mirror of https://git.savannah.gnu.org/git/guix.git synced 2026-04-06 21:20:33 +02:00

daemon: Allow running as non-root with unprivileged user namespaces.

Many thanks to Reepca Russelstein for their review and guidance on these
changes.

* nix/libstore/build.cc (guestUID, guestGID): New variables.
(DerivationGoal)[readiness]: New field.
(initializeUserNamespace): New function.
(DerivationGoal::runChild): When ‘readiness.readSide’ is positive, read
from it.
(DerivationGoal::startBuilder): Call ‘chown’
only when ‘buildUser.enabled()’ is true.  Pass CLONE_NEWUSER to ‘clone’
when ‘buildUser.enabled()’ is false or not running as root.  Retry
‘clone’ without CLONE_NEWUSER upon EPERM.
(DerivationGoal::registerOutputs): Make ‘actualPath’ writable before
‘rename’.
(DerivationGoal::deleteTmpDir): Catch ‘SysError’ around ‘_chown’ call.
* nix/libstore/local-store.cc (LocalStore::createUser): Do nothing if
‘dirs’ already exists.  Warn instead of failing when failing to chown
‘dir’.
* guix/substitutes.scm (%narinfo-cache-directory): Check for
‘_NIX_OPTIONS’ rather than getuid() == 0 to determine the cache
location.
* doc/guix.texi (Build Environment Setup): Reorganize a bit.  Add
section headings “Daemon Running as Root” and “The Isolated Build
Environment”.  Add “Daemon Running Without Privileges” subsection.
Remove paragraph about ‘--disable-chroot’.
(Invoking guix-daemon): Warn against ‘--disable-chroot’ and explain why.
* tests/derivations.scm ("builder is outside the store"): New test.

Reviewed-by: Reepca Russelstein <reepca@russelstein.xyz>
Ludovic Courtès
2025-01-22 23:40:24 +01:00
committed by Ludovic Courtès
parent 40f69b586a
commit ae18b3d9e6
5 changed files with 264 additions and 55 deletions


@@ -858,6 +858,20 @@
(call-with-input-file (derivation->output-path drv)
get-string-all))))
(test-assert "builder is outside the store"
;; Ensure that attempts to build derivations whose builder is outside the
;; store are rejected. This is a protection against attacks similar to
;; CVE-2019-5736, which abuse the fact that /proc/self/exe can be opened
;; even when it presents itself as a symlink to a file not in the chroot.
(let* ((builder (add-file-tree-to-store %store
`("builder" symlink "/proc/self/exe")))
(drv (derivation %store "attempt-to-run-guix-daemon" builder '()
#:env-vars
'(("LD_PRELOAD" . "attacker-controlled.so")))))
(guard (c ((store-protocol-error? c) c))
(build-derivations %store (list drv))
#f)))
(define %coreutils
(false-if-exception
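Review bot: the guard closing the new "builder is outside the store" test accepts any store-protocol-error?, so a build that the daemon rejects for an unrelated reason (a failing chroot setup, an unavailable builder, a permission problem in the sandbox) also makes the test pass, and the new rejection path is not actually pinned down. Consider inspecting the caught condition, for example checking that (store-protocol-error-message c) mentions the builder or the store, so that a regression that lets the /proc/self/exe symlink through while some other error fires is still detected. It is also worth noting in the comment that the builder path itself is in the store and only its symlink target lies outside it, since that is exactly the case the check must resolve rather than trust.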