Re: Why is /gnu/store writable by the guixbuild group?

From: Thompson, David
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 09:57:31 -0500

On Fri, Jan 22, 2016 at 9:41 AM, Steven Allen <address@hidden> wrote:
> All,
> While the builders run in containers, it still feels like a really bad
> idea. Being able to write to /gnu/store gives one the power to overwrite
> any binary. Furthermore, it makes grsecurity's TPE mad :(.

On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
for the purposes of the daemon only.  So, for any particular build, a
build user can *only* write to their specific output directories and
nothing else.

Note as well that the items in the store are owned by root and cannot
be touched.  The only user that can trash things is the superuser, if
they so choose.

> So, why exactly does the guixbuild group need write access to this
> directory? I'd think that the guix-daemon would be responsible for
> moving finished builds into the store, not the builders themselves.

Builders write directly to their output directories.  In GNU terms,
this is the directory used for './configure --prefix=/gnu/store/foo'.
I don't see an issue with this.

> On a related note, why do all builders use guixbuild as their primary
> group. It would be safer to make guixbuild a supplementary group and
> give every build user its own primary group. This way, any group
> writable files that the build process happens to create will not be
> writable by all build users.

In the long term, it would be cool to just use user namespaces instead
of build users, but this would cause issues for a number of Guix users
(and some of our donated build slaves) who do not have a new enough
kernel.  Some day.

- Dave
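The store properties discussed above (items owned by root, nothing group- or world-writable, the mount held read-only outside of the daemon) can be checked from a shell. The following audit script is an added example, not code from this thread or from Guix; the function names and the single directory argument are my own choices, and the read-only check assumes a Linux `/proc/mounts`.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): audit a store-like
# directory for the exposures discussed in the thread.
# Assumptions: the directory to audit is passed as the first argument;
# a healthy store is owned by root, has no group- or world-writable
# entries, and its mount point shows "ro" in /proc/mounts.

# Entries not owned by root (a build user that left files behind).
store_non_root_owned() {
    find "$1" -mindepth 1 ! -user root 2>/dev/null
}

# Entries writable by their group (mode bit 020) or by everyone (002).
# With a shared primary build group, any such file is writable by
# every build user, which is the concern raised above.
store_group_writable() {
    find "$1" -mindepth 1 \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Print "ro" or "rw" for a mount point, or "unknown" when /proc/mounts
# is not readable (non-Linux hosts).
store_mount_state() {
    if [ ! -r /proc/mounts ]; then
        echo unknown
        return 0
    fi
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") { print "ro"; exit }
            print "rw"; exit
        }' /proc/mounts
}

# Total number of findings; 0 means the directory passes both checks.
store_audit() {
    dir=$1
    owned=$(store_non_root_owned "$dir" | wc -l)
    writable=$(store_group_writable "$dir" | wc -l)
    echo $(( owned + writable ))
}

# Usage: sh audit.sh /gnu/store
if [ $# -gt 0 ]; then
    echo "mount state: $(store_mount_state "$1")"
    echo "non-root owned:"; store_non_root_owned "$1"
    echo "group/world writable:"; store_group_writable "$1"
    echo "findings: $(store_audit "$1")"
fi
```

Run it as root against the real store so that `find` can descend into every item; a non-zero findings count points at exactly the files a shared `guixbuild` primary group would expose.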
