Ludovic Courtès schreef op za 02-10-2021 om 16:27 [+0200]: > Maxime Devos skribis: > > > Ludovic Courtès schreef op di 28-09-2021 om 14:21 [+0200]: > > > Hi, > > > > > > Joshua Branson skribis: > > > > > > > Apologies if I'm speaking for something I know very little > > > > about...Wouldn't it be nice if guix home services would accept a user > > > > and a group field? For the syncthing service, perhaps the user wants to > > > > limit Syncthing's runtime permissions. So instead of running as the > > > > user, the user would run synthing as a different user with less permissions? > > > > > > That’s not possible unless the calling user is root, since you’d need > > > the ability to switch users somehow. > > > > On Debian, a user has a list of ‘subordinate user IDs’ which can be switched > > to without root: ;. > > > > Maybe "guix home" could use that mechanism, and this mechanism could be implemented > > on Guix System as well? > > Yes but that requires unprivileged user namespaces, which may or may not > be supported—e.g., likely unsupported when using Home on a foreign > distro. I don't recall newuidmap requiring unprivileged user namespaces -- it's a setuid binary. It being unsupported on some foreign distros (*) that aren't Debian doesn't seem a big problem to me, as long as its use is optional and the limitation is documented. (*) It's upported on Debian, presumably all Debian derivatives, NixOS (https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/users-groups.nix#L179), on Guix System according to the output of "type newuidmap" though Guix System doesn't setup /etc/subuid yet. That covers a lot of GNU/Linux systems, though certainly not all. Greetings, Maxime