guix-devel

“guix system container” script must run as root


From: Ricardo Wurmus
Subject: “guix system container” script must run as root
Date: Tue, 09 Aug 2022 17:13:28 +0200
User-agent: mu4e 1.8.7; emacs 28.1

Hi Guix,

I see that the container script generated by “guix system container”
must be run as root.  Looking at “initialize-user-namespace” in (gnu
build linux-container) there is conditional code to be executed only
when running as an unprivileged user, namely writing to
/proc/pid/setgroups.  This makes me think that this was originally meant
to be usable without root privileges.

Without root privileges write access to /proc/pid/* is denied.  The
child process here is the result of issuing a clone syscall.

Why can’t the parent process write to the child’s /proc/pid/* files?
Why does the parent process need to do this at all?  Can’t the child
process take care of writing its /proc/self/uid_map?

-- 
Ricardo
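
An added example, not part of the message above and not Guix code: a C program in which an unprivileged child enters a new user namespace and writes its own /proc/self/setgroups, gid_map and uid_map, which is the mechanism the questions above concern. It assumes Linux 3.19 or later with unprivileged user namespaces enabled and /proc mounted; the names write_proc, format_id_map, self_mapped_userns and USERNS_FLAG are made up for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define USERNS_FLAG 0x10000000  /* CLONE_NEWUSER, as defined in <linux/sched.h> */
/* Write one string to a /proc file; returns 0 or the errno of the failure. */
static int write_proc(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int err = write(fd, text, strlen(text)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* One-line map: ID `inside` in the new namespace is ID `outside` in the parent. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside) {
    return snprintf(buf, len, "%u %u 1\n", inside, outside);
}

/* The child maps itself to root in a new user namespace. Returns 0 on success,
   otherwise the errno of the step the kernel or its policy refused. */
int self_mapped_userns(void) {
    unsigned uid = geteuid(), gid = getegid();  /* IDs in the parent namespace */
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        char map[32];
        int err = syscall(SYS_unshare, USERNS_FLAG) < 0 ? errno : 0;
        /* An unprivileged gid_map write is refused until setgroups is "deny". */
        if (!err) err = write_proc("/proc/self/setgroups", "deny");
        format_id_map(map, sizeof map, 0, gid);
        if (!err) err = write_proc("/proc/self/gid_map", map);
        format_id_map(map, sizeof map, 0, uid);
        if (!err) err = write_proc("/proc/self/uid_map", map);
        if (!err && (geteuid() != 0 || getegid() != 0)) err = EINVAL;
        _exit(err);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EPERM;  /* killed: refused */
}

int main(void) {
    int r = self_mapped_userns();
    printf("%s\n", r ? strerror(r) : "child mapped itself to uid 0");
    return r != 0;
}
```

Where kernel policy refuses unprivileged user namespaces (a sysctl, seccomp or AppArmor restriction), the function returns the errno of the refused step instead of 0.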


