GNU bug report logs - #77288
[PATCH 0/6] Rootless guix-daemon on Guix System


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 26 Mar 2025 16:50:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Message #65 received at 77288 <at> debbugs.gnu.org:

From: "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: Julien Lepiller <julien <at> lepiller.eu>, 77288 <at> debbugs.gnu.org
Subject: Re: [bug#77288] [PATCH v2 8/8] DRAFT news: Add entry about
 unprivileged guix-daemon on Guix System.
Date: Fri, 18 Apr 2025 15:32:50 +0200
Thank you Ludo for writing “Migrating to the Unprivileged Daemon”.
I have not tested on a foreign distro yet, though.

I try (privileged? #f) on Guix System and get an error

florian <at> florianhp ~/src/guix$ sudo guix system reconfigure /etc/config.scm --allow-downgrades
guix system: error: the group `guixbuild' specified in `build-users-group' does not exist

It may have been that there were messages before like

The following derivation will be built:
  /gnu/store/w2bx5x6ms3drrcpyysc2jj5lzyjnxyf0-grub.cfg.drv

I temporarily added guixbuild with groupadd, but

substitute: looking for substitutes on 'https://substitutes.nonguix.org'... 100.0%
substitute: looking for substitutes on 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: looking for substitutes on 'https://ci.guix.gnu.org'... 100.0%
The following derivations will be built:
  /gnu/store/s2xpbc0qy7nkwfca3cjy15ccbinz3lis-provenance.drv
  /gnu/store/sl57i03xygqc87q4853n6g3mmys066lm-system.drv
  /gnu/store/awwrr72s7z43nvrfp74wgqihr5qsa272-grub.cfg.drv

guix system: error: the group `guixbuild' specified in `build-users-group' does not exist
So the old daemon is still running and needs to build derivations, but its
build group is already gone?  I roll back for now.

Anyway.  Could you add this German translation?

[german-news-rootless.scm (text/plain, inline)]
 (entry (commit "XXX")
        (title
         (en "Guix System can run @command{guix-daemon} without root
privileges")
         (de "Guix System kann @command{guix-daemon} ohne root-Berechtigungen
ausführen"))
        (body
         (en "On Guix System, @code{guix-service-type} can now be configured
to run the build daemon, @command{guix-daemon}, without root privileges.  In
that configuration, the daemon runs with the authority of the
@code{guix-daemon} user, which we think can reduce the impact of some classes
of vulnerabilities that could affect it.

For now, this is opt-in: you have to change @code{guix-configuration} to set
the @code{privileged?} field to @code{#f}.  When you do this, all the files in
@file{/gnu/store}, @file{/var/guix}, etc. will have their ownership changed to
the @code{guix-daemon} user (instead of @code{root}); this can take a while,
especially if the store is big.  To learn more about it, run:

@example
info guix --index-search=guix-service-type
@end example

Running @command{guix-daemon} without root privileges will likely become the
default in the future.

Users of Guix on other distributions can find information on how to migrate in
the manual:

@example
info guix --index-search=migration
@end example")
         (de "Auf Guix System kann @code{guix-service-type} jetzt so
konfiguriert werden, dass der Erstellungs-Daemon @command{guix-daemon} ohne
root-Berechtigungen ausgeführt wird.  In dieser Konfiguration läuft der Daemon
mit den Berechtigungen des Benutzers @code{guix-daemon}, wovon wir glauben,
dass es die Auswirkungen mancher Schwachstellen-Kategorien verringert, die ihn
betreffen könnten.

Fürs Erste bleibt es Ihnen überlassen: Sie müssen @code{guix-configuration}
anpassen und dort das Feld @code{privileged?} auf @code{#f} setzen.  Wenn Sie
das tun, wird der Besitzer aller Dateien in @file{/gnu/store},
@file{/var/guix}, usw. auf den Benutzer @code{guix-daemon} geändert (anstelle
von @code{root}); das kann eine Weile dauern, besonders wenn der Store groß
ist.  Um mehr zu erfahren, führen Sie aus:

@example
info guix --index-search=guix-service-type
@end example

Schließlich wird das Ausführen von @command{guix-daemon} ohne
root-Berechtigungen wahrscheinlich die Vorgabe.

Wer Guix auf anderen Distributionen benutzt, kann sich mit dem Handbuch
informieren, wie man umsteigt:

@example
info guix --index-search=migration
@end example")))

Regards,
Florian
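For readers following the thread, this is the configuration change the news entry above describes and that the message tries to apply. It is an added illustration, not code from the message or from the Guix repository; it assumes a system declaration built on `%base-services` and shows only the value of the `services` field, with the default (`privileged? #t`, daemon as root) next to the opt-in unprivileged setting.

```scheme
;; Added example, not part of the bug report.  Value of the `services'
;; field of an operating-system declaration in /etc/config.scm.
(use-modules (gnu))
(use-service-modules base)   ; provides guix-service-type / guix-configuration

;; Default behaviour: guix-daemon runs as root and expects the build users
;; of `build-users-group' (guixbuild).  Equivalent to plain %base-services.
(define privileged-services
  (modify-services %base-services
    (guix-service-type
     config => (guix-configuration
                (inherit config)
                (privileged? #t)))))

;; Opt-in unprivileged daemon: guix-daemon runs as the guix-daemon user and,
;; on first activation, /gnu/store and /var/guix are chowned to that user.
;; Keep the previous daemon's expectations in mind until it has been
;; restarted, as the reconfigure error quoted above shows.
(define unprivileged-services
  (modify-services %base-services
    (guix-service-type
     config => (guix-configuration
                (inherit config)
                (privileged? #f)))))

;; Use one of the two as the `services' field:
;; (operating-system ... (services unprivileged-services))
```

After reconfiguring, `info guix --index-search=guix-service-type` documents the remaining fields of `guix-configuration`.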
