GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Noé Lopez <noe <at> xn--no-cja.eu>
To: 75810 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>, Reepca Russelstein <reepca <at> russelstein.xyz>, Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: [bug#75810] [PATCH 0/6] Rootless guix-daemon
Date: Mon, 27 Jan 2025 22:51:08 +0100

Hi Ludovic,

If the store is not read-only, is there not a risk of applications
running as root modifying their own files in the store?

As a possible solution, maybe it is possible to have a modifiable store
directory for the daemon and a read-only bind mount as /gnu/store.  If
it does not have performance implications, applications would be started
from /gnu/store as usual and the builder can still use the other
directory.

What do you think?
Noé
