GNU bug report logs - #34494
proot-based non-root setup: refusing to run with elevated privileges (UID 0)

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 34494 in the body.
You can then email your comments to 34494 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Florian Thevissen <mail <at> florian-thevissen.de>
To: bug-Guix <at> gnu.org
Subject: proot-based non-root setup: refusing to run with elevated privileges
 (UID 0)
Date: Fri, 15 Feb 2019 21:39:21 +0100

[Message part 1 (text/plain, inline)]

Hi,

I am trying to get guix to run on a system where I do not have root 
access, following a guide by pjotrp involving proot, here: 
https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .

All guix operations that involve the script perform-download fail with 
the error:

   guix perform-download: error: refusing to run with elevated
   privileges (UID 0)

I am not sure if this hints at a bug in guix itself, but a comment in 
the guix sources lets me assume so. It says in package-management.scm:355

   “Note that scripts like ‘guix perform-download’ do not run as root (…)”

In my setup, following this guide, however, it apparently is run as 
root, and (assert-low-privileges) in the script perform-download.scm:89 
acts accordingly by signalling the error and exiting.

(By the way - running guix-daemon with proot root privileges fails (-0), 
and running it without (no -0) fails also.)

Now my question: why is perform-download run as root following pjotrs 
guide, and is there anything that can be done about it?

I am a bit at a loss here, being unfamiliar with the guix sources and 
overall system setup.

Looking forward to help, thanks,

Florian

​

[Message part 2 (text/html, inline)]

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Pjotr Prins <pjotr.public12 <at> thebird.nl>
To: Florian Thevissen <mail <at> florian-thevissen.de>
Cc: bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Sat, 16 Feb 2019 07:34:52 +0100

Did you try something like

proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot

(note the extra -0 and chroot switches) and you should see on a guix package install.

That used to work. But maybe no longer?

On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>    Hi,
> 
>    I am trying to get guix to run on a system where I do not have root
>    access, following a guide by pjotrp involving proot, here:
>    [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
> 
>    All guix operations that involve the script perform-download fail with
>    the error:
> 
>      guix perform-download: error: refusing to run with elevated
>      privileges (UID 0)
> 
>    I am not sure if this hints at a bug in guix itself, but a comment in
>    the guix sources lets me assume so. It says in
>    package-management.scm:355
> 
>      “Note that scripts like ‘guix perform-download’ do not run as root
>      (…)”
> 
>    In my setup, following this guide, however, it apparently is run as
>    root, and (assert-low-privileges) in the script perform-download.scm:89
>    acts accordingly by signalling the error and exiting.
> 
>    (By the way - running guix-daemon with proot root privileges fails
>    (-0), and running it without (no -0) fails also.)
> 
>    Now my question: why is perform-download run as root following pjotrs
>    guide, and is there anything that can be done about it?
> 
>    I am a bit at a loss here, being unfamiliar with the guix sources and
>    overall system setup.
> 
>    Looking forward to help, thanks,
> 
>    Florian
>    ​
> 
> References
> 
>    1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Florian Thevissen <mail <at> florian-thevissen.de>
To: Pjotr Prins <pjotr.public12 <at> thebird.nl>
Cc: bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Sat, 16 Feb 2019 10:04:03 +0100

[Message part 1 (text/plain, inline)]

Hi pjotr,

   Did you try something like

   proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
   gnu/store/vir3l..-guix-0.x/bin/guix-daemon —disable-chroot

Yes, this doesn’t work - with or without the -0 flag.

   That used to work. But maybe no longer?

I tried the new guix binaries (0.16.0), and the ones that were recent 
when you wrote the guide (0.13.0), and proot has not, if I see 
correctly, significantly changed since then (v.5.1.0).

To me, this looks as if the setup on my particular system had something 
special to it that would lead guix to not behave correctly. Here’s a 
#guix chat-log, where Saone (at 00:25:29) comes to the same conclusion: 
https://gnunet.org/bot/log/guix/2017-09-21 .

For the record - this happens on an Debian 4.9.130-2 x86_64 system. I'll 
try this out on other systems/VMs today...



