> On Jun 13, 2014, at 12:54, Eelco Dolstra <[email protected]> wrote: > > Hi, > >> On 13/06/14 08:12, Ertugrul Söylemez wrote: >> >> The path-rewriting proposal is a very bad idea and will cause a lot of >> breakage. For many/enough applications rewriting will not work at all, >> because they might encode paths in data structures or be using a >> non-UTF8 multi-byte encoding. > > Packages that store paths in UTF-16 don't work with Nix anyway, independent > from > hash rewriting, because Nix finds runtime dependencies by scanning for plain > ASCII hashes. To my knowledge we've never encountered such a package in > Nixpkgs. > > This paper has a small evaluation of hash rewriting: > http://nixos.org/~eelco/pubs/secsharing-ase2005-final.pdf (section 6.1) > >> One simple and safe way to do this would involve using private mounts >> with chrooting: Create a private bind-mount of "/" somewhere, then >> bind-mount the Nix store at "/nix/store". Run the application within a >> chroot in that directory. To the application the Nix store will appear >> to be mounted at "/nix/store". >> >> The drawback of this method is that it requires the administrator to >> allow one SetUID executable for the setup, or perhaps a bunch of entries >> in the fstab. After that no further support from the administrator is >> required. > > Or even better, ask the admin to use pam_namespace: > > http://www.linux-pam.org/Linux-PAM-html/sag-pam_namespace.html > > And hopefully, one day users won't need to be root to do bind mounts. >
I think user namespaces plus mount namespaces means you don't have to be root. > -- > Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/ > _______________________________________________ > nix-dev mailing list > [email protected] > http://lists.science.uu.nl/mailman/listinfo/nix-dev _______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
