From: 韋嘉誠
Subject: Re: Running guix-daemon as an unprivileged user (Was: [PATCH] syscalls: setns: Skip binding if there is no such C function.)
Date: Mon, 17 Aug 2015 17:16:54 +0200
On Mon, Aug 17, 2015 at 4:34 PM, Thompson, David
<address@hidden> wrote:
> On Mon, Aug 17, 2015 at 4:33 AM, Eric Bavier <address@hidden> wrote:
>> On Mon, 17 Aug 2015 14:45:28 +0200
>> Claes Wallin (韋嘉誠) <address@hidden> wrote:
>>> https://www.gnu.org/software/guix/manual/guix.html#Build-Environment-Setup
>>>
>>> "If you are installing Guix as an unprivileged user, it is still
>>> possible to run guix-daemon provided you pass --disable-chroot."
>>>
>>
>> I have experimented with this a bit lately. It works to some extent,
>> but I have had to apply a few patches to some package recipes. Some
>> packages have failing tests (where presumably they would pass or be
>> skipped in the chroot), which I have disabled for the time being just
>> to move along.
>
> I think that to really make unprivileged use of Guix work acceptably,
> we need to use the user namespaces feature first introduced in Linux
> 3.8. This would allow unprivileged users to build software in the
> same type of isolated environments that are used when running the
> daemon as root.
Working at all is acceptable to me.
Do namespaces really work for non-root? That's more awesome than I
expected. But without being able to point out how, it sounds to me
like it could easily be a privilege escalation waiting to happen,
unless you do it as compartmentalized as the Hurd does it ... which
Linux won't.
--
/c
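The mechanism David refers to above (user namespaces, Linux 3.8 and later), shown as an added example that is not part of this thread and not Guix code: an unprivileged process calls unshare(CLONE_NEWUSER), maps its own uid and gid to 0 inside the new namespace, and then checks what that "root" can and cannot do. The helper names (format_id_map, userns_child, probe_unprivileged_userns) and the result codes are my own. The probe runs in a forked child so the calling process keeps its namespaces, and a failing unshare() is reported as "unavailable" rather than as an error, because distributions can switch unprivileged user namespaces off by sysctl or seccomp.

```c
/* Added example, not Guix code: what an unprivileged process can and
 * cannot do after unshare(CLONE_NEWUSER). Linux only, kernel >= 3.8. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000      /* value from <linux/sched.h> */
#endif
int unshare(int flags);               /* glibc declares these only under _GNU_SOURCE */
int sethostname(const char *name, size_t len);

enum ns_result { NS_OK = 0, NS_UNAVAILABLE = 2, NS_CHECK_FAILED = 3 };

/* One line of /proc/PID/uid_map or gid_map: "<inside> <outside> <count>\n".
 * Returns 0, or -1 if the buffer is too small. */
int format_id_map(char *buf, size_t size, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, size, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Write a short string to a /proc/self file; returns 0 or -errno. */
static int write_proc(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ssize_t len = (ssize_t)strlen(text);
    int rc = (write(fd, text, len) == len) ? 0 : -errno;
    close(fd);
    return rc;
}

/* Runs in a forked child so the caller's namespaces are untouched. */
static int userns_child(void)
{
    uid_t outer_uid = getuid();
    gid_t outer_gid = getgid();
    char map[64], host[256];

    /* EPERM: disabled by sysctl or seccomp; EUSERS: namespace limit reached. */
    if (unshare(CLONE_NEWUSER) != 0)
        return NS_UNAVAILABLE;

    /* Since Linux 3.19 an unprivileged writer must deny setgroups() before
     * writing gid_map; ENOENT means an older kernel without that file. */
    int rc = write_proc("/proc/self/setgroups", "deny");
    if (rc != 0 && rc != -ENOENT)
        return NS_CHECK_FAILED;

    /* Map only our own uid/gid to 0; every other id stays unmapped. */
    if (format_id_map(map, sizeof map, 0, outer_uid, 1) != 0 ||
        write_proc("/proc/self/uid_map", map) != 0)
        return NS_CHECK_FAILED;
    if (format_id_map(map, sizeof map, 0, outer_gid, 1) != 0 ||
        write_proc("/proc/self/gid_map", map) != 0)
        return NS_CHECK_FAILED;

    /* Check 1: inside the namespace we are uid 0 ... */
    if (getuid() != 0 || geteuid() != 0)
        return NS_CHECK_FAILED;

    /* Check 2: ... but only mapped ids exist. uid 1 has no mapping, so the
     * kernel cannot translate it and setuid(1) fails with EINVAL. */
    if (setuid(1) == 0 || errno != EINVAL)
        return NS_CHECK_FAILED;

    /* Check 3: capabilities are confined to the new user namespace. The UTS
     * namespace is still owned by the initial user namespace, where we hold
     * no capabilities, so sethostname() fails with EPERM. Passing the current
     * name means nothing changes even if the call did unexpectedly succeed. */
    if (gethostname(host, sizeof host) != 0)
        return NS_CHECK_FAILED;
    host[sizeof host - 1] = '\0';
    if (sethostname(host, strlen(host)) == 0 || errno != EPERM)
        return NS_CHECK_FAILED;

    return NS_OK;
}

/* Fork, run the checks in the child and return its ns_result. */
int probe_unprivileged_userns(void)
{
    pid_t pid = fork();
    if (pid < 0) return NS_CHECK_FAILED;
    if (pid == 0) _exit(userns_child());
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return NS_CHECK_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_unprivileged_userns();
    if (r == NS_OK)
        puts("uid 0 inside the new user namespace; unmapped ids and the host UTS namespace stay out of reach");
    else if (r == NS_UNAVAILABLE)
        puts("unprivileged user namespaces are not available here (sysctl, seccomp or kernel too old)");
    else
        puts("a confinement check failed; inspect the errno handling in userns_child");
    return r == NS_OK ? 0 : 1;
}
```

The two confinement checks are the answer to the question asked in the message: the process is uid 0 inside the namespace, yet setuid(1) fails because uid 1 has no mapping, and sethostname() fails because the capability it needs is checked against the user namespace that owns the UTS namespace, not the new one. Whether that is a sufficient boundary is a separate question; the example only shows the mechanism, which is why it also tolerates unshare() being refused by the administrator's sysctl or seccomp policy.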