guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 9cd3b961e4e530b4361ef25132fc8ee9756aab4b
Author: Ludovic Courtès <[email protected]>
AuthorDate: Thu Jul 10 15:25:29 2025 +0200

    daemon: Consider the current user as trusted.
    
    This allows use of ‘guix gc --verify=repair’ when running guix-daemon as
    an unprivileged user.
    
    * nix/nix-daemon/nix-daemon.cc (acceptConnection): Consider the current
    user as trusted.
    
    Reported-by: David Elsing <[email protected]>
    Change-Id: I559e56cf0640e8dc9bbc510317aa2bdc024ff681
---
 nix/nix-daemon/nix-daemon.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index 9fff31a587..f2ffe8fa6f 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -963,7 +963,10 @@ static void acceptConnection(int fdSocket)
            clientPid = cred.pid;
            clientUid = cred.uid;
            clientGid = cred.gid;
-           trusted = clientUid == 0;
+
+           /* The root user is always trusted; additionally, when running as
+              an unprivileged user, that user is also trusted.  */
+           trusted = (clientUid == 0) || (clientUid == getuid());
 
             struct passwd * pw = getpwuid(cred.uid);
             string user = pw ? pw->pw_name : std::to_string(cred.uid);
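Review bot: The new trust test on the `trusted = ...` line compares the peer's UID with `getuid()`, the daemon's real UID, not the effective UID it actually operates with. If the daemon is ever started with the two differing (through a setuid wrapper, or after a `seteuid` privilege drop; nothing in this hunk shows whether that can happen), the account that gains trusted status would be the invoking user and not the identity the comment describes. Comparing against the effective UID matches the stated intent more closely: `trusted = (clientUid == 0) || (clientUid == geteuid());`. The comment could also say which operations `trusted` unlocks, since the commit message names only `guix gc --verify=repair`. The body of `acceptConnection` starts and ends outside the hunk, so how `cred` is filled in cannot be checked from here.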
