(name . bug-guix)(address . bug-guix@gnu.org)
Hi,
I'm creating a bug to keep track of a problem that was uncovered when
attempting to migrate the jami-service-type service to use the
least-authority-wrapper [0], to avoid forgetting about it.
It was found that using something like:
  (make-forkexec-constructor
   (least-authority
    (list (file-append coreutils "/bin/true"))
    (mappings (delq 'user %namespaces)))
   ;; The user is changed here, before the wrapper runs.
   #:user "nobody"
   #:group "nobody")
Would fail with EPERM, because in order to be able to drop the user
namespace, the CAP_SYS_ADMIN capability is required, but in the above
case, make-forkexec-constructor has already changed the user to
"nobody", which lacks such capability.
The solution proposed by Ludovic would be to [1]:
> [...] add #:user and #:group to ‘least-authority-wrapper’ and
> have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to
> be modified, but the user simply won’t pass #:user and #:group to it.
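
The EPERM described above can be reproduced outside the Shepherd. The C program below is an added example, not code from this report or from Guix; the unshare_errno helper, the KEEP_ID marker and the uid/gid 65534 for "nobody" are assumptions. It requests namespaces from an unprivileged process first without and then with CLONE_NEWUSER, so the first call needs CAP_SYS_ADMIN and the second does not.

```c
/* Added example, not code from Guix or the Shepherd. */
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEW* flags */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define KEEP_ID ((uid_t) -1)   /* hypothetical marker: do not change uid/gid */

/* In a child process, optionally switch to UID/GID first (the effect of
   passing #:user and #:group to make-forkexec-constructor), then ask for
   the namespaces in FLAGS.  Returns 0 on success, unshare's errno on
   failure, or -1 if the helper could not fork or change identity.  */
int unshare_errno(int flags, uid_t uid, gid_t gid)
{
    int fds[2], result = -1;
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        close(fds[0]);
        if (uid != KEEP_ID && (setgid(gid) != 0 || setuid(uid) != 0))
            result = -1;                       /* switching needs root */
        else                                   /* raw syscall: no _GNU_SOURCE needed */
            result = syscall(SYS_unshare, flags) == 0 ? 0 : errno;
        if (write(fds[1], &result, sizeof result) != sizeof result)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (pid < 0 || read(fds[0], &result, sizeof result) != sizeof result)
        result = -1;
    close(fds[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    /* As root, drop to 65534 ("nobody" on many systems; an assumption). */
    uid_t id = geteuid() == 0 ? 65534 : KEEP_ID;
    int others = CLONE_NEWNS | CLONE_NEWIPC | CLONE_NEWUTS;
    int without = unshare_errno(others, id, id);
    int with = unshare_errno(others | CLONE_NEWUSER, id, id);
    printf("without CLONE_NEWUSER: %s\n", without > 0 ? strerror(without) : without ? "setup failed" : "ok");
    printf("with CLONE_NEWUSER:    %s\n", with > 0 ? strerror(with) : with ? "setup failed" : "ok");
    return 0;
}
```

The second call can still fail on systems where unprivileged user namespaces are disabled or the sandbox filters unshare.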