GNU bug report logs - #36957 [PATCH] machine: Allow non-root users to deploy.
Message #47 received at 36957 <at> debbugs.gnu.org:
Hi Jakob,
> +@code{user}. That is: the line in @code{sudoers} granting @code{user} the
> +ability to use @code{sudo} must contain the NOPASSWD tag.
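Review bot: the requirement stated in these two doc lines has a security consequence the manual should spell out: with the NOPASSWD tag, whoever holds the SSH credentials for user can become root on the target with no further authentication, so that key needs the same protection as root's own. A sentence along the lines of "Note that this makes user equivalent to root on the target machine" next to the NOPASSWD requirement would make that explicit.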
Perhaps also wrap “NOPASSWD” in @code{…}.
> +(define (machine-become-command machine)
> + "Return as a list of strings the program and arguments necessary to run a
> +shell command with escalated privileges for MACHINE's configuration."
> + (if (string= "root" (machine-ssh-configuration-user
> + (machine-configuration machine)))
> + '()
> + '("/run/setuid-programs/sudo" "-n" "--")))
> +
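Review bot: the -n flag in the non-root branch of machine-become-command is the right choice, since it makes sudo exit instead of blocking on a password prompt when the NOPASSWD tag is missing, but the only thing the caller then sees is a REPL pipe that yields nothing useful. Consider detecting that failure where the pipe is read and reporting that the sudoers entry for the configured user must carry NOPASSWD, otherwise the documented precondition is hard to diagnose from the error.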
This is a comment for future changes only: currently, we can assume that
the remote machine already runs Guix System. In the future “guix
deploy” should probably also be able to initialize a system. In that
case “sudo” may have to be searched on the target or otherwise be
provided.
(What happens if /run/setuid-programs/sudo is not available on the
target machine?)
> +(define* (%remote-eval lowered session #:optional become-command)
> "Evaluate LOWERED, a lowered gexp, in SESSION. This assumes that all the
> -prerequisites of EXP are already available on the host at SESSION."
> - (let* ((pipe (remote-pipe-for-gexp lowered session))
> +prerequisites of EXP are already available on the host at SESSION. If
> +BECOME-COMMAND is given, use that to invoke the remote Guile REPL."
> + (let* ((pipe (remote-pipe-for-gexp lowered session become-command))
> (result (read-repl-response pipe)))
> (close-port pipe)
> result))
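Review bot: the docstring touched here still says "prerequisites of EXP" while the procedure's argument is LOWERED (the same docstring opens with "Evaluate LOWERED"); since the line is being rewritten anyway, change it to "prerequisites of LOWERED". The added sentence "If BECOME-COMMAND is given, use that to invoke the remote Guile REPL." is clear, and since #:optional leaves BECOME-COMMAND as #f when absent, remote-pipe-for-gexp receives #f rather than '() in that case, which should match what that procedure tests for.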
> @@ -90,12 +104,14 @@ result to the current output port using the (guix repl) protocol."
> #:key
> (build-locally? #t)
> (module-path %load-path)
> - (socket-name "/var/guix/daemon-socket/socket"))
> + (socket-name "/var/guix/daemon-socket/socket")
> + (become-command #f))
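Review bot: the hunk adds the become-command keyword to remote-eval but shows no change to its docstring (the hunk header ends with "result to the current output port using the (guix repl) protocol."); make sure the docstring describes BECOME-COMMAND the way %remote-eval's now does, including that it is a list of strings prepended to the remote command, so callers know the expected shape.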
I’m just stumbling upon “socket-name”. “/var/guix” is not guaranteed to
be the localstatedir. It would be better to use (guix config) to
determine the configured value.
This doesn’t block this patch, of course, but it would be good to change
this in the future.
--
Ricardo
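A pre-flight check for the two preconditions discussed in this review, as an added example in Guile that is not part of the patch or of Guix itself: it takes the daemon socket path from (guix config) via (guix store) instead of hard-coding "/var/guix", and probes the target for the sudo binary and the NOPASSWD tag before any deploy starts, so that a missing tag is reported instead of surfacing as a dead REPL pipe. It assumes guile-ssh's open-remote-pipe and channel-get-exit-status, that %default-socket-path is exported by (guix store), that sudo lives at /run/setuid-programs/sudo on the target, and that `sudo -n` exits with status 1 when a password would be required.

```scheme
;; Added example, not code from the patch under review.
(use-modules (guix config)          ; %state-directory, set at configure time
             (guix store)           ; %default-socket-path (assumed export)
             (ssh popen)            ; open-remote-pipe, OPEN_READ (guile-ssh)
             (ssh channel)          ; channel-get-exit-status (guile-ssh)
             (ice-9 textual-ports)
             (ice-9 match))

;; The daemon socket derived from the configured localstatedir, which is
;; how (guix store) computes its own default, instead of "/var/guix/...".
(define %daemon-socket %default-socket-path)

;; Assumed location of sudo on a Guix System target.
(define %sudo "/run/setuid-programs/sudo")

(define (become-command user)
  "Return the command prefix that escalates privileges for USER on the
target, or the empty list when USER is already root."
  (if (string=? user "root")
      '()
      (list %sudo "-n" "--")))

(define (check-become-preconditions session user)
  "Probe SESSION, an open guile-ssh session logged in as USER, and return
one of the symbols 'not-needed, 'ok, 'no-sudo or 'password-required.
The probe runs the same sudo -n the deploy would use, so a sudoers entry
for USER without the NOPASSWD tag is detected here rather than later."
  (if (string=? user "root")
      'not-needed
      (let* ((command (string-append
                       ;; 127 is our own marker for "no sudo at %sudo".
                       "test -x " %sudo " || exit 127; "
                       ;; sudo -n never prompts: with NOPASSWD it exits 0,
                       ;; otherwise it refuses and exits 1 (assumed).
                       "exec " %sudo " -n true"))
             (pipe (open-remote-pipe session OPEN_READ command)))
        (get-string-all pipe)                       ; drain stdout until EOF
        (let ((status (channel-get-exit-status pipe)))
          (close-port pipe)
          (match status
            (0   'ok)
            (127 'no-sudo)
            (_   'password-required))))))

(define (become-command-for session user)
  "Return the escalation prefix for USER after checking the target, raising
a descriptive error instead of handing back a prefix that cannot work."
  (match (check-become-preconditions session user)
    ((or 'ok 'not-needed)
     (become-command user))
    ('no-sudo
     (error "sudo not found on target at" %sudo))
    ('password-required
     (error "sudoers entry for user lacks the NOPASSWD tag:" user))))
```

The probe only needs the exit status, so stdout is drained and stderr is left alone; if the error text from sudo is wanted for the report, open the pipe with OPEN_BOTH and read stderr as well. %daemon-socket is what a caller would pass as #:socket-name in place of the literal "/var/guix/daemon-socket/socket".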