All,

While the builders run in containers, it still feels like a really bad idea. Being able to write to /gnu/store gives one the power to overwrite any binary. Furthermore, it makes grsecurity's TPE mad :(.

So, why exactly does the guixbuild group need write access to this directory? I'd think that the guix-daemon would be responsible for moving finished builds into the store, not the builders themselves. On a related note, why do all builders use guixbuild as their primary group? It would be safer to make guixbuild a supplementary group and give every build user its own primary group. This way, any group-writable files that the build process happens to create will not be writable by all build users.

--
Steven Allen ((Do Not Email <[email protected]>))
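An added audit script, not part of the message or of Guix itself, that checks the two concerns raised above on constructed input: whether the store directory carries the group write bit, and whether the build users share a single primary group. The store path, passwd file and the `guixbuilder` name prefix are assumptions for the demo; on a real host point them at /gnu/store, /etc/passwd and the daemon's actual build-user prefix.

```shell
#!/bin/sh
# Added audit example (not from the original message). It checks the two
# concerns raised above on constructed input: whether the store directory is
# group-writable and whether the build users share one primary group.
# STORE, PASSWD and the user-name prefix are assumptions; on a real Guix host
# point them at /gnu/store, /etc/passwd and the daemon's build-user prefix.

# store_group_writable DIR: succeeds (0) when DIR carries the group write bit,
# i.e. every member of its group could replace files under it.
store_group_writable() {
    set -- $(ls -ld "$1")          # field 1 is the mode string, e.g. drwxrwxr-x
    case $1 in
        ?????w*) return 0 ;;        # 6th character is the group write bit
        *)       return 1 ;;
    esac
}

# shared_primary_gids PASSWD PREFIX: prints each primary GID used by more than
# one build user (names starting with PREFIX). Succeeds when at least one is
# shared, which is the situation the message warns about.
shared_primary_gids() {
    awk -F: -v p="$2" '
        index($1, p) == 1 { n[$4]++ }
        END { found = 0
              for (g in n) if (n[g] > 1) { print g; found = 1 }
              exit !found }' "$1"
}

# Constructed passwd lines: three build users on one primary group (999) and
# one with a private group, plus an unrelated account.
PASSWD=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
guixbuilder01:x:30001:999:Guix build user 01:/var/empty:/usr/sbin/nologin
guixbuilder02:x:30002:999:Guix build user 02:/var/empty:/usr/sbin/nologin
guixbuilder03:x:30003:999:Guix build user 03:/var/empty:/usr/sbin/nologin
guixbuilder04:x:30004:30004:Guix build user 04:/var/empty:/usr/sbin/nologin
EOF
STORE=$(mktemp -d)               # stands in for /gnu/store
chmod 1775 "$STORE"              # sticky, group-writable: the layout questioned above

if store_group_writable "$STORE"; then
    echo "WARN: $STORE is group-writable; group members can replace store items"
fi
if gids=$(shared_primary_gids "$PASSWD" guixbuilder); then
    echo "WARN: build users share primary GID(s): $gids"
fi
rm -rf "$STORE" "$PASSWD"
```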
