GNU bug report logs -
#34494
proot-based non-root setup: refusing to run with elevated privileges (UID 0)
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 34494 in the body.
You can then email your comments to 34494 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Fri, 15 Feb 2019 21:10:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Florian Thevissen <mail <at> florian-thevissen.de>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Fri, 15 Feb 2019 21:10:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
I am trying to get guix to run on a system where I do not have root
access, following a guide by pjotrp involving proot, here:
https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
All guix operations that involve the script perform-download fail with
the error:
guix perform-download: error: refusing to run with elevated
privileges (UID 0)
I am not sure if this hints at a bug in guix itself, but a comment in
the guix sources lets me assume so. It says in package-management.scm:355
“Note that scripts like ‘guix perform-download’ do not run as root (…)”
In my setup, following this guide, however, it apparently is run as
root, and (assert-low-privileges) in the script perform-download.scm:89
acts accordingly by signalling the error and exiting.
(By the way - running guix-daemon with proot root privileges fails (-0),
and running it without (no -0) fails also.)
Now my question: why is perform-download run as root following pjotrs
guide, and is there anything that can be done about it?
I am a bit at a loss here, being unfamiliar with the guix sources and
overall system setup.
Looking forward to help, thanks,
Florian
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Sat, 16 Feb 2019 06:44:02 GMT)
Full text and
rfc822 format available.
Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):
Did you try something like
proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
(note the extra -0 and chroot switches) and you should see on a guix package install.
That used to work. But maybe no longer?
On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
> Hi,
>
> I am trying to get guix to run on a system where I do not have root
> access, following a guide by pjotrp involving proot, here:
> [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>
> All guix operations that involve the script perform-download fail with
> the error:
>
> guix perform-download: error: refusing to run with elevated
> privileges (UID 0)
>
> I am not sure if this hints at a bug in guix itself, but a comment in
> the guix sources lets me assume so. It says in
> package-management.scm:355
>
> “Note that scripts like ‘guix perform-download’ do not run as root
> (…)”
>
> In my setup, following this guide, however, it apparently is run as
> root, and (assert-low-privileges) in the script perform-download.scm:89
> acts accordingly by signalling the error and exiting.
>
> (By the way - running guix-daemon with proot root privileges fails
> (-0), and running it without (no -0) fails also.)
>
> Now my question: why is perform-download run as root following pjotrs
> guide, and is there anything that can be done about it?
>
> I am a bit at a loss here, being unfamiliar with the guix sources and
> overall system setup.
>
> Looking forward to help, thanks,
>
> Florian
>
>
> References
>
> 1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Sat, 16 Feb 2019 09:06:01 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi pjotr,
Did you try something like
proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
gnu/store/vir3l..-guix-0.x/bin/guix-daemon —disable-chroot
Yes, this doesn’t work - with or without the -0 flag.
That used to work. But maybe no longer?
I tried the new guix binaries (0.16.0), and the ones that were recent
when you wrote the guide (0.13.0), and proot has not, if I see
correctly, significantly changed since then (v.5.1.0).
To me, this looks as if the setup on my particular system had something
special to it that would lead guix to not behave correctly. Here’s a
#guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
https://gnunet.org/bot/log/guix/2017-09-21 .
For the record - this happens on an Debian 4.9.130-2 x86_64 system. I'll
try this out on other systems/VMs today...
On 16/02/19 07:34, Pjotr Prins wrote:
> Did you try something like
>
> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/vir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>
> (note the extra -0 and chroot switches) and you should see on a guix package install.
>
> That used to work. But maybe no longer?
>
> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>> Hi,
>>
>> I am trying to get guix to run on a system where I do not have root
>> access, following a guide by pjotrp involving proot, here:
>> [1]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>> All guix operations that involve the script perform-download fail with
>> the error:
>>
>> guix perform-download: error: refusing to run with elevated
>> privileges (UID 0)
>>
>> I am not sure if this hints at a bug in guix itself, but a comment in
>> the guix sources lets me assume so. It says in
>> package-management.scm:355
>>
>> “Note that scripts like ‘guix perform-download’ do not run as root
>> (…)”
>>
>> In my setup, following this guide, however, it apparently is run as
>> root, and (assert-low-privileges) in the script perform-download.scm:89
>> acts accordingly by signalling the error and exiting.
