daemon: Build `nix-setuid-helper'.
* daemon.am (libexec_PROGRAMS, nix_setuid_helper_SOURCES, nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): New variables.
* test-env.in: Set and export `NIX_SETUID_HELPER'.
* README (Installing Guix as non-root): New section.
This commit is contained in:
parent
b3a53fb361
commit
e1b7096acd
4 changed files with 36 additions and 5 deletions
1
.gitignore
vendored
|
@ -63,3 +63,4 @@ stamp-h[0-9]
|
|||
/test-tmp
|
||||
/nix/scripts/list-runtime-roots
|
||||
/test-env
|
||||
/nix/nix-setuid-helper/nix-setuid-helper.cc
|
||||
|
|
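Review bot: the new `/nix/nix-setuid-helper/nix-setuid-helper.cc` entry implies the file is generated or copied into the tree at build time (like `/nix/scripts/list-runtime-roots` above it), yet daemon.am in this same commit lists that path directly in `nix_setuid_helper_SOURCES`. Please reference the rule that produces it, otherwise a fresh checkout has no source for the helper and the build fails; a short comment next to the ignore entry would do.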
27
README
|
@ -59,10 +59,29 @@ the promise of a build; it is stored as a text file under
|
|||
`derivation' primitive, as well as higher-level wrappers such as
|
||||
`build-expression->derivation'.
|
||||
|
||||
Guix does remote procedure calls (RPCs) to the Nix daemon (the
|
||||
=nix-worker --daemon= command), which in turn performs builds and
|
||||
accesses to the Nix store on its behalf. The RPCs are implemented in
|
||||
the (guix store) module.
|
||||
Guix does remote procedure calls (RPCs) to the Guix or Nix daemon (the
|
||||
=guix-daemon= or =nix-daemon= command), which in turn performs builds
|
||||
and accesses to the Nix store on its behalf. The RPCs are implemented
|
||||
in the (guix store) module.
|
||||
|
||||
* Installing Guix as non-root
|
||||
|
||||
The Guix daemon allows software builds to be performed under alternate
|
||||
user accounts, which are normally created specifically for this
|
||||
purpose. For instance, you may have a pool of accounts in the
|
||||
=guixbuild= group, and then you can instruct =guix-daemon= to use them
|
||||
like this:
|
||||
|
||||
$ guix-daemon --build-users-group=guixbuild
|
||||
|
||||
However, unless it is run as root, =guix-daemon= cannot switch users.
|
||||
In that case, it falls back to using a setuid-root helper program call
|
||||
=nix-setuid-helper=. That program is not setuid-root by default when
|
||||
you install it; instead you should run a command along these lines
|
||||
(assuming Guix is installed under /usr/local):
|
||||
|
||||
# chown root.root /usr/local/libexec/nix-setuid-helper
|
||||
# chmod 4755 /usr/local/libexec/nix-setuid-helper
|
||||
|
||||
* Contact
|
||||
|
||||
|
|
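Review bot: the documented `chmod 4755` makes the helper setuid-root and executable by every local user, so the README should state how the helper restricts who may invoke it (for example that it only acts for the daemon's user or the =guixbuild= group); if it does not, recommend a tighter mode such as `4750` with group ownership set to the daemon's group. Two small wording fixes while here: "helper program call =nix-setuid-helper=" should read "called", and `chown root.root` would be clearer as the portable `root:root` form.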
10
daemon.am
|
@ -136,6 +136,16 @@ guix_daemon_LDADD = \
|
|||
guix_daemon_headers = \
|
||||
nix/nix-daemon/shared.hh
|
||||
|
||||
libexec_PROGRAMS = nix-setuid-helper
|
||||
nix_setuid_helper_SOURCES = \
|
||||
nix/nix-setuid-helper/nix-setuid-helper.cc
|
||||
|
||||
nix_setuid_helper_CPPFLAGS = \
|
||||
$(libutil_a_CPPFLAGS)
|
||||
|
||||
nix_setuid_helper_LDADD = \
|
||||
libutil.a libformat.a
|
||||
|
||||
noinst_HEADERS = \
|
||||
$(libformat_headers) $(libutil_headers) $(libstore_headers) \
|
||||
$(guix_daemon_headers)
|
||||
|
|
|
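Review bot: the `libexec_PROGRAMS` block gives no hint that the installed `nix-setuid-helper` is intentionally left without the setuid bit and needs the manual `chown`/`chmod` step from the README; a comment here, or an `install-exec-hook` that prints that instruction, would keep the two in sync when the path changes. Also worth confirming that `libutil.a libformat.a` is the right static link order for the build, since `nix_setuid_helper_LDADD` does not mirror the `guix_daemon_LDADD` list above it.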
@ -27,6 +27,7 @@
|
|||
if [ -x "@abs_top_builddir@/guix-daemon" ]
|
||||
then
|
||||
NIX_SUBSTITUTERS="" # don't resort to substituters
|
||||
NIX_SETUID_HELPER="@abs_top_builddir@/nix-setuid-helper" # normally unused
|
||||
NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
|
||||
NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
|
||||
NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
|
||||
|
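Review bot: `NIX_SETUID_HELPER` points at the build-tree binary, which is never setuid-root, so the daemon cannot switch build users during tests; the "normally unused" comment should say that explicitly and that the test suite must not pass `--build-users-group`, otherwise a future test enabling it will fail in a confusing way. Consider also guarding the assignment with the same `-x` test used for `guix-daemon` above.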
@ -42,7 +43,7 @@ then
|
|||
|
||||
export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
|
||||
NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
|
||||
NIX_ROOT_FINDER
|
||||
NIX_ROOT_FINDER NIX_SETUID_HELPER
|
||||
|
||||
# Do that because store.scm calls `canonicalize-path' on it.
|
||||
mkdir -p "$NIX_STORE_DIR"
|
||||
|
|
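Review bot: exporting `NIX_SETUID_HELPER` here is consistent with the assignment in the previous hunk, but the variable is unconditionally exported even when the helper was not built; keeping the export paired with the existence check for `guix-daemon` avoids handing the daemon a dangling path.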