From e1b7096acdd3dedbdca92a6d20ade94b21d8561d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Fri, 14 Dec 2012 18:15:37 +0100
Subject: [PATCH] daemon: Build `nix-setuid-helper'.

* daemon.am (libexec_PROGRAMS, nix_setuid_helper_SOURCES, nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): New variables.
* test-env.in: Set and export `NIX_SETUID_HELPER'.
* README (Installing Guix as non-root): New section.
---
 .gitignore | 1 +
 README | 27 +++++++++++++++++++++++----
 daemon.am | 10 ++++++++++
 test-env.in | 3 ++-
 4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 8f224467c9..b6786d212b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -63,3 +63,4 @@ stamp-h[0-9]
 /test-tmp
 /nix/scripts/list-runtime-roots
 /test-env
+/nix/nix-setuid-helper/nix-setuid-helper.cc
diff --git a/README b/README
index d2bbfacd5a..09433586be 100644
--- a/README
+++ b/README
@@ -59,10 +59,29 @@ the promise of a build; it is stored as a text file under
 `derivation' primitive, as well as higher-level wrappers such as
 `build-expression->derivation'.
-Guix does remote procedure calls (RPCs) to the Nix daemon (the
-=nix-worker --daemon= command), which in turn performs builds and
-accesses to the Nix store on its behalf. The RPCs are implemented in
-the (guix store) module.
+Guix does remote procedure calls (RPCs) to the Guix or Nix daemon (the
+=guix-daemon= or =nix-daemon= command), which in turn performs builds
+and accesses to the Nix store on its behalf. The RPCs are implemented
+in the (guix store) module.
+
+* Installing Guix as non-root
+
+The Guix daemon allows software builds to be performed under alternate
+user accounts, which are normally created specifically for this
+purpose. For instance, you may have a pool of accounts in the
+=guixbuild= group, and then you can instruct =guix-daemon= to use them
+like this:
+
+ $ guix-daemon --build-users-group=guixbuild
+
+However, unless it is run as root, =guix-daemon= cannot switch users.
+In that case, it falls back to using a setuid-root helper program call
+=nix-setuid-helper=. That program is not setuid-root by default when
+you install it; instead you should run a command along these lines
+(assuming Guix is installed under /usr/local):
+
+ # chown root.root /usr/local/libexec/nix-setuid-helper
+ # chmod 4755 /usr/local/libexec/nix-setuid-helper
 * Contact
diff --git a/daemon.am b/daemon.am
index aa75c6ed29..26b07c4105 100644
--- a/daemon.am
+++ b/daemon.am
@@ -136,6 +136,16 @@ guix_daemon_LDADD = \
 guix_daemon_headers = \
 nix/nix-daemon/shared.hh
+libexec_PROGRAMS = nix-setuid-helper
+nix_setuid_helper_SOURCES = \
+ nix/nix-setuid-helper/nix-setuid-helper.cc
+
+nix_setuid_helper_CPPFLAGS = \
+ $(libutil_a_CPPFLAGS)
+
+nix_setuid_helper_LDADD = \
+ libutil.a libformat.a
+
 noinst_HEADERS = \
 $(libformat_headers) $(libutil_headers) $(libstore_headers) \
 $(guix_daemon_headers)
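Review bot: The new `libexec_PROGRAMS = nix-setuid-helper` target installs the helper as an ordinary 0755 program and records nowhere in daemon.am that this binary is meant to end up setuid-root, which is exactly the property the README section in this same commit tells administrators to grant with `chmod 4755`. A reader of the build file should see that intent, so I would put a comment above the target such as `# Installed without the setuid bit on purpose; granting setuid-root is a manual post-install step (see README) because it is what lets guix-daemon switch to build users when it is not root.` Since the binary is destined to run setuid-root, it is also worth confirming that whatever compiler and linker hardening guix-daemon receives reaches this target too, given that `nix_setuid_helper_CPPFLAGS` inherits only `$(libutil_a_CPPFLAGS)` and nothing from the daemon's own flags. Separately, the .gitignore hunk shows `nix/nix-setuid-helper/nix-setuid-helper.cc` is untracked, so whatever copies or generates that source must run before this target builds; presumably that lives elsewhere in daemon.am, which is outside this hunk.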
diff --git a/test-env.in b/test-env.in
index 4e388053f9..afcf3afedc 100644
--- a/test-env.in
+++ b/test-env.in
@@ -27,6 +27,7 @@ if [ -x "@abs_top_builddir@/guix-daemon" ]
 then
 NIX_SUBSTITUTERS="" # don't resort to substituters
+ NIX_SETUID_HELPER="@abs_top_builddir@/nix-setuid-helper" # normally unused
 NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
 NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
 NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
@@ -42,7 +43,7 @@ then
 export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
 NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
- NIX_ROOT_FINDER
+ NIX_ROOT_FINDER NIX_SETUID_HELPER
 # Do that because store.scm calls `canonicalize-path' on it.
 mkdir -p "$NIX_STORE_DIR"
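Review bot: The `# normally unused` comment on the new `NIX_SETUID_HELPER` assignment says neither why it is unused nor what happens if it is used, and that matters here because the path points at the build-tree binary, which `make` leaves without the setuid bit. I would replace it with `# build-tree copy, not setuid-root: only reached if the test daemon tries to switch build users, and then fails instead of escalating` — the second half is an inference about the daemon's fallback path, which is not in this diff, so confirm it before committing to the wording. The `if ... then` block that holds this assignment starts before the hunk and its end is outside the hunk. The second hunk's `export` addition matches the assignment, so nothing further is needed there.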