Hi, I'm creating a bug to keep track of a problem that was uncovered when attempting to migrate the jami-service-type service to use the least-authority-wrapper [0], to avoid forgetting about it. It was found that using something like: --8<---------------cut here---------------start------------->8--- (make-forkexec-constructor (least-authority (list (file-append coreutils "/bin/true")) (mappings (delq 'user %namespaces)) #:user "nobody" #:group "nobody")) --8<---------------cut here---------------end--------------->8--- Would fail with EPERM, because in order to be able to drop the user namespace, the CAP_SYS_ADMIN capability is required, but in the above case, make-forkexec-constructor has already changed the user to "nobody", which lacks such capability. The solution proposed by Ludovic in would be to [1]: > [...] add #:user and #:group to ‘least-authority-wrapper’ and > have it call setuid/setgid. ‘make-forkexec-constructor’ doesn’t need to > be modified, but the user simply won’t pass #:user and #:group to it. [0] https://issues.guix.gnu.org/54786#16 [1] https://issues.guix.gnu.org/54786#17 -- Thanks, Maxim