On 01-22-16, Thompson, David wrote:
> On GuixSD, /gnu/store is mounted *read-only* and remounted read/write
> for the purposes of the daemon only. So, for any particular build, a
> build user can *only* write to their specific output directories and
> nothing else.

Got it. Off to fix the Arch package...

Unfortunately, I doubt this will make grsecurity happy (and TPE is a really nice security feature) because the store *could* be mounted read-write somewhere.

> Note as well that the items in the store are owned by root and cannot
> be touched. The only user that can trash things is the superuser, if
> they so choose.

FYI, in my Arch install (not GuixSD, as far as I can tell), some of the files in /gnu/store/ are owned by the guixbuild group (but not group writable). I assume these are failed in-progress builds (for some reason, Guix on Arch keeps on trying to build gcc on my poor laptop even though I've enabled substitutes, but that's another issue...)

> > So, why exactly does the guixbuild group need write access to this
> > directory? I'd think that the guix-daemon would be responsible for
> > moving finished builds into the store, not the builders themselves.
>
> Builders write directly to their output directories. In GNU terms,
> this is the directory used for './configure --prefix=/gnu/store/foo'.

Then why does /gnu/store need to be writable by the guixbuild group? If the builders can only write to their output directories, e.g. /gnu/store/foo, /gnu/store shouldn't need to be writable by guixbuild.

> I don't see an issue with this.

There isn't any. I was under the impression that store directories were named after the hash of the output, so I was assuming that the guix builder was creating them. Now I understand that they are named after the hash of the inputs, which is *really* cool.

My only reservation with this is that directories in /gnu/store may or may not be "complete" (one could have half-completed builds). However, given that no build can go from complete to in-progress (builds are deterministic so there are no rebuilds), this isn't really a problem as long as programs never assume that all builds in the store are complete.

> > On a related note, why do all builders use guixbuild as their primary
> > group.
>
> In the long term, it would be cool to just use user namespaces...

In the short term, is there any reason not to give each of these users its own group?

-- 
Steven Allen ((Do Not Email <[email protected]>))
signature.asc
Description: PGP signature
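The thread above turns on three permission invariants of a Guix-style store: the store root should not be writable by the build group, store items should be owned by root, and nothing inside an item should be group- or world-writable. The script below is an added example written for this page, not code from Guix or from either participant; it audits a store directory for those invariants. Because the check cannot chown files to root without privileges, `expected_owner` is a parameter, and `build_sample_store()` constructs a throwaway tree (constructed test data, with made-up item names) that deliberately violates the rules so the audit has something to report.

```python
"""Audit a Nix/Guix-style store directory for the permission invariants
discussed in the thread (added example, not Guix's own code):

  1. the store root must not be group- or world-writable;
  2. every top-level store item must be owned by `expected_owner`
     (root on a real system; parameterised here so the check can be
     run against a constructed tree owned by the current user);
  3. nothing inside an item may be group- or world-writable.
"""
import os
import pwd
import stat
import tempfile

GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _owner(st):
    """Map a uid to a user name, falling back to the numeric uid."""
    try:
        return pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        return str(st.st_uid)


def audit_store(store_dir, expected_owner="root"):
    """Return a list of (path, problem) tuples; an empty list means clean."""
    findings = []

    # Rule 1: the store root itself (the directory the thread asks about).
    if os.lstat(store_dir).st_mode & GROUP_OR_WORLD_WRITE:
        findings.append((store_dir, "store-root-writable"))

    for item in sorted(os.listdir(store_dir)):
        top = os.path.join(store_dir, item)

        # Rule 2: ownership of the store item.
        if _owner(os.lstat(top)) != expected_owner:
            findings.append((top, "unexpected-owner"))

        # Rule 3: no writable entries anywhere inside the item.
        paths = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in paths:
            st = os.lstat(path)  # lstat: never follow symlinks out of the item
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on Linux
            if st.st_mode & GROUP_OR_WORLD_WRITE:
                findings.append((path, "writable"))
    return findings


def build_sample_store():
    """Construct a throwaway store tree (constructed test data) with one
    clean item and one item that still has a group-writable scratch
    file, under a group-writable store root. Returns the paths needed
    to check the audit's result. Item names are made up."""
    base = tempfile.mkdtemp()
    store = os.path.join(base, "gnu", "store")
    os.makedirs(store)

    good = os.path.join(store, "abc123-hello-2.10")
    os.makedirs(os.path.join(good, "bin"))
    with open(os.path.join(good, "bin", "hello"), "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(os.path.join(good, "bin", "hello"), 0o555)
    os.chmod(os.path.join(good, "bin"), 0o555)
    os.chmod(good, 0o555)  # finished items are read-only

    bad = os.path.join(store, "def456-inprogress-build")
    os.makedirs(bad)
    leak = os.path.join(bad, "scratch")
    open(leak, "w").close()
    os.chmod(leak, 0o664)  # group-writable leftover from a build
    os.chmod(bad, 0o755)

    os.chmod(store, 0o1775)  # sticky + group-writable store root

    return {
        "store": store,
        "leak": leak,
        "owner": pwd.getpwuid(os.getuid()).pw_name,
    }


if __name__ == "__main__":
    sample = build_sample_store()
    for path, problem in audit_store(sample["store"], sample["owner"]):
        print(f"{problem}: {path}")
```

On a real system run `audit_store("/gnu/store")` as root with the default `expected_owner`; on the constructed tree the owner has to be the current user, since only the superuser can chown to root.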
