daemon: Build `nix-setuid-helper'.
* daemon.am (libexec_PROGRAMS, nix_setuid_helper_SOURCES,
  nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): New variables.
* test-env.in: Set and export `NIX_SETUID_HELPER'.
* README (Installing Guix as non-root): New section.

master
parent b3a53fb361
commit e1b7096acd
@ -63,3 +63,4 @@ stamp-h[0-9]
|
||||||
/test-tmp
|
/test-tmp
|
||||||
/nix/scripts/list-runtime-roots
|
/nix/scripts/list-runtime-roots
|
||||||
/test-env
|
/test-env
|
||||||
|
/nix/nix-setuid-helper/nix-setuid-helper.cc
|
||||||
|
|
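Review bot: ignoring nix/nix-setuid-helper/nix-setuid-helper.cc in .gitignore while daemon.am compiles that same path as nix_setuid_helper_SOURCES means a clean checkout has no copy of the file until it is brought in from somewhere else, so a fresh build stops on a missing source; the commit message should state where the file comes from (or the ignore rule should be dropped if the source is meant to be committed).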
27 README
@ -59,10 +59,29 @@ the promise of a build; it is stored as a text file under
|
||||||
`derivation' primitive, as well as higher-level wrappers such as
|
`derivation' primitive, as well as higher-level wrappers such as
|
||||||
`build-expression->derivation'.
|
`build-expression->derivation'.
|
||||||
|
|
||||||
Guix does remote procedure calls (RPCs) to the Nix daemon (the
|
Guix does remote procedure calls (RPCs) to the Guix or Nix daemon (the
|
||||||
=nix-worker --daemon= command), which in turn performs builds and
|
=guix-daemon= or =nix-daemon= command), which in turn performs builds
|
||||||
accesses to the Nix store on its behalf. The RPCs are implemented in
|
and accesses to the Nix store on its behalf. The RPCs are implemented
|
||||||
the (guix store) module.
|
in the (guix store) module.
|
||||||
|
|
||||||
|
* Installing Guix as non-root
|
||||||
|
|
||||||
|
The Guix daemon allows software builds to be performed under alternate
|
||||||
|
user accounts, which are normally created specifically for this
|
||||||
|
purpose. For instance, you may have a pool of accounts in the
|
||||||
|
=guixbuild= group, and then you can instruct =guix-daemon= to use them
|
||||||
|
like this:
|
||||||
|
|
||||||
|
$ guix-daemon --build-users-group=guixbuild
|
||||||
|
|
||||||
|
However, unless it is run as root, =guix-daemon= cannot switch users.
|
||||||
|
In that case, it falls back to using a setuid-root helper program call
|
||||||
|
=nix-setuid-helper=. That program is not setuid-root by default when
|
||||||
|
you install it; instead you should run a command along these lines
|
||||||
|
(assuming Guix is installed under /usr/local):
|
||||||
|
|
||||||
|
# chown root.root /usr/local/libexec/nix-setuid-helper
|
||||||
|
# chmod 4755 /usr/local/libexec/nix-setuid-helper
|
||||||
|
|
||||||
* Contact
|
* Contact
|
||||||
|
|
||||||
|
|
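Review bot: `chmod 4755` in the new "Installing Guix as non-root" section makes the setuid-root helper executable by every local user, although the text only needs it for the account `guix-daemon` runs as (the helper exists so the daemon can switch to build users when it is not root); suggest recommending a tighter mode, for example group-owned by the daemon's group with `chmod 4750`, so that no other user can invoke a setuid binary directly. Two smaller points in the same hunk: `chown root.root` uses the old dot separator and `root:root` is the portable form, and "a setuid-root helper program call =nix-setuid-helper=" should read "called".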
10 daemon.am
@ -136,6 +136,16 @@ guix_daemon_LDADD = \
|
||||||
guix_daemon_headers = \
|
guix_daemon_headers = \
|
||||||
nix/nix-daemon/shared.hh
|
nix/nix-daemon/shared.hh
|
||||||
|
|
||||||
|
libexec_PROGRAMS = nix-setuid-helper
|
||||||
|
nix_setuid_helper_SOURCES = \
|
||||||
|
nix/nix-setuid-helper/nix-setuid-helper.cc
|
||||||
|
|
||||||
|
nix_setuid_helper_CPPFLAGS = \
|
||||||
|
$(libutil_a_CPPFLAGS)
|
||||||
|
|
||||||
|
nix_setuid_helper_LDADD = \
|
||||||
|
libutil.a libformat.a
|
||||||
|
|
||||||
noinst_HEADERS = \
|
noinst_HEADERS = \
|
||||||
$(libformat_headers) $(libutil_headers) $(libstore_headers) \
|
$(libformat_headers) $(libutil_headers) $(libstore_headers) \
|
||||||
$(guix_daemon_headers)
|
$(guix_daemon_headers)
|
||||||
|
|
|
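Review bot: `libexec_PROGRAMS = nix-setuid-helper` installs the helper with ordinary permissions, which matches the README's intent, but nothing in daemon.am records that the binary is expected to be made setuid-root by the administrator afterwards; a one-line comment above the variable pointing at the README's "Installing Guix as non-root" section would keep packagers from either forgetting the step or adding an install hook that sets the bit unconditionally.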
@ -27,6 +27,7 @@
|
||||||
if [ -x "@abs_top_builddir@/guix-daemon" ]
|
if [ -x "@abs_top_builddir@/guix-daemon" ]
|
||||||
then
|
then
|
||||||
NIX_SUBSTITUTERS="" # don't resort to substituters
|
NIX_SUBSTITUTERS="" # don't resort to substituters
|
||||||
|
NIX_SETUID_HELPER="@abs_top_builddir@/nix-setuid-helper" # normally unused
|
||||||
NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
|
NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
|
||||||
NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
|
NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
|
||||||
NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
|
NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
|
||||||
|
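Review bot: the `# normally unused` comment on NIX_SETUID_HELPER would be more useful if it said why: the build-tree binary is not setuid-root, so the test daemon must never reach the fallback the README describes (switching users when it is not root), and if it did the helper would simply fail; a comment such as `# not setuid; the test daemon must not fall back to it` makes that expectation explicit.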
@ -42,7 +43,7 @@ then
|
||||||
|
|
||||||
export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
|
export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
|
||||||
NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
|
NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
|
||||||
NIX_ROOT_FINDER
|
NIX_ROOT_FINDER NIX_SETUID_HELPER
|
||||||
|
|
||||||
# Do that because store.scm calls `canonicalize-path' on it.
|
# Do that because store.scm calls `canonicalize-path' on it.
|
||||||
mkdir -p "$NIX_STORE_DIR"
|
mkdir -p "$NIX_STORE_DIR"
|
||||||
|
|