GNU bug report logs - #75810
[PATCH 0/6] Rootless guix-daemon
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 24 Jan 2025 17:24:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Hello Reepca,
Thanks a lot for your feedback, very useful as always.
I’ve sent a v2 addressing some of the issues you mentioned before.
Crucially, this one remains:
> #~(let ((guile (string-append (assoc-ref %guile-build-info
>                                          'bindir)
>                               "/guile")))
>     (chmod "/" #o777)
>     (copy-file guile "/guile")
>     (chmod "/guile" #o6755)
>     (sleep 1000)
That is, / is currently writable inside the build environment, and
that’s:
1. a security issue, but it could be addressed with a /top
sub-directory as you wrote;
2. a reproducibility issue because a build process would now be able to
create/modify files anywhere.
I looked for solutions to this and couldn’t find anything so far.
In particular, re-mounting / read-only makes everything beneath it
read-only, including mount points that were initially read-write. It
might be that the wealth of MS_ options could be used to address that,
but honestly, it’s a mess and a maze (“shared subtrees”?).
Alternatively, I wondered if we could make / owned by the overflow user,
but that’s probably not possible.
Perhaps yet another option would be to use subordinate IDs to map two
different users in the container, but that sounds more involved and I’m
not sure how to get that done.
Thoughts?
Ludo’.
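As an added example (not code from the patch series or from Guix), the following shows the per-mount-point variant among the MS_ options mentioned above: MS_BIND|MS_REMOUNT|MS_RDONLY sets the read-only flag on one vfsmount rather than on the superblock, so a tmpfs mounted beneath the container root before the remount stays writable while the root itself rejects writes with EROFS. The scratch directory, the "build" subdirectory and the probe file names are this example's own stand-ins for a build container; it enters a private mount namespace (directly as root, through a user namespace otherwise) and reports 1 instead of failing when the environment forbids that.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

/* statvfs(3) f_flag bits -> mount(2) flags.  A MS_BIND|MS_REMOUNT must carry
 * the flags already on the mount point: in an unprivileged user namespace they
 * are locked, and dropping one makes the remount fail with EPERM. */
unsigned long statvfs_to_mount_flags(unsigned long f_flag)
{
    unsigned long ms = 0;
    if (f_flag & ST_RDONLY)     ms |= MS_RDONLY;
    if (f_flag & ST_NOSUID)     ms |= MS_NOSUID;
    if (f_flag & ST_NODEV)      ms |= MS_NODEV;
    if (f_flag & ST_NOEXEC)     ms |= MS_NOEXEC;
    if (f_flag & ST_NOATIME)    ms |= MS_NOATIME;
    if (f_flag & ST_NODIRATIME) ms |= MS_NODIRATIME;
    if (f_flag & ST_RELATIME)   ms |= MS_RELATIME;
    return ms;
}
/* Bind-remount the mount at PATH read-only.  The flag is set on that vfsmount,
 * not on the superblock, so mounts stacked beneath PATH keep their own flags. */
int remount_readonly(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) < 0) return -1;
    return mount(NULL, path, NULL, MS_BIND | MS_REMOUNT | MS_RDONLY
                 | statvfs_to_mount_flags(st.f_flag), NULL);
}
static int write_string(const char *path, const char *s)   /* one write(2) */
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t) strlen(s) ? 0 : -1;
}
/* Private mount namespace: directly as root, through a user namespace
 * otherwise.  Returns -1 when the kernel or a sandbox policy forbids it. */
static int enter_private_mount_ns(void)
{
    if (geteuid() != 0 || unshare(CLONE_NEWNS) < 0) {
        char map[64];
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
        /* Map our own ids; with no mapping, creating files on a file system
         * mounted from inside the namespace fails with EOVERFLOW. */
        snprintf(map, sizeof map, "%u %u 1", (unsigned) getuid(), (unsigned) getuid());
        if (write_string("/proc/self/setgroups", "deny") < 0
            || write_string("/proc/self/uid_map", map) < 0) return -1;
        snprintf(map, sizeof map, "%u %u 1", (unsigned) getgid(), (unsigned) getgid());
        if (write_string("/proc/self/gid_map", map) < 0) return -1;
    }
    /* Keep the mounts made below from propagating to the parent namespace. */
    return mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
}
/* Try to create DIR/probe: 1 on success, 0 on EROFS, -1 on any other error. */
static int can_create(const char *dir)
{
    char probe[256];
    snprintf(probe, sizeof probe, "%s/probe", dir);
    int fd = open(probe, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return errno == EROFS ? 0 : -1;
    close(fd); unlink(probe);
    return 1;
}
/* Stand-in for the build container: a scratch directory as the root with a
 * tmpfs "build" tree beneath it.  Returns 0 when the root refuses writes with
 * EROFS while the build tree accepts them, 1 when this environment allows no
 * namespaces or mounts (nothing demonstrated), -1 on any other outcome. */
int run_demo(void)
{
    char top[] = "/tmp/ro-root-demo-XXXXXX";   /* constructed scratch path */
    char root[256], build[256];
    int result = 1;
    if (enter_private_mount_ns() < 0) return 1;
    if (mkdtemp(top) == NULL) return -1;
    snprintf(root, sizeof root, "%s/root", top);
    snprintf(build, sizeof build, "%s/build", root);
    if (mkdir(root, 0700) < 0 || mkdir(build, 0700) < 0) return -1;
    /* Order matters: bind the root onto itself so it is a mount point of its
     * own, mount the writable tree beneath it, and only then lock the root. */
    if (mount(root, root, NULL, MS_BIND, NULL) < 0) goto out;
    if (mount("tmpfs", build, "tmpfs", 0, NULL) < 0) goto out;
    if (remount_readonly(root) < 0) goto out;
    result = (can_create(root) == 0 && can_create(build) == 1) ? 0 : -1;
out:
    umount2(build, MNT_DETACH); umount2(root, MNT_DETACH);
    rmdir(build); rmdir(root); rmdir(top);
    return result;
}
int main(void)
{
    int r = run_demo();   /* 0: shown, 1: no mount namespace here, -1: unexpected */
    printf("run_demo() = %d\n", r);
    return r != 0;
}
```

The ordering in run_demo is the whole point: the writable mounts go in first, the root is bind-remounted read-only last, and the flag stays on the root's own vfsmount. The statvfs round-trip matters when the daemon runs without privileges, because a bind-remount in an unprivileged user namespace must keep the nosuid/nodev/noexec flags the kernel has locked on inherited mounts.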
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.