>>
>> (By the way - running guix-daemon with proot root privileges fails
>> (-0), and running it without (no -0) fails also.)
>>
>> Now my question: why is perform-download run as root following pjotrs
>> guide, and is there anything that can be done about it?
>>
>> I am a bit at a loss here, being unfamiliar with the guix sources and
>> overall system setup.
>>
>> Looking forward to help, thanks,
>>
>> Florian
>>
>>
>> References
>>
>> 1. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Sat, 16 Feb 2019 10:09:02 GMT)
Full text and
rfc822 format available.
Message #14 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Thanks, Pjotr.
So I got it working on one system out of four, following the exact same
steps each time:
* Debian 9 (Stretch) - 4.9.130-2 x86_64 (real system) - *_fail_*
* Ubuntu 17.10 (Artful Aardvark) - 4.13.0-46-lowlatency (real system)
- _*fail*_
* Ubuntu 14.04 (Trusty Tahr) - 4.4.0-31-generic - _*fail*_
* Debian 9 (Stretch) - 4.9.0-8-amd64 (VM) - _*works*_
I don't know what the significant differentiating factor could be, that
lets guix behave correctly on that one debian system but not on the others.
But what I also noticed, is that the "list of substitutes" is also not
being updated on the three failing systems. Is the update process using
the download script internally, maybe, and that silently fails? Or maybe
this hints at another problem?
I fear there's nothing more I can immediately do. @Ludo - can you help?
On 16/02/19 10:17, Pjotr Prins wrote:
> Sorry about that.
>
> If you get it to work, do update the document - or me by E-mail. Maybe
> Ludo has something to say about this.
>
> Pj.
>
> On Sat, Feb 16, 2019 at 10:04:03AM +0100, Florian Thevissen wrote:
>> Hi pjotr,
>>
>> Did you try something like
>>
>> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl
>> gnu/store/vir3l..-guix-0.x/bin/guix-daemon —disable-chroot
>>
>> Yes, this doesn’t work - with or without the -0 flag.
>>
>> That used to work. But maybe no longer?
>>
>> I tried the new guix binaries (0.16.0), and the ones that were recent
>> when you wrote the guide (0.13.0), and proot has not, if I see
>> correctly, significantly changed since then (v.5.1.0).
>>
>> To me, this looks as if the setup on my particular system had something
>> special to it that would lead guix to not behave correctly. Here’s a
>> #guix chat-log, where Saone (at 00:25:29) comes to the same conclusion:
>> [1]https://gnunet.org/bot/log/guix/2017-09-21 .
>> For the record - this happens on an Debian 4.9.130-2 x86_64 system.
>> I'll try this out on other systems/VMs today...
>>
>> On 16/02/19 07:34, Pjotr Prins wrote:
>>
>> Did you try something like
>>
>> proot -0 -b /proc -b /dev -b /etc -r . -b etc_guix/acl:/etc/guix/acl gnu/store/v
>> ir3l..-guix-0.x/bin/guix-daemon --disable-chroot
>>
>> (note the extra -0 and chroot switches) and you should see on a guix package ins
>> tall.
>>
>> That used to work. But maybe no longer?
>>
>> On Fri, Feb 15, 2019 at 09:39:21PM +0100, Florian Thevissen wrote:
>>
>> Hi,
>>
>> I am trying to get guix to run on a system where I do not have root
>> access, following a guide by pjotrp involving proot, here:
>> [1][2]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
>>
>> All guix operations that involve the script perform-download fail with
>> the error:
>>
>> guix perform-download: error: refusing to run with elevated
>> privileges (UID 0)
>>
>> I am not sure if this hints at a bug in guix itself, but a comment in
>> the guix sources lets me assume so. It says in
>> package-management.scm:355
>>
>> “Note that scripts like ‘guix perform-download’ do not run as root
>> (…)”
>>
>> In my setup, following this guide, however, it apparently is run as
>> root, and (assert-low-privileges) in the script perform-download.scm:89
>> acts accordingly by signalling the error and exiting.
