GNU bug report logs - #77288
[PATCH 0/6] Rootless guix-daemon on Guix System


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 26 Mar 2025 16:50:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #20 received at 77288 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 77288 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 6/6] DRAFT news: Add entry about unprivileged guix-daemon on Guix System.
Date: Wed, 26 Mar 2025 17:51:07 +0100
DRAFT: Temporary commit.

* etc/news.scm: Add it.

Change-Id: I28eae7f7b4305225b13281b99458cbedda3c3b94
---
 etc/news.scm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index 4b3da44540..840f5cea53 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -37,6 +37,30 @@
 (channel-news
  (version 0)
 
+ (entry (commit "XXX")
+        (title
+         (en "Guix System can run @command{guix-daemon} without root
+privileges"))
+        (body
+         (en "On Guix System, @code{guix-service-type} can now be configured
+to run the build daemon, @command{guix-daemon}, without root privileges.  In
+that configuration, the daemon runs with the authority of the
+@code{guix-daemon} user, which we think can reduce the impact of some classes
+of vulnerabilities that could affect it.
+
+For now, this is opt-in: you have to change @code{guix-configuration} to set
+the @code{privileged?} field to @code{#f}.  When you do this, all the files in
+@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
+the @code{guix-daemon} user (instead of @code{root}); this can take a while,
+especially if the store is big.  To learn more about it, run:
+
+@example
+info guix --index-search=guix-service-type
+@end example
+
+Eventually running @command{guix-daemon} without root privileges may become
+the default.")))
+
  (entry (commit "0e51c6547ffdaf91777f7383da4a52a1a07b7286")
         (title
          (en "Incompatible upgrade of the Syncthing service"))
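Review bot: the entry is keyed on `(commit "XXX")`, a placeholder that must be replaced with the hash of the commit that actually lands the `privileged?` field before this is pushed, since channel news is matched against that commit; the DRAFT marker in the commit message acknowledges this, but it is the one thing that makes the patch unmergeable as-is. Two smaller points on the body text: "@file{/gnu/store}, @file{/var/guix}, etc." leaves the set of directories whose ownership is changed open-ended, and because that ownership change is the user-visible side effect of flipping the field (and can take a long time on a large store), the entry should either name the directories precisely or defer explicitly to the manual section it already points at; and "which we think can reduce the impact of some classes of vulnerabilities" reads hedged for a news item, so stating plainly that the daemon no longer runs as root and that store ownership moves to the @code{guix-daemon} user would give readers the concrete security property without overclaiming.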
-- 
2.49.0