On 16/02/19 07:34, Pjotr Prins wrote:

> Did you try something like
>
> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>
> (note the extra -0 and chroot switches) and you should see on a guix package install.
>
> That used to work. But maybe no longer?
>
> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>>     Hi,
>>
>>     I am trying to get guix to run on a system where I do not have root
>>     access, following a guide by pjotrp involving proot, here:
>>     [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>>     All guix operations that involve the script perform-download fail with
>>     the error:
>>
>>       guix perform-download: error: refusing to run with elevated
>>       privileges (UID 0)
>>
>>     I am not sure if this hints at a bug in guix itself, but a comment in
>>     the guix sources lets me assume so. It says in
>>     package-management.scm:355
>>
>>       “Note that scripts like ‘guix perform-download’ do not run as root
>>       (…)”
>>
>>     In my setup, following this guide, however, it apparently is run as
>>     root, and (assert-low-privileges) in the script perform-download.scm:89
>>     acts accordingly by signalling the error and exiting.
>>
>>     (By the way - running guix-daemon with proot root privileges fails
>>     (-0), and running it without (no -0) fails also.)
>>
>>     Now my question: why is perform-download run as root following pjotrs
>>     guide, and is there anything that can be done about it?
>>
>>     I am a bit at a loss here, being unfamiliar with the guix sources and
>>     overall system setup.
>>
>>     Looking forward to help, thanks,
>>
>>     Florian
>>     ​
>>
>> References
>>
>>     1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

​

[Message part 2 (text/html, inline)]

Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Florian Thevissen <mail <at> florian-thevissen.de>
To: Pjotr Prins <pjotr2019 <at> thebird.nl>
Cc: ludo <at> gnu.org, bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Sat, 16 Feb 2019 11:07:42 +0100

[Message part 1 (text/plain, inline)]

Thanks, Pjotr.

So I got it working on one system out of four, following the exact same 
steps each time:

 * Debian 9 (Stretch) - 4.9.130-2 x86_64 (real system) - *_fail_*
 * Ubuntu 17.10 (Artful Aardvark) - 4.13.0-46-lowlatency (real system)
         - _*fail*_
 * Ubuntu 14.04 (Trusty Tahr)  - 4.4.0-31-generic - _*fail*_
 * Debian 9 (Stretch) - 4.9.0-8-amd64 (VM)    - _*works*_

I don't know what the significant differentiating factor could be, that 
lets guix behave correctly on that one debian system but not on the others.

But what I also noticed, is that the "list of substitutes" is also not 
being updated on the three failing systems. Is the update process using 
the download script internally, maybe, and that silently fails? Or maybe 
this hints at another problem?

I fear there's nothing more I can immediately do. @Ludo - can you help?



On 16/02/19 10:17, Pjotr Prins wrote:
> Sorry about that.
>
> If you get it to work, do update the document - or me by E-mail. Maybe
> Ludo has something to say about this.
>
> Pj.
>
> On Sat, Feb 16, 2019 at 10:04:03AM +0100, Florian Thevissen wrote:
>>     Hi pjotr,
>>
>>       Did you try something like
>>
>>       proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
>>       gnu/store/vir3l..-guix-0.x/bin/guix-daemon —disable-chroot
>>
>>     Yes, this doesn’t work - with or without the -0 flag.
>>
>>       That used to work. But maybe no longer?
>>
>>     I tried the new guix binaries (0.16.0), and the ones that were recent
>>     when you wrote the guide (0.13.0), and proot has not, if I see
>>     correctly, significantly changed since then (v.5.1.0).
>>
>>     To me, this looks as if the setup on my particular system had something
>>     special to it that would lead guix to not behave correctly. Here’s a
>>     #guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
>>     [1]https://gnunet.org/bot/log/guix/2017-09-21 .
>>     For the record - this happens on an Debian 4.9.130-2 x86_64 system.
>>     I'll try this out on other systems/VMs today...
>>
>>     On 16/02/19 07:34, Pjotr Prins wrote:
>>
>> Did you try something like
>>
>> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/v
>> ir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>>
>> (note the extra -0 and chroot switches) and you should see on a guix package ins
>> tall.
>>
>> That used to work. But maybe no longer?
>>
>> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>>
>>     Hi,
>>
>>     I am trying to get guix to run on a system where I do not have root
>>     access, following a guide by pjotrp involving proot, here:
>>     [1][2]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>>     All guix operations that involve the script perform-download fail with
>>     the error:
>>
>>       guix perform-download: error: refusing to run with elevated
>>       privileges (UID 0)
>>
>>     I am not sure if this hints at a bug in guix itself, but a comment in
>>     the guix sources lets me assume so. It says in
>>     package-management.scm:355
>>
>>       “Note that scripts like ‘guix perform-download’ do not run as root
>>       (…)”
>>
>>     In my setup, following this guide, however, it apparently is run as
>>     root, and (assert-low-privileges) in the script perform-download.scm:89
>>     acts accordingly by signalling the error and exiting.
>>
>>     (By the way - running guix-daemon with proot root privileges fails
>>     (-0), and running it without (no -0) fails also.)
>>
>>     Now my question: why is perform-download run as root following pjotrs
>>     guide, and is there anything that can be done about it?
>>
>>     I am a bit at a loss here, being unfamiliar with the guix sources and
>>     overall system setup.
>>
>>     Looking forward to help, thanks,
>>
>>     Florian
>>     ​
>>
>> References
>>
>>     1. [3]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>>
>>     ​
>>
>> References
>>
>>     1. https://gnunet.org/bot/log/guix/2017-09-21
>>     2. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>>     3. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