>>
>> (By the way - running guix-daemon with proot root privileges fails
>> (-0), and running it without (no -0) fails also.)
>>
>> Now my question: why is perform-download run as root following pjotrs
>> guide, and is there anything that can be done about it?
>>
>> I am a bit at a loss here, being unfamiliar with the guix sources and
>> overall system setup.
>>
>> Looking forward to help, thanks,
>>
>> Florian
>>
>>
>> References
>>
>> 1. [3]https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>>
>>
>>
>> References
>>
>> 1. https://gnunet.org/bot/log/guix/2017-09-21
>> 2. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
>> 3. https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Mon, 04 Mar 2019 21:47:02 GMT)
Full text and
rfc822 format available.
Message #17 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Florian,
Florian Thevissen <mail <at> florian-thevissen.de> skribis:
> I am trying to get guix to run on a system where I do not have root
> access, following a guide by pjotrp involving proot, here:
> https://github.com/pjotrp/guix-notes/blob/master/GUIX-NO-ROOT.org .
Not really answering your question, but would user namespaces be an
option for you?
If so,
<https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
might be a simpler option.
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Tue, 05 Mar 2019 18:59:01 GMT)
Full text and
rfc822 format available.
Message #20 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Ludovic,
Not really answering your question, but would user namespaces be an
option for you? If so,
<https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
might be a simpler option.
Thank you for the suggestion, this does look interesting.
However, the original use-case of using guix in a non-root scenario is
no longer relevant to me: I was convincing enough to get guix
root-installed on all relevant machines on which I do not have root
access. So I can enjoy guix properly, now.
However, I could very well imagine guix to be used on a per-user basis,
acting on some sub-directory of $HOME. Afterall, many (most?)
desktop-systems are used by a single user - or so I would argue…
On the original topic - I recently learned that the mechanisms proot
employs might just not work on all systems. So the issue may not per-se
have been with guix, but with proot. I’m no expert on the subject
though, and didn’t dig deeper yet.
Best regards,
Florian
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#34494
; Package
guix
.
(Wed, 06 Mar 2019 16:01:02 GMT)
Full text and
rfc822 format available.
Message #23 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Florian,
Florian Thevissen <mail <at> florian-thevissen.de> skribis:
> Hi Ludovic,
>
> Not really answering your question, but would user namespaces be an
> option for you? If so,
> <https://lists.gnu.org/archive/html/guix-devel/2018-05/msg00139.html>
> might be a simpler option.
>
> Thank you for the suggestion, this does look interesting.
>
> However, the original use-case of using guix in a non-root scenario is
> no longer relevant to me: I was convincing enough to get guix
> root-installed on all relevant machines on which I do not have root
> access. So I can enjoy guix properly, now.
Well, congrats. :-)
Note that <https://guix-hpc.bordeaux.inria.fr/blog> has some thoughts on
non-root usage that may be of interest to you.
> However, I could very well imagine guix to be used on a per-user
> basis, acting on some sub-directory of $HOME. Afterall, many (most?)
> desktop-systems are used by a single user - or so I would argue…
I agree that non-root usage would be useful; it’s just that the kernel
Linux doesn’t make it easy, unless user namespaces are enabled…
Thanks,
Ludo’.
Added tag(s) notabug.
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Wed, 06 Mar 2019 16:01:02 GMT)
Full text and
rfc822 format available.
bug closed, send any further explanations to
34494 <at> debbugs.gnu.org and Florian Thevissen <mail <at> florian-thevissen.de>
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Wed, 06 Mar 2019 16:01:03 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Thu, 04 Apr 2019 11:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 5 years and 17 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.