From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 18:02:04 +0100
Message-ID: <87d1st5z03.fsf@gnu.org>
References: <20160122144107.GA2185@stebalien.com> <20160122154517.GA7619@stebalien.com>
In-Reply-To: <20160122154517.GA7619@stebalien.com> (Steven Allen's message of "Fri, 22 Jan 2016 10:45:17 -0500")
To: Steven Allen
Cc: help-guix

Steven Allen skribis:

> On 01-22-16, Thompson, David wrote:
>> On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
>> for the purposes of the daemon only. So, for any particular build, a
>> build user can *only* write to their specific output directories and
>> nothing else.
>
> Got it. Off to fix the Arch package... Unfortunately, I doubt this will
> make grsecurity happy (and TPE is a really nice security feature)
> because the store *could* be mounted read-write somewhere.

What’s TPE (sorry for asking) and how does it complain exactly?

>> Note as well that the items in the store are owned by root and cannot
>> be touched. The only user that can trash things is the superuser, if
>> they so choose.
>
> FYI, in my Arch install (not GuixSD, as far as I can tell), some of the
> files in /gnu/store/ are owned by the guixbuild group (but not
> group writable). I assume these are failed in-progress builds (for some
> reason,

Exactly.

> Guix on Arch keeps on trying to build gcc on my poor laptop even
> though I've enabled substitutes but that's another issue...)

That shouldn’t happen, unless you’re using an old version of Guix for
which substitutes are no longer available at hydra.gnu.org.

>> > So, why exactly does the guixbuild group need write access to this
>> > directory? I'd think that the guix-daemon would be responsible for
>> > moving finished builds into the store, not the builders themselves.
>>
>> Builders write directly to their output directories. In GNU terms,
>> this is the directory used for './configure --prefix=/gnu/store/foo'.
>
> Then why does /gnu/store need to be writable by the guixbuild group? If
> the builders can only write to their output directories, e.g.
> /gnu/store/foo, /gnu/store shouldn't need to be writable by guixbuild.

That’s because initially build processes write to their chroot, but
when the build completes, the build process moves the outputs (the
results) back to the store. See nix/libstore/build.cc in
‘registerOutputs’:

--8<---------------cut here---------------start------------->8---
    if (pathExists(actualPath)) {
        /* Move output paths from the chroot to the Nix store. */
        if (buildMode == bmRepair)
            replaceValidPath(path, actualPath);
        else
            if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
                throw SysError(format("moving build output `%1%' from the chroot to the Nix store") % path);
    }
--8<---------------cut here---------------end--------------->8---

If you look at ‘strace -f -p $(pidof guix-daemon)’ while running
‘guix build grue-hunter’, the above lines of code translate to:

--8<---------------cut here---------------start------------->8---
7519  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7544, si_status=0, si_utime=0, si_stime=0} ---
7519  lstat("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
7519  rename("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", "/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0") = 0
--8<---------------cut here---------------end--------------->8---

> My only reservation with this is that directories in /gnu/store may or
> may not be "complete" (one could have half-completed builds). However,
> given that no build can go from complete to in-progress (builds are
> deterministic so there are no rebuilds), this isn't really a problem as
> long as programs never assume that all builds in the store are complete.

As Andreas said, there’s a database (/var/guix/db/db.sqlite by default)
that contains a table listing valid store entries, among other things.

>> > On a related note, why do all builders use guixbuild as their primary
>> > group.
>> In the long term, it would be cool to just use user namespaces...
>
> In the short term, is there any reason not to give each of these users
> its own group? Would it make a difference?
I should point out that this part (the daemon) is inherited from the Nix
project, which was started long ago, and notably long before user
namespaces came into existence.

HTH,
Ludo’.
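As an added illustration, not part of the message above and not Guix or Nix code, the following Python mimics the ‘registerOutputs’ step on a scratch directory standing in for /gnu/store: the finished output is rename()d out of a <drv>.chroot directory laid out like the strace paths above, then recorded in a ValidPaths table like the one in /var/guix/db/db.sqlite, and a second build that died mid-way leaves an unregistered chroot behind. The ValidPaths columns are assumed from the Nix schema the daemon inherited; the derivation and output names are constructed.

```python
"""Added example (not Guix or Nix code): mimic the daemon's
registerOutputs() step on a scratch directory standing in for
/gnu/store, then show why a plain directory listing of the store is
not a list of complete outputs while the ValidPaths table is."""
import os
import shutil
import sqlite3
import tempfile
import time

# Assumption: ValidPaths has the columns of the Nix schema the 2016
# daemon inherited (path, hash, registrationTime, deriver, narSize).
SCHEMA = """
create table if not exists ValidPaths (
    id               integer primary key autoincrement not null,
    path             text unique not null,
    hash             text not null,
    registrationTime integer not null,
    deriver          text,
    narSize          integer
);
"""


def open_db(path=":memory:"):
    """Open (or create) a database holding the ValidPaths table."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def chroot_output_path(store, drv_name, out_name):
    """The builder sees <store>/<out> inside its chroot, which lives at
    <store>/<drv>.chroot; the daemon therefore finds the output at
    <store>/<drv>.chroot<store>/<out>, as in the strace output."""
    chroot = os.path.join(store, drv_name + ".chroot")
    return chroot + os.path.join(store, out_name)


def register_output(store, drv_name, out_name, conn, nar_hash):
    """Move the finished output from the chroot into the store with
    rename(2), as registerOutputs() does, then record it as valid.
    rename() needs write permission on <store> itself, which is why the
    build users' group has it."""
    actual = chroot_output_path(store, drv_name, out_name)
    final = os.path.join(store, out_name)
    if os.path.exists(actual):
        os.rename(actual, final)
    conn.execute(
        "insert into ValidPaths (path, hash, registrationTime, deriver) "
        "values (?, ?, ?, ?)",
        (final, nar_hash, int(time.time()), os.path.join(store, drv_name)),
    )
    conn.commit()
    # The chroot is thrown away once the outputs have been moved out.
    shutil.rmtree(os.path.join(store, drv_name + ".chroot"))
    return final


def store_status(store, conn):
    """Classify each top-level store entry: 'valid' if ValidPaths lists
    it, otherwise 'unregistered' (leftovers of failed or in-progress
    builds, such as a *.drv.chroot directory, land here)."""
    valid = {row[0] for row in conn.execute("select path from ValidPaths")}
    return {
        name: "valid" if os.path.join(store, name) in valid else "unregistered"
        for name in sorted(os.listdir(store))
    }


def demo():
    """Constructed scenario: one build finishes and is registered, one
    dies mid-build and leaves its chroot behind in the store."""
    root = tempfile.mkdtemp(prefix="fake-store-")
    store = os.path.join(root, "gnu", "store")  # stands in for /gnu/store
    conn = open_db()
    # Constructed names; the hash parts are not real store hashes.
    ok_drv, ok_out = "aaaa-grue-hunter-1.0.drv", "bbbb-grue-hunter-1.0"
    bad_drv, bad_out = "cccc-broken-0.1.drv", "dddd-broken-0.1"
    for drv, out in ((ok_drv, ok_out), (bad_drv, bad_out)):
        os.makedirs(os.path.join(chroot_output_path(store, drv, out), "bin"))
    register_output(store, ok_drv, ok_out, conn, "sha256:" + "0" * 52)
    status = store_status(store, conn)
    shutil.rmtree(root)
    return status


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:12} {name}")
```

Running it lists one ‘valid’ output next to one ‘unregistered’ *.drv.chroot directory: exactly the group-owned, non-group-writable leftovers described above, and the reason a consumer of the store should consult the database rather than trust readdir().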