[Message part 2 (text/html, inline)]

Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Florian Thevissen <mail <at> florian-thevissen.de>
Cc: bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Mon, 04 Mar 2019 22:45:41 +0100

Hi Florian,

Florian Thevissen <mail <at> florian-thevissen.de> skribis:

> I am trying to get guix to run on a system where I do not have root
> access, following a guide by pjotrp involving proot, here:
> https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .

Not really answering your question, but would user namespaces be an
option for you?

If so,
<https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
might be a simpler option.

Thanks,
Ludo’.

Message #20 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Florian Thevissen <mail <at> florian-thevissen.de>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Tue, 5 Mar 2019 19:57:42 +0100

[Message part 1 (text/plain, inline)]

Hi Ludovic,

   Not really answering your question, but would user namespaces be an
   option for you? If so,
   <https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
   might be a simpler option.

Thank you for the suggestion, this does look interesting.

However, the original use-case of using guix in a non-root scenario is 
no longer relevant to me: I was convincing enough to get guix 
root-installed on all relevant machines on which I do not have root 
access. So I can enjoy guix properly, now.

However, I could very well imagine guix to be used on a per-user basis, 
acting on some sub-directory of $HOME. Afterall, many (most?) 
desktop-systems are used by a single user - or so I would argue…

On the original topic - I recently learned that the mechanisms proot 
employs might just not work on all systems. So the issue may not per-se 
have been with guix, but with proot. I’m no expert on the subject 
though, and didn’t dig deeper yet.

Best regards,
Florian

​

[Message part 2 (text/html, inline)]

Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Florian Thevissen <mail <at> florian-thevissen.de>
Cc: bug-Guix <at> gnu.org
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Wed, 06 Mar 2019 17:00:34 +0100

Hi Florian,

Florian Thevissen <mail <at> florian-thevissen.de> skribis:

> Hi Ludovic,
>
>    Not really answering your question, but would user namespaces be an
>    option for you? If so,
>    <https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
>    might be a simpler option.
>
> Thank you for the suggestion, this does look interesting.
>
> However, the original use-case of using guix in a non-root scenario is
> no longer relevant to me: I was convincing enough to get guix
> root-installed on all relevant machines on which I do not have root
> access. So I can enjoy guix properly, now.

Well, congrats.  :-)

Note that <https://guix-hpc.bordeaux.inria.fr/blog> has some thoughts on
non-root usage that may be of interest to you.

> However, I could very well imagine guix to be used on a per-user
> basis, acting on some sub-directory of $HOME. Afterall, many (most?)
> desktop-systems are used by a single user - or so I would argue…

I agree that non-root usage would be useful; it’s just that the kernel
Linux doesn’t make it easy, unless user namespaces are enabled…

Thanks,
Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.