GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Fri, 24 Jan 2025 17:24:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #41 received at 75810 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Noé Lopez <noe <at> xn--no-cja.eu>
Cc: Reepca Russelstein <reepca <at> russelstein.xyz>, 75810 <at> debbugs.gnu.org,
 Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: Re: [PATCH 0/6] Rootless guix-daemon
Date: Mon, 27 Jan 2025 23:05:21 +0100
Hi,

Noé Lopez <noe <at> noé.eu> skribis:

> If the store is not read-only, is there not a risk of applications
> running as root modifying their own files in the store?

Yes, there’s a risk.

> As a possible solution, maybe it is possible to have a modifiable store
> directory for the daemon and a read-only bind mount as /gnu/store.  If
> it does not have performance implications, applications would be started
> from /gnu/store as usual and the builder can still use the other
> directory.

I agree, that’s what I alluded to with having /gnu/.rw-store as the
backing store used by guix-daemon, while /gnu/store would be read-only.

Thanks,
Ludo’.
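
The arrangement discussed above (a writable backing directory for guix-daemon behind a read-only bind-mounted /gnu/store), as an added example that is not part of this thread or of Guix itself. The two paths follow the message; the setup function, the check that parses a mountinfo listing, and the sample mountinfo lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Guix thread: a read-only bind mount of
# /gnu/store in front of a writable /gnu/.rw-store, plus a check that the
# read-only view really is read-only. Paths follow the thread; the rest is
# assumed for illustration.

# Setup as root. Defined but not invoked here, since it needs CAP_SYS_ADMIN.
setup_readonly_store() {
    rw=${1:-/gnu/.rw-store}    # writable backing store used by guix-daemon
    ro=${2:-/gnu/store}        # read-only view that applications run from
    mkdir -p "$rw" "$ro"
    mount --bind "$rw" "$ro"
    # A plain bind mount inherits rw; the remount applies the ro flag to this
    # mount point only, so the backing directory stays writable for the daemon.
    mount -o remount,bind,ro "$ro"
}

# Return 0 if MOUNTPOINT appears in a mountinfo listing with the "ro" option.
# In /proc/self/mountinfo field 5 is the mount point and field 6 holds the
# per-mount options; the "ro" set by the remount above lives there, not in
# the superblock options after the "-" separator (which still say rw).
mount_is_readonly() {
    mountinfo=$1
    mountpoint=$2
    printf '%s\n' "$mountinfo" | awk -v mp="$mountpoint" '
        $5 == mp {
            n = split($6, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample, shaped like /proc/self/mountinfo on such a system.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
40 25 8:1 /gnu/.rw-store /gnu/store ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro
41 25 0:30 / /tmp rw,nosuid - tmpfs tmpfs rw'

# On a live system: mount_is_readonly "$(cat /proc/self/mountinfo)" /gnu/store
if mount_is_readonly "$SAMPLE_MOUNTINFO" /gnu/store; then
    echo "/gnu/store is mounted read-only"
else
    echo "/gnu/store is writable"
fi
```

The check deliberately reads the per-mount options rather than the superblock options: after `mount -o remount,bind,ro`, the underlying ext4 superblock still reports `rw` (it has to, for the daemon's writable view), so a check that greps the tail of the line would wrongly report the store as writable.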
