-query opts) (parameterize ((%store (open-connection)) (%graft? (assoc-ref opts 'graft?))) diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index b0cc459d63..7a871939af 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013-2015, 2017-2022 Ludovic Courtès ;;; Copyright © 2017 Marius Bakke ;;; Copyright © 2020, 2021 Tobias Geerinckx-Rice +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -45,7 +46,8 @@ (define-module (guix scripts pull) #:use-module (git) #:autoload (gnu packages) (fold-available-packages) #:autoload (guix scripts package) (build-and-use-profile - delete-matching-generations) + delete-matching-generations + assert-not-root) #:autoload (gnu packages base) (canonical-package) #:autoload (gnu packages bootstrap) (%bootstrap-guile) #:autoload (gnu packages certs) (le-certs) @@ -195,6 +197,9 @@ (define %options (option '("bootstrap") #f #f (lambda (opt name arg result) (alist-cons 'bootstrap? #t result))) + (option '("allow-root") #f #f + (lambda (opt name arg result) + (alist-cons 'allow-root? #t result))) (option '(#\h "help") #f #f (lambda args @@ -828,12 +833,16 @@ (define (no-arguments arg _) (let* ((opts (parse-command-line args %options (list %default-options) #:argument-handler no-arguments)) + (allow-root? (assoc-ref opts 'allow-root?)) (substitutes? (assoc-ref opts 'substitutes?)) (dry-run? (assoc-ref opts 'dry-run?)) (profile (or (assoc-ref opts 'profile) %current-profile)) (current-channels (profile-channels profile)) (validate-pull (assoc-ref opts 'validate-pull)) (authenticate? (assoc-ref opts 'authenticate-channels?))) + (unless allow-root? + (assert-not-root "--allow-root")) + (cond ((assoc-ref opts 'query) (process-query opts profile)) diff --git a/guix/scripts/remove.scm b/guix/scripts/remove.scm index a46ad04d56..f7cf810544 100644 --- a/guix/scripts/remove.scm +++ b/guix/scripts/remove.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -58,7 +59,8 @@ (define %options ;; Preserve some of the 'guix package' options. (append (filter (lambda (option) (any (cut member <> (option-names option)) - '("profile" "dry-run" "verbosity" "bootstrap"))) + '("allow-root" "profile" "dry-run" + "verbosity" "bootstrap"))) %package-options) %standard-build-options))) 
diff --git a/guix/scripts/search.scm b/guix/scripts/search.scm index 27b9da5278..efa83e066c 100644 --- a/guix/scripts/search.scm +++ b/guix/scripts/search.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2020 Ludovic Courtès ;;; Copyright © 2021 Simon Tournier +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -74,4 +75,4 @@ (define opts (unless (assoc-ref opts 'query) (leave (G_ "missing arguments: no regular expressions to search for~%"))) - (guix-package* opts)) + (guix-package* opts #:allow-root? #t)) diff --git a/guix/scripts/show.scm b/guix/scripts/show.scm index c747eedd21..ae1e56469a 100644 --- a/guix/scripts/show.scm +++ b/guix/scripts/show.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019, 2021 Simon Tournier +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -73,4 +74,4 @@ (define opts (unless (assoc-ref opts 'query) (leave (G_ "missing arguments: no package to show~%"))) - (guix-package* (reverse opts))) + (guix-package* (reverse opts) #:allow-root? #t)) diff --git a/guix/scripts/upgrade.scm b/guix/scripts/upgrade.scm index beb59cbe6f..e5a7c84108 100644 --- a/guix/scripts/upgrade.scm +++ b/guix/scripts/upgrade.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2019, 2020 Ludovic Courtès ;;; Copyright © 2020 Jakub Kądziołka ;;; Copyright © 2020 Simon Tournier +;;; Copyright © 2022 ( ;;; ;;; This file is part of GNU Guix. ;;; @@ -65,7 +66,8 @@ (define %options ;; Preserve some of the 'guix package' options. (append (filter (lambda (option) (any (cut member <> (option-names option)) - '("profile" "dry-run" "verbosity" "do-not-upgrade"))) + '("allow-root" "profile" "dry-run" + "verbosity" "do-not-upgrade"))) %package-options) %transformation-options -- 2.37.1
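
Review bot: in `assert-not-root` (guix/scripts/package.scm, hunk at -82,6), the string handed to `leave` bundles the one-line error with a three-line `Note:` paragraph, so translators receive one large message and the explanation is printed as part of the error itself. Consider keeping `this command should not be run as root` as the error and emitting the explanation, with the `~a` override flag, as a separate message. The test is on `(getuid)`, the real UID; the docstring only says "invoked by root" and should state which UID is meant.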
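
Review bot: the new `allow-root` entry in `%options` of guix/scripts/package.scm (hunk at -658,6) comes with no user-facing documentation: the diffstat lists only the seven files under guix/scripts/, and no hunk touches help text. Since the error message tells users to pass `--allow-root`, the flag should appear in the command's `--help` output and in the manual, with a sentence on when running as root is legitimate.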
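
Review bot: in `guix-package*` (guix/scripts/package.scm, hunk at -1079,10), the root check sits ahead of `(or (process-query opts) ...)`, so query-only invocations of `guix package` are refused as root, although the same patch exempts `guix search` and `guix show` by passing `#:allow-root? #t`. Moving the `assert-not-root` call to after `process-query` has returned false would treat all queries alike and might make the `#:allow-root?` keyword unnecessary. The docstring also writes `opts` in lowercase where the rest of it uses OPTS.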
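
Review bot: in the `define-module` form of guix/scripts/pull.scm (hunk at -45,7), `assert-not-root` is added to the `#:autoload (guix scripts package)` list, but `guix-pull` calls it on every run that lacks `--allow-root`, so the autoload fires by default and (guix scripts package) is always loaded. A small helper like this fits better in a module that both commands already import, which also avoids exporting it from the `guix package` script.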
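
Review bot: in `guix-pull` (guix/scripts/pull.scm, hunk at -828,12), the `(unless allow-root? (assert-not-root "--allow-root"))` form runs before the `cond` whose first branch is `((assoc-ref opts 'query) (process-query opts profile))`, so root cannot run pull queries without the override either. Placing the check in the branch that actually pulls keeps queries working. The `allow-root?` binding in the `let*` is used once and could be inlined, as `guix-package*` does with `(assoc-ref opts 'allow-root?)`.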