On Fri, Jan 22, 2016 at 9:41 AM, Steven Allen <[email protected]> wrote:

> All,
>
> While the builders run in containers, it still feels like a really bad
> idea. Being able to write to /gnu/store gives one the power to overwrite
> any binary. Furthermore, it makes grsecurity's TPE mad :(.

On GuixSD, /gnu/store is mounted *read-only* and remounted read/write for the purposes of the daemon only. So, for any particular build, a build user can *only* write to their specific output directories and nothing else. Note as well that the items in the store are owned by root and cannot be touched. The only user that can trash things is the superuser, if they so choose.

> So, why exactly does the guixbuild group need write access to this
> directory? I'd think that the guix-daemon would be responsible for
> moving finished builds into the store, not the builders themselves.

Builders write directly to their output directories. In GNU terms, this is the directory used for './configure --prefix=/gnu/store/foo'. I don't see an issue with this.

> On a related note, why do all builders use guixbuild as their primary
> group. It would be safer to make guixbuild a supplementary group and
> give every build user its own primary group. This way, any group
> writable files that the build process happens to create will not be
> writable by all build users.

In the long term, it would be cool to just use user namespaces instead of build users, but this would cause issues for a number of Guix users (and some of our donated build slaves) who do not have a new enough kernel. Some day.

- Dave
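An audit check for the two properties argued over in this exchange (whether /gnu/store is mounted read-only, and whether build users share guixbuild as their *primary* group rather than a supplementary one), as an added example that is not code from the thread or from Guix; the mount, passwd and group lines are constructed samples and the guixbuilderNN account names are an assumption.

```python
# Added audit helper (not from the thread or from Guix): checks the two
# properties discussed against /proc/mounts, /etc/passwd and /etc/group
# style text. All sample input below is constructed.

def store_mount_is_read_only(mounts_text, store="/gnu/store"):
    """True if the mount table shows `store` mounted with the `ro` option.

    /proc/mounts fields: source target fstype options dump pass.
    The last matching entry wins (later mounts shadow earlier ones); no
    entry at all means the store is just a directory on a writable root.
    """
    read_only = False
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == store:
            read_only = "ro" in fields[3].split(",")
    return read_only


def gid_of_group(group_text, name):
    """Numeric GID of `name` from /etc/group text, or None if absent."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == name:
            return int(fields[2])
    return None


def users_with_primary_group(passwd_text, group_text, name="guixbuild"):
    """Users whose primary GID (4th passwd field) is the GID of `name`.

    With a shared primary group, any group-writable file one build creates
    is writable by every other build user. The layout Steven proposes
    (own primary group per builder, guixbuild supplementary) yields [].
    """
    gid = gid_of_group(group_text, name)
    if gid is None:
        return []
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows
            if len(f) >= 4 and f[3].isdigit() and int(f[3]) == gid]


# Constructed samples: one read-only bind mount of the store, one without.
MOUNTS_RO = ("/dev/sda1 / ext4 rw,relatime 0 0\n"
             "/dev/sda1 /gnu/store ext4 ro,bind,relatime 0 0\n")
MOUNTS_RW = "/dev/sda1 / ext4 rw,relatime 0 0\n"
GROUP = "guixbuild:x:30000:guixbuilder01,guixbuilder02\n"
PASSWD_SHARED = ("guixbuilder01:x:30001:30000::/var/empty:/usr/sbin/nologin\n"
                 "guixbuilder02:x:30002:30000::/var/empty:/usr/sbin/nologin\n")
PASSWD_SPLIT = ("guixbuilder01:x:30001:30001::/var/empty:/usr/sbin/nologin\n"
                "guixbuilder02:x:30002:30002::/var/empty:/usr/sbin/nologin\n")
```

Run against the real files (`/proc/mounts`, `/etc/passwd`, `/etc/group`) to check a daemon host; a non-empty list from `users_with_primary_group` is the shared-primary-group layout the thread discusses.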
