“guix system container” script must run as root
From: Ricardo Wurmus
Subject: “guix system container” script must run as root
Date: Tue, 09 Aug 2022 17:13:28 +0200
User-agent: mu4e 1.8.7; emacs 28.1

Hi Guix,

I see that the container script generated by “guix system container”
must be run as root. Looking at “initialize-user-namespace” in (gnu
build linux-container) there is conditional code to be executed only
when running as an unprivileged user, namely writing to
/proc/pid/setgroups. This makes me think that this was originally meant
to be usable without root privileges.

Without root privileges, write access to /proc/pid/* is denied. The
child process here is the result of issuing a clone syscall.

Why can’t the parent process write to the child’s /proc/pid/* files?

Why does the parent process need to do this at all? Can’t the child
process take care of writing its /proc/self/uid_map?

--
Ricardo
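
Added example, not part of the original message and not Guix's code: a C program showing the ID-mapping steps the message refers to (setgroups, uid_map, gid_map) performed by the process itself through /proc/self after it enters a new user namespace as an unprivileged user. It assumes unshare(2) in place of clone, a mounted /proc, and a kernel that permits unprivileged user namespaces; the function names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write text to a /proc file; returns 0 or -errno. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    int err = write(fd, text, strlen(text)) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* One-line map "<id inside> <id outside> 1": the only shape an
 * unprivileged writer may use, and <outside> must be its own ID. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside) {
    return snprintf(buf, len, "%u %u 1\n", inside, outside);
}

/* Fork a child that enters a new user namespace and maps itself.
 * Returns 0 on success, 1-4 for the step that failed (1 = unshare refused,
 * e.g. user namespaces disabled), 5 if the map did not take effect. */
int self_map_in_child(void) {
    unsigned uid = geteuid(), gid = getegid(); /* IDs before unshare */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char map[32];
        if (unshare(CLONE_NEWUSER) != 0) _exit(1);
        /* gid_map is only writable unprivileged after denying setgroups */
        if (write_file("/proc/self/setgroups", "deny") != 0) _exit(2);
        format_id_map(map, sizeof map, 0, uid);
        if (write_file("/proc/self/uid_map", map) != 0) _exit(3);
        format_id_map(map, sizeof map, 0, gid);
        if (write_file("/proc/self/gid_map", map) != 0) _exit(4);
        _exit(geteuid() == 0 ? 0 : 5); /* we should now appear as UID 0 */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) { printf("result: %d\n", self_map_in_child()); return 0; }
```

A result of 1 means the kernel or sandbox refused the new user namespace; 2 to 4 identify which /proc/self write was rejected.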