pull: Fail if cache directory ownership is suspect.

New users frequently run ‘sudo guix pull’ which breaks subsequent unprivileged ‘guix pull’s until manually fixed with chmod -R. * guix/scripts/pull.scm (guix-pull): Fail if the cache directory (or its innermost extant parent) is not owned by the user pulling the Guix, with a hint about ‘sudo -i’.
2022-06-05 02:00:05 +02:00 · 2022-06-05 02:00:05 +02:00 · 7c52cad046
commit 7c52cad046
parent 34c7c922f5
1 changed files with 28 additions and 0 deletions
--- a/guix/scripts/pull.scm
+++ b/guix/scripts/pull.scm
@ -49,6 +49,7 @@
  #:autoload   (gnu packages bootstrap) (%bootstrap-guile)
  #:autoload   (gnu packages certs) (le-certs)
  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-11)
  #:use-module (srfi srfi-26)
  #:use-module (srfi srfi-34)
  #:use-module (srfi srfi-35)
@ -810,6 +811,33 @@ Use '~/.config/guix/channels.scm' instead."))
        ((assoc-ref opts 'generation)
         (process-generation-change opts profile))
        (else
+         ;; Bail out early when users accidentally run, e.g., ’sudo guix pull’.
+         ;; If CACHE-DIRECTORY doesn't yet exist, test where it would end up.
+         (let-values (((stats dir) (let loop ((dir (cache-directory)))
+                                     (let ((stats (stat dir #f)))
+                                       (if stats
+                                           (values stats dir)
+                                           (loop (dirname dir)))))))
+           (let ((dir:uid (stat:uid stats))
+                 (our:uid (getuid)))
+             (unless (= dir:uid our:uid)
+               (let* ((user (lambda (uid)    ; handle the unthinkable invalid UID
+                              (or (false-if-exception (passwd:name
+                                                       (getpwuid uid)))
+                                  uid)))
+                      (our:user (user our:uid))
+                      (dir:user (user dir:uid)))
+                 (raise
+                  (condition
+                   (&message
+                    (message
+                     (format #f (G_ "directory ‘~a’ is not owned by user ~a")
+                             dir dir:user)))
+                   (&fix-hint
+                    (hint
+                     (format #f (G_ "You should run this command as ~a; use ‘sudo -i’ or equivalent if you really want to pull as ~a.")
+                             dir:user our:user)))))))))
+
         (with-store store
           (with-status-verbosity (assoc-ref opts 'verbosity)
             (parameterize ((%current-system (assoc-ref opts 'system))