From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <help-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp2.migadu.com ([2001:41d0:700:3204::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms8.migadu.com with LMTPS
	id iFxEBEdZj2UcEwAAkFu2QA
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 30 Dec 2023 00:41:59 +0100
Received: from aspmx1.migadu.com ([2001:41d0:403:58f0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2.migadu.com with LMTPS
	id 6GMFO0ZZj2WafQEAe85BDQ
	(envelope-from <help-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 30 Dec 2023 00:41:59 +0100
X-Envelope-To: larch@yhetil.org
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=benwr.net header.s=protonmail header.b=qyZCZT1q;
	spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1703893318;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=isUq7eVMz7dEX5RFqElpfjUWBsAxel9aqWtX6NvhpE0=;
	b=uiSxgxbaToCW6kk1Ip8b9IZZ/dXN7iaSk8UmXHsUCWc2KIVymaJoPd6sEPyf0sHa4hSQAY
	FZ4GLaWlS8vmaB8jjaAjWkPOcozGxexRWM7M6NV8Cm5c71gKCSv8EShf8kCyDi15lvQWAt
	zKMd92KXzR5YABK9KETz8/CiC8IEZtQpVPMA5mocXepkxapFIBRhrbHEFHNy5WUFq7VDu+
	gcctJ4bsr18mS4sJvSlq/LncnmoY+d0qwutILBWC9ZLYI6uZYbpWU06Z+cu/2Rjq2BWV63
	oZN62GInsE5UZikO9QFocrBqyuISUSRmya6BuAUInL4Pb7L5HlKF4AySqKAJ1g==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1703893318; a=rsa-sha256; cv=none;
	b=ooiBrZRs1T2n9MilHiIEABXrBGgq51nCU+UFwicPmc+03K1xRU0gXwDrgvaKP5cCG5yDJW
	NVT0r4NTOyXMNhKxYInobrSJ8tUs4itunKUpmahACXMSrWrhH3fkQWC5mJtx7vHcsg9zpU
	HTM/uLeMHwZS++zwW9FcTrNMMkfwUJL0DXCB0YzuD0jK0KXCb4t0biNCyPbHz6NUeqhcEx
	qxEWYRmaTAdSqGck4rix882xgX6CZzpczFBkis4p89UitIJO/g4JawSjJEzEzghcC78VZD
	rmrLL/3/5aFAyCqT2ZmoRXjRZp7qPnm6/4kQGvlBtHJd68abTzv0niPFbXY7pw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=benwr.net header.s=protonmail header.b=qyZCZT1q;
	spf=pass (aspmx1.migadu.com: domain of "help-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="help-guix-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id AAE865B936
	for <larch@yhetil.org>; Sat, 30 Dec 2023 00:41:58 +0100 (CET)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <help-guix-bounces@gnu.org>)
	id 1rJMTa-0005pJ-7g; Fri, 29 Dec 2023 18:41:14 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <root@benwr.net>) id 1rJMTZ-0005oo-Ey
 for help-guix@gnu.org; Fri, 29 Dec 2023 18:41:13 -0500
Received: from mail-4022.proton.ch ([185.70.40.22])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <root@benwr.net>) id 1rJMTV-0006SY-H7
 for help-guix@gnu.org; Fri, 29 Dec 2023 18:41:13 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=benwr.net;
 s=protonmail; t=1703893265; x=1704152465;
 bh=isUq7eVMz7dEX5RFqElpfjUWBsAxel9aqWtX6NvhpE0=;
 h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date:
 Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector;
 b=qyZCZT1qEP5OGkVnMF3Lm1VXgDIYx28O0U4MbLvsy3UfsoK2tT03JU6/krDxk0e0Q
 r/8KjkU4dE01a1lKQiMUnexwQ4WT9kR8JbMe4YldKl78rEAfnOkVofYGwaFJzaxvcc
 KMgRU0hWvOlHvlZAayg+PFUUGnjeZ11mNr+q8FiM=
Date: Fri, 29 Dec 2023 23:40:50 +0000
To: help-guix@gnu.org
From: Ben Weinstein-Raun <root@benwr.net>
Subject: Running untrusted code as root in a `guix system vm`?
Message-ID: <7fd0d86d-9e36-4949-8917-8daf3181c86f@benwr.net>
Feedback-ID: 7118633:user:proton
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256;
 boundary="------3207e1551d3cb8dbaa4e192cfd90b961edd565d7d1581d6c293ce54608732ad4";
 charset=utf-8
Received-SPF: pass client-ip=185.70.40.22; envelope-from=root@benwr.net;
 helo=mail-4022.proton.ch
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: help-guix@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/help-guix>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
 <mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org
Sender: help-guix-bounces+larch=yhetil.org@gnu.org
X-Migadu-Flow: FLOW_IN
X-Migadu-Country: US
X-Migadu-Spam-Score: -5.53
X-Spam-Score: -5.53
X-Migadu-Queue-Id: AAE865B936
X-Migadu-Scanner: mx11.migadu.com
X-TUID: f2p/av7ki1KH

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--------3207e1551d3cb8dbaa4e192cfd90b961edd565d7d1581d6c293ce54608732ad4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Message-ID: <7fd0d86d-9e36-4949-8917-8daf3181c86f@benwr.net>
Date: Fri, 29 Dec 2023 18:40:45 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: help-guix@gnu.org
From: Ben Weinstein-Raun <root@benwr.net>
Subject: Running untrusted code as root in a `guix system vm`?

Hello!

I'm considering running some software inside a VM created using `guix
system vm`. The easiest thing to do would be to run the virtualized
software as root. Normally I wouldn't think twice about that, but iiuc
the guest will have the host's /store mounted. Am I right that this
should make me nervous about running untrusted things as root in the VM?
Or is there some trick by which a root process in the VM is prevented
from destructively changing /store?

Thanks!


--------3207e1551d3cb8dbaa4e192cfd90b961edd565d7d1581d6c293ce54608732ad4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wnUEARYIACcFAmWPWQEJEB9MBG51G3uoFiEEkw3z4F36dhwIvy/hH0wEbnUb
e6gAAAw9AP0fkQBJ9PEaf1DkM+Qxq9O4HDX4j7WNT3lQchnyPHYG8wEAlesM
CkkzHhg5eKpNcLgjEVhDSO/s+SnvFRvmFVs16wo=
=E0SW
-----END PGP SIGNATURE-----


--------3207e1551d3cb8dbaa4e192cfd90b961edd565d7d1581d6c293ce54608732ad4--