From: Ricardo Wurmus <rekado@elephly.net>
To: "Jakob L. Kreuze" <zerodaysfordays@sdf.lonestar.org>
Cc: 36957@debbugs.gnu.org
Subject: [bug#36957] [PATCH v2] machine: Allow non-root users to deploy.
Date: Thu, 08 Aug 2019 10:33:03 +0200 [thread overview]
Message-ID: <87y304vyyo.fsf@elephly.net> (raw)
In-Reply-To: <87pnlgjymv.fsf_-_@sdf.lonestar.org>
Hi Jakob,
> +@code{user}. That is: the line in @code{sudoers} granting @code{user} the
> +ability to use @code{sudo} must contain the NOPASSWD tag.
Perhaps also wrap “NOPASSWD” in @code{…}.
> +(define (machine-become-command machine)
> + "Return as a list of strings the program and arguments necessary to run a
> +shell command with escalated privileges for MACHINE's configuration."
> + (if (string= "root" (machine-ssh-configuration-user
> + (machine-configuration machine)))
> + '()
> + '("/run/setuid-programs/sudo" "-n" "--")))
> +
This is a comment for future changes only: currently, we can assume that
the remote machine already runs Guix System. In the future “guix
deploy” should probably also be able to initialize a system. In that
case “sudo” may have to be searched on the target or otherwise be
provided.
(What happens if /run/setuid-programs/sudo is not available on the
target machine?)
> +(define* (%remote-eval lowered session #:optional become-command)
> "Evaluate LOWERED, a lowered gexp, in SESSION. This assumes that all the
> -prerequisites of EXP are already available on the host at SESSION."
> - (let* ((pipe (remote-pipe-for-gexp lowered session))
> +prerequisites of EXP are already available on the host at SESSION. If
> +BECOME-COMMAND is given, use that to invoke the remote Guile REPL."
> + (let* ((pipe (remote-pipe-for-gexp lowered session become-command))
> (result (read-repl-response pipe)))
> (close-port pipe)
> result))
> @@ -90,12 +104,14 @@ result to the current output port using the (guix repl) protocol."
> #:key
> (build-locally? #t)
> (module-path %load-path)
> - (socket-name "/var/guix/daemon-socket/socket"))
> + (socket-name "/var/guix/daemon-socket/socket")
> + (become-command #f))
I’m just stumbling upon “socket-name”. “/var/guix” is not guaranteed to
be the localstatedir. It would be better to use (guix config) to
determine the configured value.
This doesn’t block this patch, of course, but it would be good to change
this in the future.
--
Ricardo
next prev parent reply other threads:[~2019-08-08 8:34 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-07 12:46 [bug#36957] [PATCH] machine: Allow non-root users to deploy Jakob L. Kreuze
2019-08-07 17:43 ` Ricardo Wurmus
2019-08-07 19:17 ` Christopher Lemmer Webber
2019-08-07 20:20 ` Jakob L. Kreuze
2019-08-07 20:34 ` Ricardo Wurmus
2019-08-07 20:39 ` Jakob L. Kreuze
2019-08-07 22:31 ` Christopher Lemmer Webber
2019-08-08 0:20 ` [bug#36957] [PATCH v2] " Jakob L. Kreuze
2019-08-08 8:33 ` Ricardo Wurmus [this message]
2019-08-08 20:24 ` Jakob L. Kreuze
2019-08-14 20:52 ` Christopher Lemmer Webber
2019-08-15 8:03 ` [bug#36957] [PATCH 0/5] Consolidated patches for guix deploy Jakob L. Kreuze
2019-08-15 8:05 ` [bug#36957] [PATCH 1/5] machine: Allow non-root users to deploy Jakob L. Kreuze
2019-08-15 8:05 ` [bug#36957] [PATCH 2/5] machine: Implement 'roll-back-machine' Jakob L. Kreuze
2019-08-15 8:06 ` [bug#36957] [PATCH 3/5] machine: Automatically authorize the coordinator's signing key Jakob L. Kreuze
2019-08-15 8:07 ` [bug#36957] [PATCH 4/5] doc: Add description of 'build-locally?' Jakob L. Kreuze
2019-08-15 8:08 ` [bug#36957] [PATCH 5/5] remote: Use (%daemon-socket-uri) rather than hard-coded path Jakob L. Kreuze
2019-08-15 11:44 ` bug#36957: " Christopher Lemmer Webber
2019-08-15 15:07 ` [bug#36957] [PATCH 1/5] machine: Allow non-root users to deploy Ricardo Wurmus
2019-08-15 16:13 ` Jakob L. Kreuze
2019-08-08 20:26 ` [bug#36957] [PATCH v3] " Jakob L. Kreuze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87y304vyyo.fsf@elephly.net \
--to=rekado@elephly.net \
--cc=36957@debbugs.gnu.org \
--cc=zerodaysfordays@sdf.lonestar.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.