GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #214 received at 75810 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>,
 Simon Tournier <zimon.toutoune <at> gmail.com>, Mathieu Othacehe <othacehe <at> gnu.org>,
 Tobias Geerinckx-Rice <me <at> tobias.gr>, Christopher Baines <guix <at> cbaines.net>,
 75810 <at> debbugs.gnu.org
Subject: Re: [bug#75810] [PATCH v4 06/14] daemon: Allow running as non-root
 with unprivileged user namespaces.
Date: Tue, 04 Mar 2025 09:25:41 +0900

Hi Ludovic,

Ludovic Courtès <ludo <at> gnu.org> writes:

[...]

>>> -        if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
>>> +        if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
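
Review bot: the `buildUser.enabled() &&` guard added to the `chown(chrootRootDir.c_str(), 0, buildUser.getGID())` condition has no comment saying why the ownership change may be skipped, so a reader of the code alone cannot tell whether this is intentional or a silenced error. When the guard is false, the chroot root directory keeps whatever owner and group it was created with and the `== -1` error path is never reached. Consider a short comment above the `if` stating that the chroot block can now be entered without a build user and that the chown to UID 0 and the build user's GID only applies when one is configured.
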
>
>> I think adding the new check for buildUser.enabled() in the above ifs
>> should be split into a distinct commit since it's not relevant to this
>> specific new feature.
>
> It’s in fact related: previously you could not run guix-daemon with
> useChroot == true unless running as root, and buildUser.enabled() was
> implied in this case.
>
> With this change, you can end up in the “if (useChroot)” block without
> running as root, which is why this distinction needs to be made.

Oh, I see (and for the other instance as well).  Thanks for explaining!

Reviewed-by: Maxim Cournoyer <maxim.cournoyer <at> gmail>

-- 
Thanks,
Maxim




This bug report was last modified 56 days ago.
