
Re: Why is /gnu/store writable by the guixbuild group?

From: Steven Allen
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Fri, 22 Jan 2016 10:45:17 -0500
User-agent: Mutt/ (2014-03-12)

On 01-22-16, Thompson, David wrote:
> On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
> for the purposes of the daemon only.  So, for any particular build, a
> build user can *only* write to their specific output directories and
> nothing else.

Got it. Off to fix the Arch package... Unfortunately, I doubt this will
make grsecurity happy (and TPE is a really nice security feature)
because the store *could* be mounted read-write somewhere.

> Note as well that the items in the store are owned by root and cannot
> be touched.  The only user that can trash things is the superuser, if
> they so choose.

FYI, in my Arch install (not GuixSD, as far as I can tell), some of the
files in /gnu/store/ are owned by the guixbuild group (but not
group writable). I assume these are failed in-progress builds (for some
reason, Guix on Arch keeps on trying to build gcc on my poor laptop even
though I've enabled substitutes, but that's another issue...).

> > So, why exactly does the guixbuild group need write access to this
> > directory? I'd think that the guix-daemon would be responsible for
> > moving finished builds into the store, not the builders themselves.
> Builders write directly to their output directories.  In GNU terms,
> this is the directory used for './configure --prefix=/gnu/store/foo'.

Then why does /gnu/store need to be writable by the guixbuild group?  If
the builders can only write to their output directories, e.g.
/gnu/store/foo, /gnu/store shouldn't need to be writable by guixbuild.

> I don't see an issue with this.

There isn't any. I was under the impression that store directories were
named after the hash of the output so I was assuming that the guix
builder was creating them. Now I understand that they are named after
the hash of the inputs which is *really* cool.

My only reservation with this is that directories in /gnu/store may or
may not be "complete" (one could have half-completed builds). However,
given that no build can go from complete to in-progress (builds are
deterministic so there are no rebuilds), this isn't really a problem as
long as programs never assume that all builds in the store are complete.

> > On a related note, why do all builders use guixbuild as their primary
> > group?
> In the long term, it would be cool to just use user namespaces...

In the short term, is there any reason not to give each of these users
its own group?

Steven Allen
((Do Not Email <address@hidden>))

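The question running through the post above is whether /gnu/store itself, as opposed to the per-build output directories beneath it, needs to carry a group-write bit for guixbuild, and whether group-writable items in the store are a sign of unfinished builds. The following shell snippet is an added example, not code from the thread or from Guix: it audits a store-like directory (the directory itself plus its direct children) for entries whose group-write bit is set. It uses a constructed temporary tree in place of the real /gnu/store, so only the mode bits are reproduced, not ownership by root or guixbuild; the helper and its sample entry names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit a store-like directory for group-writable entries.
# Constructed for illustration; not part of the mailing-list post or of Guix.

# Print the directory DIR and each of its direct children whose mode has the
# group-write bit set (find -perm -020 means "all of these bits are set").
# -prune stops find from descending, so each path is tested on its own.
list_group_writable() {
    dir="$1"
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue
        find "$p" -prune -perm -020 -print
    done | sort
}

# Number of group-writable entries reported for DIR.
count_group_writable() {
    list_group_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed stand-in for /gnu/store in a temporary directory:
# the store itself is 1775 (drwxrwxr-t, writable by the build group),
# one item is a finished output (0755) and one is still being written (0775).
# Ownership by root:guixbuild is not reproduced here; only modes matter.
make_sample_store() {
    store=$(mktemp -d)
    chmod 1775 "$store"
    mkdir "$store/aaa-complete"
    chmod 0755 "$store/aaa-complete"
    mkdir "$store/bbb-inprogress"
    chmod 0775 "$store/bbb-inprogress"
    printf '%s\n' "$store"
}

# Stand-alone use: sh audit_store.sh /gnu/store
if [ $# -gt 0 ]; then
    list_group_writable "$1"
fi
```

Run against a real store, the listing should contain at most the store directory itself (on a non-GuixSD install where the daemon needs it writable) and any output directories a build is currently writing; a finished item that still shows up here is worth a look, since completed store items are expected to be unwritable by the build group.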
