daemon: Build `nix-setuid-helper'.

* daemon.am (libexec_PROGRAMS, nix_setuid_helper_SOURCES,
  nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): New variables.
* test-env.in: Set and export `NIX_SETUID_HELPER'.
* README (Installing Guix as non-root): New section.
This commit is contained in:
Ludovic Courtès 2012-12-14 18:15:37 +01:00
parent b3a53fb361
commit e1b7096acd
4 changed files with 36 additions and 5 deletions

1
.gitignore vendored
View File

@ -63,3 +63,4 @@ stamp-h[0-9]
/test-tmp /test-tmp
/nix/scripts/list-runtime-roots /nix/scripts/list-runtime-roots
/test-env /test-env
/nix/nix-setuid-helper/nix-setuid-helper.cc

27
README
View File

@ -59,10 +59,29 @@ the promise of a build; it is stored as a text file under
`derivation' primitive, as well as higher-level wrappers such as `derivation' primitive, as well as higher-level wrappers such as
`build-expression->derivation'. `build-expression->derivation'.
Guix does remote procedure calls (RPCs) to the Nix daemon (the Guix does remote procedure calls (RPCs) to the Guix or Nix daemon (the
=nix-worker --daemon= command), which in turn performs builds and =guix-daemon= or =nix-daemon= command), which in turn performs builds
accesses to the Nix store on its behalf. The RPCs are implemented in and accesses to the Nix store on its behalf. The RPCs are implemented
the (guix store) module. in the (guix store) module.
* Installing Guix as non-root
The Guix daemon allows software builds to be performed under alternate
user accounts, which are normally created specifically for this
purpose. For instance, you may have a pool of accounts in the
=guixbuild= group, and then you can instruct =guix-daemon= to use them
like this:
$ guix-daemon --build-users-group=guixbuild
However, unless it is run as root, =guix-daemon= cannot switch users.
In that case, it falls back to using a setuid-root helper program call
=nix-setuid-helper=. That program is not setuid-root by default when
you install it; instead you should run a command along these lines
(assuming Guix is installed under /usr/local):
# chown root.root /usr/local/libexec/nix-setuid-helper
# chmod 4755 /usr/local/libexec/nix-setuid-helper
* Contact * Contact

View File

@ -136,6 +136,16 @@ guix_daemon_LDADD = \
guix_daemon_headers = \ guix_daemon_headers = \
nix/nix-daemon/shared.hh nix/nix-daemon/shared.hh
libexec_PROGRAMS = nix-setuid-helper
nix_setuid_helper_SOURCES = \
nix/nix-setuid-helper/nix-setuid-helper.cc
nix_setuid_helper_CPPFLAGS = \
$(libutil_a_CPPFLAGS)
nix_setuid_helper_LDADD = \
libutil.a libformat.a
noinst_HEADERS = \ noinst_HEADERS = \
$(libformat_headers) $(libutil_headers) $(libstore_headers) \ $(libformat_headers) $(libutil_headers) $(libstore_headers) \
$(guix_daemon_headers) $(guix_daemon_headers)

View File

@ -27,6 +27,7 @@
if [ -x "@abs_top_builddir@/guix-daemon" ] if [ -x "@abs_top_builddir@/guix-daemon" ]
then then
NIX_SUBSTITUTERS="" # don't resort to substituters NIX_SUBSTITUTERS="" # don't resort to substituters
NIX_SETUID_HELPER="@abs_top_builddir@/nix-setuid-helper" # normally unused
NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
NIX_STORE_DIR="@GUIX_TEST_ROOT@/store" NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var" NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
@ -42,7 +43,7 @@ then
export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \ export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \ NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
NIX_ROOT_FINDER NIX_ROOT_FINDER NIX_SETUID_HELPER
# Do that because store.scm calls `canonicalize-path' on it. # Do that because store.scm calls `canonicalize-path' on it.
mkdir -p "$NIX_STORE_DIR" mkdir -p "$NIX_STORE_DIR"