From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Thompson, David"
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 09:57:31 -0500
Message-ID:
References: <20160122144107.GA2185@stebalien.com>
In-Reply-To: <20160122144107.GA2185@stebalien.com>
To: Steven Allen
Cc: help-guix

On Fri, Jan 22, 2016 at 9:41 AM, Steven Allen wrote:
> All,
>
> While the builders run in containers, it still feels like a really bad
> idea. Being able to write to /gnu/store gives one the power to overwrite
> any binary. Furthermore, it makes grsecurity's TPE mad :(.

On GuixSD, /gnu/store is mounted *read-only* and remounted read/write for the purposes of the daemon only. So, for any particular build, a build user can *only* write to their specific output directories and nothing else. Note as well that the items in the store are owned by root and cannot be touched. The only user that can trash things is the superuser, if they so choose.

> So, why exactly does the guixbuild group need write access to this
> directory? I'd think that the guix-daemon would be responsible for
> moving finished builds into the store, not the builders themselves.

Builders write directly to their output directories. In GNU terms, this is the directory used for './configure --prefix=/gnu/store/foo'. I don't see an issue with this.

> On a related note, why do all builders use guixbuild as their primary
> group? It would be safer to make guixbuild a supplementary group and
> give every build user its own primary group. This way, any group
> writable files that the build process happens to create will not be
> writable by all build users.

In the long term, it would be cool to just use user namespaces instead of build users, but this would cause issues for a number of Guix users (and some of our donated build slaves) who do not have a new enough kernel. Some day.

- Dave
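An added audit script (written for this page, not code from the thread or from Guix) that checks the two invariants Dave describes: whether the store is mounted read-only according to a /proc/mounts-style table, and whether any store entry is owned by someone other than the expected owner or is group/world writable. The mounts-file and owner parameters exist only so the checks can run against constructed input; on a live system the defaults are /proc/mounts and root.

```shell
#!/bin/sh
# Audit helpers for the /gnu/store invariants discussed above. Not part of
# Guix; the mount table and owner arguments are assumptions for testing.

# Print "ro" if the mount at $1 carries the ro option, "rw" if it is
# mounted but writable, or "absent" if no such mountpoint exists.
# $2 is a /proc/mounts-style file (defaults to /proc/mounts).
store_mount_mode() {
    mountpoint=$1
    mounts_file=${2:-/proc/mounts}
    awk -v mp="$mountpoint" '
        $2 == mp {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            print mode; found = 1; exit
        }
        END { if (!found) print "absent" }' "$mounts_file"
}

# Count entries below store directory $1 that are not owned by $2
# (default root) or are group- or world-writable. Any non-zero count
# means a build user in the guixbuild group could modify a store item.
unsafe_store_entries() {
    store=$1
    owner=${2:-root}
    find "$store" ! -path "$store" \
        \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print 2>/dev/null \
        | wc -l | tr -d ' '
}

# Human-readable summary; $1 is the store path (default /gnu/store).
audit_store() {
    store=${1:-/gnu/store}
    echo "mount mode of $store: $(store_mount_mode "$store")"
    echo "unsafe entries under $store: $(unsafe_store_entries "$store")"
}
```

Run `audit_store` on a GuixSD host to confirm "ro" and an unsafe-entry count of 0; a non-zero count lists the permission problems Steven is worried about.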