services: guix: Allow ‘guix-daemon’ to run without root privileges.

* gnu/services/base.scm (run-with-writable-store) (guix-ownership-change-program): New procedures. (<guix-configuration>)[privileged?]: New field. (guix-shepherd-service): Rename to… (guix-shepherd-services): … this. Add the ‘guix-ownership’ service. Change ‘guix-daemon’ service to depend on it; when unprivileged, prefix ‘daemon-command’ by ‘run-with-writable-store’ and omit ‘--build-users-group’; adjust socket activation endpoints. (guix-accounts): When unprivileged, create the “guix-daemon” user and group in addition to the others. (guix-service-type)[extensions]: Adjust to name change. * gnu/tests/base.scm (run-guix-daemon-test): Add ‘name’ parameter. (%test-guix-daemon): Adjust accordingly. (%test-guix-daemon-unprivileged): New test. * doc/guix.texi (Base Services): Document ‘privileged?’. (Migrating to the Unprivileged Daemon): Explain that this is automatic on Guix System. Reviewed-by: Maxim Cournoyer <maxim.cournoyer@gmail.com> Change-Id: I28a9a22e617416c551dccb24e43a253b544ba163
2026-04-06 13:10:33 +02:00 · 2025-03-25 17:41:57 +01:00
parent 2c7c059e0b
commit e2583b5a17
3 changed files with 253 additions and 20 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1037,6 +1037,14 @@ number of steps must be taken: creating a new dedicated
 files to @code{guix-daemon}, and ensuring that the @command{guix-daemon}
 program runs as @code{guix-daemon}.

+On Guix System, these steps are carried out automatically when you set
+the @code{privileged?} field of the @code{guix-configuration} record to
+@code{#f} and reconfigure (@pxref{guix-configuration-type,
+@code{guix-configuration}}).
+
+However, on a foreign distribution, the process is manual.  The
+following paragraphs describe what you need to do.
+
@quotation Warning
 Follow the instructions below only after making sure you have a recent
 version of @command{guix-daemon} with support for unprivileged
@@ -20109,6 +20117,36 @@ This data type represents the configuration of the Guix build daemon.
 The Guix package to use.  @xref{Customizing the System-Wide Guix} to
 learn how to provide a package with a pre-configured set of channels.

+@cindex unprivileged @command{guix-daemon}
+@cindex rootless @command{guix-daemon}
+@item @code{privileged?} (default: @code{#t})
+Whether to run @command{guix-daemon} as root.
+
+When true, @command{guix-daemon} runs with root privileges and build
+processes run under unprivileged user accounts as specified by
+@code{build-group} and @code{build-accounts} (see below); when false,
+@command{guix-daemon} run as the @code{guix-daemon} user, which is
+unprivileged, and so do build processes.  The unprivileged or
+``rootless'' mode can reduce the impact of some classes of
+vulnerabilities that could affect the daemon.
+
+The default is currently @code{#t} (@command{guix-daemon} runs with root
+privileges) but may eventually be changed to @code{#f}.
+
+@quotation Warning
+When changing this option, @file{/gnu/store}, @file{/var/guix}, and
+@file{/etc/guix} have their ownership automatically changed by the
+@code{guix-ownership} service to either the @code{guix-daemon} user or
+the @code{root} user (@pxref{unprivileged-daemon-migration}).
+
+This can take a while, especially if @file{/gnu/store} is big; it cannot
+be interrupted and @command{guix-daemon} cannot be used until it has
+completed.
+@end quotation
+
+@xref{Build Environment Setup}, for more information on the two ways to
+run @command{guix-daemon}.
+
@item @code{build-group} (default: @code{"guixbuild"})
 Name of the group for build user accounts.