GNU bug report logs - #34494
proot-based non-root setup: refusing to run with elevated privileges (UID 0)


Package: guix; Reported by: Florian Thevissen <mail@HIDDEN>; Keywords: notabug; Done: Ludovic Courtès <ludo@HIDDEN>; Maintainer for guix is bug-guix@HIDDEN.
bug closed, send any further explanations to 34494 <at> debbugs.gnu.org and Florian Thevissen <mail@HIDDEN> Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Added tag(s) notabug. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Florian Thevissen <mail@HIDDEN>
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Wed, 06 Mar 2019 17:00:34 +0100

Hi Florian,

Florian Thevissen <mail@HIDDEN> skribis:

> Hi Ludovic,
>
>    Not really answering your question, but would user namespaces be an
>    option for you? If so,
>    <https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
>    might be a simpler option.
>
> Thank you for the suggestion, this does look interesting.
>
> However, the original use-case of using guix in a non-root scenario is
> no longer relevant to me: I was convincing enough to get guix
> root-installed on all relevant machines on which I do not have root
> access. So I can enjoy guix properly, now.

Well, congrats.  :-)

Note that <https://guix-hpc.bordeaux.inria.fr/blog> has some thoughts on
non-root usage that may be of interest to you.

> However, I could very well imagine guix to be used on a per-user
> basis, acting on some sub-directory of $HOME. After all, many (most?)
> desktop-systems are used by a single user - or so I would argue…

I agree that non-root usage would be useful; it’s just that the kernel
Linux doesn’t make it easy, unless user namespaces are enabled…

Thanks,
Ludo’.
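
Whether the user-namespace route mentioned above is open on a given machine can be read from /proc before trying it. The following is an added example, not part of the original thread and not Guix code; the function name `userns_status`, its status strings and the optional root-prefix argument (used only to run the logic against a constructed directory tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not Guix code).
# userns_status [ROOT] prints one of:
#   unsupported         no /proc/self/ns/user: kernel built without user namespaces
#   disabled-by-sysctl  kernel.unprivileged_userns_clone is 0 (Debian/Ubuntu kernel patch)
#   disabled-by-limit   user.max_user_namespaces is 0 (mainline knob, Linux >= 4.9)
#   enabled             neither switch blocks unprivileged use
# ROOT is a hypothetical path prefix for testing; leave it empty to inspect
# the real /proc of the machine.
userns_status() {
    root=${1:-}
    ns_link="$root/proc/self/ns/user"
    clone_knob="$root/proc/sys/kernel/unprivileged_userns_clone"
    max_knob="$root/proc/sys/user/max_user_namespaces"

    # Without this entry the kernel has no user namespace support at all.
    if [ ! -e "$ns_link" ]; then
        echo unsupported
        return 0
    fi
    # Distribution-specific switch; absent on kernels without the patch.
    if [ -r "$clone_knob" ] && [ "$(cat "$clone_knob")" = 0 ]; then
        echo disabled-by-sysctl
        return 0
    fi
    # Per-user-namespace limit; a value of 0 forbids creating any.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = 0 ]; then
        echo disabled-by-limit
        return 0
    fi
    echo enabled
}

# Report for the machine this runs on.
echo "unprivileged user namespaces: $(userns_status)"
```

An `enabled` result only means these two switches do not block it; seccomp filters or LSM policy can still deny the call.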




Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
To: Ludovic Courtès <ludo@HIDDEN>
From: Florian Thevissen <mail@HIDDEN>
Date: Tue, 5 Mar 2019 19:57:42 +0100

Hi Ludovic,

    Not really answering your question, but would user namespaces be an
    option for you? If so,
    <https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
    might be a simpler option.

Thank you for the suggestion, this does look interesting.

However, the original use-case of using guix in a non-root scenario is
no longer relevant to me: I was convincing enough to get guix
root-installed on all relevant machines on which I do not have root
access. So I can enjoy guix properly, now.

However, I could very well imagine guix to be used on a per-user basis,
acting on some sub-directory of $HOME. After all, many (most?)
desktop-systems are used by a single user - or so I would argue…

On the original topic - I recently learned that the mechanisms proot
employs might just not work on all systems. So the issue may not per se
have been with guix, but with proot. I’m no expert on the subject
though, and didn’t dig deeper yet.

Best regards,
Florian





Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Florian Thevissen <mail@HIDDEN>
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Date: Mon, 04 Mar 2019 22:45:41 +0100

Hi Florian,

Florian Thevissen <mail@HIDDEN> skribis:

> I am trying to get guix to run on a system where I do not have root
> access, following a guide by pjotrp involving proot, here:
> https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .

Not really answering your question, but would user namespaces be an
option for you?

If so,
<https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
might be a simpler option.

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
To: Pjotr Prins <pjotr2019@HIDDEN>
From: Florian Thevissen <mail@HIDDEN>
Date: Sat, 16 Feb 2019 11:07:42 +0100

Thanks, Pjotr.

So I got it working on one system out of four, following the exact same
steps each time:

  * Debian 9 (Stretch) - 4.9.130-2 x86_64 (real system) - *_fail_*
  * Ubuntu 17.10 (Artful Aardvark) - 4.13.0-46-lowlatency (real system)
    - _*fail*_
  * Ubuntu 14.04 (Trusty Tahr) - 4.4.0-31-generic - _*fail*_
  * Debian 9 (Stretch) - 4.9.0-8-amd64 (VM) - _*works*_

I don't know what the significant differentiating factor could be, that
lets guix behave correctly on that one debian system but not on the others.

But what I also noticed, is that the "list of substitutes" is also not
being updated on the three failing systems. Is the update process using
the download script internally, maybe, and that silently fails? Or maybe
this hints at another problem?

I fear there's nothing more I can immediately do. @Ludo - can you help?



On 16/02/19 10:17, Pjotr Prins wrote:
> Sorry about that.
>
> If you get it to work, do update the document - or me by E-mail. Maybe
> Ludo has something to say about this.
>
> Pj.
>
> On Sat, Feb 16, 2019 at 10:04:03AM +0100, Florian Thevissen wrote:
>>     Hi pjotr,
>>
>>       Did you try something like
>>
>>       proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
>>       gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>>
>>     Yes, this doesn’t work - with or without the -0 flag.
>>
>>       That used to work. But maybe no longer?
>>
>>     I tried the new guix binaries (0.16.0), and the ones that were recent
>>     when you wrote the guide (0.13.0), and proot has not, if I see
>>     correctly, significantly changed since then (v.5.1.0).
>>
>>     To me, this looks as if the setup on my particular system had something
>>     special to it that would lead guix to not behave correctly. Here’s a
>>     #guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
>>     [1]https://gnunet.org/bot/log/guix/2017-09-21 .
>>     For the record - this happens on a Debian 4.9.130-2 x86_64 system.
>>     I'll try this out on other systems/VMs today...
>>
>>     On 16/02/19 07:34, Pjotr Prins wrote:
>>
>> Did you try something like
>>
>> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>>
>> (note the extra -0 and chroot switches) and you should see on a guix package install.
>>
>> That used to work. But maybe no longer?
>>
>> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>>
>>     Hi,
>>
>>     I am trying to get guix to run on a system where I do not have root
>>     access, following a guide by pjotrp involving proot, here:
>>     [1][2]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>>     All guix operations that involve the script perform-download fail with
>>     the error:
>>
>>       guix perform-download: error: refusing to run with elevated
>>       privileges (UID 0)
>>
>>     I am not sure if this hints at a bug in guix itself, but a comment in
>>     the guix sources lets me assume so. It says in
>>     package-management.scm:355
>>
>>       “Note that scripts like ‘guix perform-download’ do not run as root
>>       (…)”
>>
>>     In my setup, following this guide, however, it apparently is run as
>>     root, and (assert-low-privileges) in the script perform-download.scm:89
>>     acts accordingly by signalling the error and exiting.
>>
>>     (By the way - running guix-daemon with proot root privileges fails
>>     (-0), and running it without (no -0) fails also.)
>>
>>     Now my question: why is perform-download run as root following pjotrs
>>     guide, and is there anything that can be done about it?
>>
>>     I am a bit at a loss here, being unfamiliar with the guix sources and
>>     overall system setup.
>>
>>     Looking forward to help, thanks,
>>
>>     Florian
>>
>> References
>>
>>     1. [3]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>>
>> References
>>
>>     1. https://gnunet.org/bot/log/guix/2017-09-21
>>     2. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>>     3. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org


--------------E1817396E343EF5C6AD4E5A4
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Thanks, Pjotr.</p>
    <p>So I got it working on one system out of four, following the
      exact same steps each time:<br>
    </p>
    <ul>
      <li>Debian 9 (Stretch) - 4.9.130-2 x86_64 (real system) - <b><u>fail</u></b></li>
      <li>Ubuntu 17.10 (Artful Aardvark) - 4.13.0-46-lowlatency (real
        system) - <u><b>fail</b></u></li>
      <li>Ubuntu 14.04 (Trusty Tahr) - 4.4.0-31-generic - <u><b>fail</b></u><br>
      </li>
      <li>Debian 9 (Stretch) - 4.9.0-8-amd64 (VM) - <u><b>works</b></u></li>
    </ul>
    <p>I don't know what the significant differentiating factor could
      be, that lets guix behave correctly on that one debian system but
      not on the others.<br>
    </p>
    <p>But what I also noticed, is that the "list of substitutes" is
      also not being updated on the three failing systems. Is the update
      process using the download script internally, maybe, and that
      silently fails? Or maybe this hints at another problem?<br>
    </p>
    <p>I fear there's nothing more I can immediately do. @Ludo - can you
      help?<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 16/02/19 10:17, Pjotr Prins wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:20190216091747.eb6g7znptifbqqbt@HIDDEN">
      <pre wrap="">Sorry about that.

If you get it to work, do update the document - or me by E-mail. Maybe
Ludo has something to say about this.

Pj.

On Sat, Feb 16, 2019 at 10:04:03AM +0100, Florian Thevissen wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">   Hi pjotr,

     Did you try something like

     proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
     gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot

   Yes, this doesn’t work - with or without the -0 flag.

     That used to work. But maybe no longer?

   I tried the new guix binaries (0.16.0), and the ones that were recent
   when you wrote the guide (0.13.0), and proot has not, if I see
   correctly, significantly changed since then (v.5.1.0).

   To me, this looks as if the setup on my particular system had something
   special to it that would lead guix to not behave correctly. Here’s a
   #guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
   [1]<a class="moz-txt-link-freetext" href="https://gnunet.org/bot/log/guix/2017-09-21">https://gnunet.org/bot/log/guix/2017-09-21</a> .
   For the record - this happens on a Debian 4.9.130-2 x86_64 system.
   I'll try this out on other systems/VMs today...

   On 16/02/19 07:34, Pjotr Prins wrote:

Did you try something like

proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/=
store/v
ir3l..-guix-0.x/bin/guix-daemon --disable-chroot

(note the extra -0 and chroot switches) and you should see on a guix pack=
age ins
tall.

That used to work. But maybe no longer?

On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:

   Hi,

   I am trying to get guix to run on a system where I do not have root
   access, following a guide by pjotrp involving proot, here:
   [1][2]<a class=3D"moz-txt-link-freetext" href=3D"https://github.com/pj=
otrp/guix-notes/blob/master/GUIX-NO-ROOT.org">https://github.com/pjotrp/g=
uix-notes/blob/master/GUIX-NO-ROOT.org</a> .

   All guix operations that involve the script perform-download fail with
   the error:

     guix perform-download: error: refusing to run with elevated
     privileges (UID 0)

   I am not sure if this hints at a bug in guix itself, but a comment in
   the guix sources lets me assume so. It says in
   package-management.scm:355

     =E2=80=9CNote that scripts like =E2=80=98guix perform-download=E2=80=
=99 do not run as root
     (=E2=80=A6)=E2=80=9D

   In my setup, following this guide, however, it apparently is run as
   root, and (assert-low-privileges) in the script perform-download.scm:8=
9
   acts accordingly by signalling the error and exiting.

   (By the way - running guix-daemon with proot root privileges fails
   (-0), and running it without (no -0) fails also.)

   Now my question: why is perform-download run as root following pjotrs
   guide, and is there anything that can be done about it?

   I am a bit at a loss here, being unfamiliar with the guix sources and
   overall system setup.

   Looking forward to help, thanks,

   Florian
   =E2=80=8B

References

   1. [3]<a class=3D"moz-txt-link-freetext" href=3D"https://github.com/pj=
otrp/guix-notes/blob/master/GUIX-NO-ROOT.org">https://github.com/pjotrp/g=
uix-notes/blob/master/GUIX-NO-ROOT.org</a>

   =E2=80=8B

References

   1. <a class=3D"moz-txt-link-freetext" href=3D"https://gnunet.org/bot/l=
og/guix/2017-09-21">https://gnunet.org/bot/log/guix/2017-09-21</a>
   2. <a class=3D"moz-txt-link-freetext" href=3D"https://github.com/pjotr=
p/guix-notes/blob/master/GUIX-NO-ROOT.org">https://github.com/pjotrp/guix=
-notes/blob/master/GUIX-NO-ROOT.org</a>
   3. <a class=3D"moz-txt-link-freetext" href=3D"https://github.com/pjotr=
p/guix-notes/blob/master/GUIX-NO-ROOT.org">https://github.com/pjotrp/guix=
-notes/blob/master/GUIX-NO-ROOT.org</a>
</pre>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>

--------------E1817396E343EF5C6AD4E5A4--




Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 16 Feb 2019 09:05:09 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Feb 16 04:05:09 2019
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
To: Pjotr Prins <pjotr.public12@HIDDEN>
References: <81415b97-6e02-33dc-a4da-b1b046d5a4e7@HIDDEN>
 <20190216063452.xllpdkhz4lc4jz4q@HIDDEN>
From: Florian Thevissen <mail@HIDDEN>
Message-ID: <0d4fc2ca-da74-dbb4-7e7d-df090b19a19f@HIDDEN>
Date: Sat, 16 Feb 2019 10:04:03 +0100
MIME-Version: 1.0
In-Reply-To: <20190216063452.xllpdkhz4lc4jz4q@HIDDEN>
Content-Type: multipart/alternative;
 boundary="------------161F3BA1602DECC7E34BE6DF"
Content-Language: en-US
Cc: bug-Guix@HIDDEN

This is a multi-part message in MIME format.
--------------161F3BA1602DECC7E34BE6DF
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi pjotr,

    Did you try something like

    proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
    gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot

Yes, this doesn’t work - with or without the -0 flag.

    That used to work. But maybe no longer?

I tried the new guix binaries (0.16.0), and the ones that were recent
when you wrote the guide (0.13.0), and proot has not, if I see
correctly, significantly changed since then (v.5.1.0).

To me, this looks as if the setup on my particular system had something
special to it that would lead guix to not behave correctly. Here’s a
#guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
https://gnunet.org/bot/log/guix/2017-09-21 .

For the record - this happens on a Debian 4.9.130-2 x86_64 system. I'll
try this out on other systems/VMs today...



On 16/02/19 07:34, Pjotr Prins wrote:

> Did you try something like
>
> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>
> (note the extra -0 and chroot switches) and you should see on a guix package install.
>
> That used to work. But maybe no longer?
>
> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>>     Hi,
>>
>>     I am trying to get guix to run on a system where I do not have root
>>     access, following a guide by pjotrp involving proot, here:
>>     [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>>     All guix operations that involve the script perform-download fail with
>>     the error:
>>
>>       guix perform-download: error: refusing to run with elevated
>>       privileges (UID 0)
>>
>>     I am not sure if this hints at a bug in guix itself, but a comment in
>>     the guix sources lets me assume so. It says in
>>     package-management.scm:355
>>
>>       “Note that scripts like ‘guix perform-download’ do not run as root
>>       (…)”
>>
>>     In my setup, following this guide, however, it apparently is run as
>>     root, and (assert-low-privileges) in the script perform-download.scm:89
>>     acts accordingly by signalling the error and exiting.
>>
>>     (By the way - running guix-daemon with proot root privileges fails
>>     (-0), and running it without (no -0) fails also.)
>>
>>     Now my question: why is perform-download run as root following pjotr's
>>     guide, and is there anything that can be done about it?
>>
>>     I am a bit at a loss here, being unfamiliar with the guix sources and
>>     overall system setup.
>>
>>     Looking forward to help, thanks,
>>
>>     Florian
>>
>> References
>>
>>     1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org

--------------161F3BA1602DECC7E34BE6DF--




Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 16 Feb 2019 06:44:00 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sat Feb 16 01:44:00 2019
Date: Sat, 16 Feb 2019 07:34:52 +0100
From: Pjotr Prins <pjotr.public12@HIDDEN>
To: Florian Thevissen <mail@HIDDEN>
Subject: Re: bug#34494: proot-based non-root setup: refusing to run with
 elevated privileges (UID 0)
Message-ID: <20190216063452.xllpdkhz4lc4jz4q@HIDDEN>
References: <81415b97-6e02-33dc-a4da-b1b046d5a4e7@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <81415b97-6e02-33dc-a4da-b1b046d5a4e7@HIDDEN>
User-Agent: NeoMutt/20170113 (1.7.2)
Content-Transfer-Encoding: quoted-printable
Cc: bug-Guix@HIDDEN

Did you try something like

proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot

(note the extra -0 and chroot switches) and you should see on a guix package install.

That used to work. But maybe no longer?

On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>    Hi,
>
>    I am trying to get guix to run on a system where I do not have root
>    access, following a guide by pjotrp involving proot, here:
>    [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>
>    All guix operations that involve the script perform-download fail with
>    the error:
>
>      guix perform-download: error: refusing to run with elevated
>      privileges (UID 0)
>
>    I am not sure if this hints at a bug in guix itself, but a comment in
>    the guix sources lets me assume so. It says in
>    package-management.scm:355
>
>      “Note that scripts like ‘guix perform-download’ do not run as root
>      (…)”
>
>    In my setup, following this guide, however, it apparently is run as
>    root, and (assert-low-privileges) in the script perform-download.scm:89
>    acts accordingly by signalling the error and exiting.
>
>    (By the way - running guix-daemon with proot root privileges fails
>    (-0), and running it without (no -0) fails also.)
>
>    Now my question: why is perform-download run as root following pjotr's
>    guide, and is there anything that can be done about it?
>
>    I am a bit at a loss here, being unfamiliar with the guix sources and
>    overall system setup.
>
>    Looking forward to help, thanks,
>
>    Florian
>
> References
>
>    1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
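
The kind of guard the report describes, as an added example in Python (not Guix's Scheme code and not part of the thread): a helper refuses to continue when the process sees UID 0, which is what a program started under `proot -0` sees. It goes beyond the quoted error by also checking the effective and saved UIDs; the function names and the sample `/proc/<pid>/status` text are constructed for illustration.

```python
import os
from typing import NamedTuple, Optional


class Uids(NamedTuple):
    real: int
    effective: int
    saved: int


class ElevatedPrivileges(RuntimeError):
    """Raised instead of continuing when any UID of the process is 0."""


def live_uids() -> Uids:
    # The UIDs this process is told it has by the getresuid() system call.
    return Uids(*os.getresuid())


def uids_from_status(status_text: str) -> Uids:
    # /proc/<pid>/status has a line "Uid:\t<real>\t<effective>\t<saved>\t<fs>".
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            fields = line.split()[1:]
            if len(fields) < 3:
                raise ValueError("malformed Uid line: %r" % line)
            real, effective, saved = (int(f) for f in fields[:3])
            return Uids(real, effective, saved)
    raise ValueError("no Uid line found")


def elevated_reason(uids: Uids) -> Optional[str]:
    # Name the first UID that is 0. Looking only at the real UID would miss
    # a set-uid start (effective 0) or a saved UID that can be switched back to.
    for name, value in zip(Uids._fields, uids):
        if value == 0:
            return "%s UID 0" % name
    return None


def assert_low_privileges(uids: Optional[Uids] = None,
                          program: str = "helper") -> None:
    # Fail closed: a download helper that talks to the network has no need
    # for root, so it stops before doing any work if it appears to have it.
    uids = live_uids() if uids is None else uids
    reason = elevated_reason(uids)
    if reason is not None:
        raise ElevatedPrivileges(
            "%s: error: refusing to run with elevated privileges (%s)"
            % (program, reason))


# Constructed sample inputs (not captured from any real system).
SAMPLE_STATUS_USER = "Name:\tguix\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
SAMPLE_STATUS_ROOT = "Name:\tguix\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
SAMPLE_STATUS_SETUID = "Name:\tguix\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"


if __name__ == "__main__":
    for label, text in (("user", SAMPLE_STATUS_USER),
                        ("root", SAMPLE_STATUS_ROOT),
                        ("setuid", SAMPLE_STATUS_SETUID)):
        try:
            assert_low_privileges(uids_from_status(text),
                                  program="guix perform-download")
            print(label, "-> allowed")
        except ElevatedPrivileges as err:
            print(label, "->", err)
```
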




Information forwarded to bug-guix@HIDDEN:
bug#34494; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 15 Feb 2019 21:09:47 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Feb 15 16:09:47 2019
To: bug-Guix@HIDDEN
From: Florian Thevissen <mail@HIDDEN>
Subject: proot-based non-root setup: refusing to run with elevated privileges
 (UID 0)
Message-ID: <81415b97-6e02-33dc-a4da-b1b046d5a4e7@HIDDEN>
Date: Fri, 15 Feb 2019 21:39:21 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="------------D51AD3E15D18A3155C2362EF"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------D51AD3E15D18A3155C2362EF
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi,

I am trying to get guix to run on a system where I do not have root
access, following a guide by pjotrp involving proot, here:
https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .

All guix operations that involve the script perform-download fail with
the error:

    guix perform-download: error: refusing to run with elevated
    privileges (UID 0)

I am not sure if this hints at a bug in guix itself, but a comment in
the guix sources lets me assume so. It says in package-management.scm:355

    “Note that scripts like ‘guix perform-download’ do not run as root (…)”

In my setup, following this guide, however, it apparently is run as
root, and (assert-low-privileges) in the script perform-download.scm:89
acts accordingly by signalling the error and exiting.

(By the way - running guix-daemon with proot root privileges fails (-0),
and running it without (no -0) fails also.)

Now my question: why is perform-download run as root following pjotr's
guide, and is there anything that can be done about it?

I am a bit at a loss here, being unfamiliar with the guix sources and
overall system setup.

Looking forward to help, thanks,

Florian

--------------D51AD3E15D18A3155C2362EF
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="markdown-here-wrapper" data-md-url="Thunderbird"
      style="" markdown-here-wrapper-content-modified="true">
      <p style="margin: 0px 0px 1.2em ! important;">Hi,</p>
      <p style="margin: 0px 0px 1.2em ! important;">I am trying to get
        guix to run on a system where I do not have root access,
        following a guide by pjotrp involving proot, here: <a
          href="https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org">https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org</a>
        .</p>
      <p style="margin: 0px 0px 1.2em ! important;">All guix operations
        that involve the script perform-download fail with the error:</p>
      <blockquote style="margin: 1.2em 0px;border-left: 4px solid
        rgb(221, 221, 221); padding: 0px 1em; color: rgb(119, 119, 119);
        quotes: none;">
        <p style="margin: 0px 0px 1.2em ! important;">guix
          perform-download: error: refusing to run with elevated
          privileges (UID 0)</p>
      </blockquote>
      <p style="margin: 0px 0px 1.2em ! important;">I am not sure if
        this hints at a bug in guix itself, but a comment in the guix
        sources lets me assume so. It says in package-management.scm:355</p>
      <blockquote style="margin: 1.2em 0px;border-left: 4px solid
        rgb(221, 221, 221); padding: 0px 1em; color: rgb(119, 119, 119);
        quotes: none;">
        <p style="margin: 0px 0px 1.2em ! important;">“Note that scripts
          like ‘guix perform-download’ do not run as root (…)”</p>
      </blockquote>
      <p style="margin: 0px 0px 1.2em ! important;">In my setup,
        following this guide, however, it apparently is run as root, and
        (assert-low-privileges) in the script perform-download.scm:89
        acts accordingly by signalling the error and exiting.</p>
      <p style="margin: 0px 0px 1.2em ! important;">(By the way -
        running guix-daemon with proot root privileges fails (-0), and
        running it without (no -0) fails also.)</p>
      <p style="margin: 0px 0px 1.2em ! important;">Now my question: why
        is perform-download run as root following pjotr's guide, and is
        there anything that can be done about it?<br>
      </p>
      <p style="margin: 0px 0px 1.2em ! important;">I am a bit at a loss
        here, being unfamiliar with the guix sources and overall system
        setup.<br>
      </p>
      <p style="margin: 0px 0px 1.2em ! important;">Looking forward to
        help, thanks,<br>
      </p>
      <p style="margin: 0px 0px 1.2em ! important;">Florian</p>
      <div
title=3D"MDH:PHA+SGksPC9wPjxwPkkgYW0gdHJ5aW5nIHRvIGdldCBndWl4IHRvIHJ1biBv=
biBhIHN5c3RlbSB3aGVyZSBJIGRvIG5vdCBoYXZlIHJvb3QgYWNjZXNzLCBmb2xsb3dpbmcgY=
SBndWlkZSBieSBwam90
cnAgaW52b2x2aW5nIHByb290LCBoZXJlOiBodHRwczovL2dpdGh1Yi5jb20vcGpvdHJwL2d1a=
Xgt
bm90ZXMvYmxvYi9tYXN0ZXIvR1VJWC1OTy1ST09ULm9yZyAuPC9wPjxwPkFsbCBndWl4IG9wZ=
XJh
dGlvbnMgdGhhdCBpbnZvbHZlIHRoZSBzY3JpcHQgcGVyZm9ybS1kb3dubG9hZCBmYWlsIHdpd=
Ggg
dGhlIGVycm9yOjwvcD48cD48YnI+PC9wPjxwPiZndDsgZ3VpeCBwZXJmb3JtLWRvd25sb2FkO=
iBl
cnJvcjogcmVmdXNpbmcgdG8gcnVuIHdpdGggZWxldmF0ZWQgcHJpdmlsZWdlcyAoVUlEIDApP=
C9w
PjxwPjxicj48L3A+PHA+SSBhbSBub3Qgc3VyZSBpZiB0aGlzIGhpbnRzIGF0IGEgYnVnIGluI=
Gd1
aXggaXRzZWxmLCBidXQgYSBjb21tZW50IGluIHRoZSBndWl4IHNvdXJjZXMgbGV0cyBtZSBhc=
3N1
bWUgc28uIEl0IHNheXMgaW4gcGFja2FnZS1tYW5hZ2VtZW50LnNjbTozNTU8YnI+PC9wPjxwP=
iZn
dDsgIk5vdGUgdGhhdCBzY3JpcHRzIGxpa2UgJ2d1aXggcGVyZm9ybS1kb3dubG9hZCcgZG8gb=
m90
IHJ1biBhcyByb290ICguLi4pIjwvcD48cD48YnI+PC9wPjxwPkluIG15IHNldHVwLCBmb2xsb=
3dp
bmcgdGhpcyBndWlkZSwgaG93ZXZlciwgaXQgYXBwYXJlbnRseSBpcyBydW4gYXMgcm9vdCwgY=
W5k
IChhc3NlcnQtbG93LXByaXZpbGVnZXMpIGluIHRoZSBzY3JpcHQgcGVyZm9ybS1kb3dubG9hZ=
C5z
Y206ODkgYWN0cyBhY2NvcmRpbmdseSBieSBzaWduYWxsaW5nIHRoZSBlcnJvciBhbmQgZXhpd=
Glu
Zy48L3A+PHA+KEJ5IHRoZSB3YXkgLSBydW5uaW5nIGd1aXgtZGFlbW9uIHdpdGggcHJvb3Qgc=
m9v
dCBwcml2aWxlZ2VzIGZhaWxzICgtMCksIGFuZCBydW5uaW5nIGl0IHdpdGhvdXQgKG5vIC0wK=
SBm
YWlscyBhbHNvLjxicj48L3A+PHA+Tm93IG15IHF1ZXN0aW9uOiB3aHkgaXMgcGVyZm9ybS1kb=
3du
bG9hZCBydW4gYXMgcm9vdCBmb2xsb3dpbmcgcGpvdHJzIGd1aWRlLCBhbmQgaXMgdGhlcmUgY=
W55
dGhpbmcgdGhhdCB3ZSBjYW4gZG8gYWJvdXQgaXQ/PC9wPjxwPkkgYW0gYSBiaXQgYXQgYSBsb=
3Nz
IGhlcmUsIHRyeWluZyBoYXJkIHRvIGhhdmUgYW5vdGhlciBsb29rIGF0IGd1aXguPGJyPjwvc=
D48
cD5UaGFua3MgaW4gYWR2YW5jZSw8YnI+PC9wPjxwPkZsb3JpYW48YnI+PC9wPjxwPjxicj48L=
3A+"
style=3D"height:0;width:0;max-height:0;max-width:0;overflow:hidden;font-s=
ize:0em;padding:0;margin:0;">=E2=80=8B</div>
    </div>
  </body>
</html>

--------------D51AD3E15D18A3155C2362EF--




Acknowledgement sent to Florian Thevissen <mail@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#34494; Package guix.
Last modified: Wed, 6 Mar 2019 16:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.