From: Florian Thevissen
To: Pjotr Prins
Cc: bug-Guix@gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with elevated privileges (UID 0)
Date: Sat, 16 Feb 2019 10:04:03 +0100

Hi pjotr,

> Did you try something like
>
> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot

Yes, this doesn’t work - with or without the -0 flag.

> That used to work. But maybe no longer?

I tried the new guix binaries (0.16.0), and the ones that were recent
when you wrote the guide (0.13.0), and proot has not, if I see
correctly, significantly changed since then (v.5.1.0).

To me, this looks as if the setup on my particular system had something
special to it that would lead guix to not behave correctly. Here’s a
#guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
https://gnunet.org/bot/log/guix/2017-09-21 .

For the record - this happens on a Debian 4.9.130-2 x86_64 system. I'll
try this out on other systems/VMs today...

On 16/02/19 07:34, Pjotr Prins wrote:
> Did you try something like
>
> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>
> (note the extra -0 and chroot switches) and you should see on a guix package install.
>
> That used to work. But maybe no longer?
>
> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>> Hi,
>>
>> I am trying to get guix to run on a system where I do not have root
>> access, following a guide by pjotrp involving proot, here:
>> [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>> All guix operations that involve the script perform-download fail with
>> the error:
>>
>>   guix perform-download: error: refusing to run with elevated
>>   privileges (UID 0)
>>
>> I am not sure if this hints at a bug in guix itself, but a comment in
>> the guix sources lets me assume so. It says in
>> package-management.scm:355
>>
>>   “Note that scripts like ‘guix perform-download’ do not run as root
>>   (…)”
>>
>> In my setup, following this guide, however, it apparently is run as
>> root, and (assert-low-privileges) in the script perform-download.scm:89
>> acts accordingly by signalling the error and exiting.
>>
>> (By the way - running guix-daemon with proot root privileges fails
>> (-0), and running it without (no -0) fails also.)
>>
>> Now my question: why is perform-download run as root following pjotr's
>> guide, and is there anything that can be done about it?
>>
>> I am a bit at a loss here, being unfamiliar with the guix sources and
>> overall system setup.
>>
>> Looking forward to help, thanks,
>>
>> Florian
>>
>> References
>>
>> 1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
