help-guix

Re: Why is /gnu/store writable by the guixbuild group?


From: Steven Allen
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 10:45:17 -0500
User-agent: Mutt/1.5.23.1 (2014-03-12)

On 01-22-16, Thompson, David wrote:
> On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
> for the purposes of the daemon only.  So, for any particular build, a
> build user can *only* write to their specific output directories and
> nothing else.

Got it. Off to fix the Arch package... Unfortunately, I doubt this will
make grsecurity happy (and TPE is a really nice security feature)
because the store *could* be mounted read-write somewhere.

> Note as well that the items in the store are owned by root and cannot
> be touched.  The only user that can trash things is the superuser, if
> they so choose.

FYI, in my Arch install (not GuixSD, as far as I can tell), some of the
files in /gnu/store/ are owned by the guixbuild group (but not
group writable). I assume these are failed in-progress builds (for some
reason, Guix on Arch keeps on trying to build gcc on my poor laptop even
though I've enabled substitutes, but that's another issue...)

> > So, why exactly does the guixbuild group need write access to this
> > directory? I'd think that the guix-daemon would be responsible for
> > moving finished builds into the store, not the builders themselves.
> 
> Builders write directly to their output directories.  In GNU terms,
> this is the directory used for './configure --prefix=/gnu/store/foo'.

Then why does /gnu/store need to be writable by the guixbuild group?  If
the builders can only write to their output directories, e.g.
/gnu/store/foo, /gnu/store shouldn't need to be writable by guixbuild.

> I don't see an issue with this.

There isn't any. I was under the impression that store directories were
named after the hash of the output so I was assuming that the guix
builder was creating them. Now I understand that they are named after
the hash of the inputs which is *really* cool.

My only reservation with this is that directories in /gnu/store may or
may not be "complete" (one could have half-completed builds). However,
given that no build can go from complete to in-progress (builds are
deterministic so there are no rebuilds), this isn't really a problem as
long as programs never assume that all builds in the store are complete.

> > On a related note, why do all builders use guixbuild as their primary
> > group?
> In the long term, it would be cool to just use user namespaces...

In the short term, is there any reason not to give each of these users
its own group?

-- 
Steven Allen
((Do Not Email <address@hidden>))
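The posture described in this thread (store directory group-writable by guixbuild so builders can create their own output directories, every finished item owned by root, and the store mounted read-only except while the daemon remounts it) can be checked with a small audit script. This is an added example, not code from the thread or from Guix; it assumes GNU coreutils `stat`, a `/proc/mounts`-style mounts file, and the daemon's usual `root:guixbuild` mode 1775 on the store root (the sticky bit is what keeps one build user from removing another's output).

```shell
#!/bin/sh
# Audit helper for a Guix-style store directory (added example, not part of Guix).
# Assumes GNU coreutils `stat` and an fstab-style mounts file such as /proc/mounts.

# Octal mode of a path as a shell integer (the leading 0 forces octal parsing).
mode_of() { echo $(( 0$(stat -c '%a' "$1") )); }

# True when the group-write bit is set: build users may create entries here.
is_group_writable() { [ $(( ($(mode_of "$1") >> 3) & 2 )) -ne 0 ]; }

# True when the sticky bit is set: entries can only be removed by their owner.
is_sticky() { [ $(( ($(mode_of "$1") >> 9) & 1 )) -ne 0 ]; }

# Mount options for an exact mount point from a mounts file, or "not-a-mountpoint".
mount_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1")
    [ -n "$opts" ] && echo "$opts" || echo "not-a-mountpoint"
}

# Store entries not owned by root: candidates for in-progress or failed builds,
# the guixbuild-owned files seen on the Arch install above.
non_root_entries() {
    find "$1" -mindepth 1 -maxdepth 1 ! -user root -exec stat -c '%G %n' {} \;
}

# Returns 0 when the store root matches the expected posture, 1 otherwise.
# Usage: audit_store [store] [build-group] [mounts-file]
audit_store() {
    store=${1:-/gnu/store}; group=${2:-guixbuild}; mounts=${3:-/proc/mounts}
    ok=0
    if is_group_writable "$store"; then
        [ "$(stat -c '%G' "$store")" = "$group" ] ||
            { echo "WARN: $store writable by a group other than $group"; ok=1; }
        is_sticky "$store" ||
            { echo "WARN: $store group-writable without the sticky bit"; ok=1; }
    else
        echo "INFO: $store is not group-writable; builders cannot create outputs"
    fi
    case "$(mount_opts "$mounts" "$store")" in
        ro|ro,*|*,ro|*,ro,*) echo "OK: $store mounted read-only" ;;
        not-a-mountpoint)    echo "INFO: $store is not its own mount point" ;;
        *)                   echo "WARN: $store mounted read-write"; ok=1 ;;
    esac
    n=$(non_root_entries "$store" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] && echo "INFO: $n non-root entries (in-progress or failed builds?)"
    return $ok
}
```

Run `audit_store` with no arguments on a real machine; on a system where `/gnu/store` is not a bind mount of its own, the mount check reports INFO rather than WARN, which is the situation the Arch package discussion above is about.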
