15/16: etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.

Wed, 26 Mar 2025 10:05:31 -0700 

civodul pushed a commit to branch master
in repository guix.

commit 107eb8ee8f5f9192c795abeb47885b49a57bacd4
Author: Ludovic Courtès <[email protected]>
AuthorDate: Thu Jan 23 09:47:22 2025 +0100

    etc: systemd services: Run ‘guix-daemon’ as an unprivileged user.
    
    * etc/guix-daemon.service.in (ExecStart): Remove ‘--build-users-group’.
    (Environment): Add ‘GUIX_STATE_DIRECTORY’.
    (Before, User, AmbientCapabilities, PrivateMounts, BindPaths): New fields.
    * etc/gnu-store.mount.in (Before): Remove.
    (WantedBy): Change to ‘multi-user.target’.
    
    Change-Id: Id826b8ab535844b6024d777f6bd15fd49db6d65e
---
 etc/gnu-store.mount.in     |  3 +--
 etc/guix-daemon.service.in | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/etc/gnu-store.mount.in b/etc/gnu-store.mount.in
index c94f2db72b..f9918c9e52 100644
--- a/etc/gnu-store.mount.in
+++ b/etc/gnu-store.mount.in
@@ -2,10 +2,9 @@
 Description=Read-only @storedir@ for GNU Guix
 DefaultDependencies=no
 ConditionPathExists=@storedir@
-Before=guix-daemon.service
 
 [Install]
-WantedBy=guix-daemon.service
+WantedBy=multi-user.target
 
 [Mount]
 What=@storedir@
diff --git a/etc/guix-daemon.service.in b/etc/guix-daemon.service.in
index 5c43d9b7f1..6a5ef97f9b 100644
--- a/etc/guix-daemon.service.in
+++ b/etc/guix-daemon.service.in
@@ -5,11 +5,29 @@
 [Unit]
 Description=Build daemon for GNU Guix
 
+# Start before 'gnu-store.mount' to get a writable view of the store.
+Before=gnu-store.mount
+
 [Service]
 
ExecStart=@localstatedir@/guix/profiles/per-user/root/current-guix/bin/guix-daemon
 \
-    --build-users-group=guixbuild --discover=no \
+    --discover=no \
     --substitute-urls='@GUIX_SUBSTITUTE_URLS@'
-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale'
 LC_ALL=en_US.utf8
+Environment='GUIX_STATE_DIRECTORY=@localstatedir@/guix' 
'GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale'
 LC_ALL=en_US.utf8
+
+# Run under a dedicated unprivileged user account.
+User=guix-daemon
+
+# Bind-mount the store read-write in a private namespace, to counter the
+# effect of 'gnu-store.mount'.
+PrivateMounts=true
+BindPaths=@storedir@
+
+# Provide the CAP_CHOWN capability so that guix-daemon can create and chown
+# /var/guix/profiles/per-user/$USER and also chown failed build directories
+# when using '--keep-failed'.  Note that guix-daemon explicitly drops ambient
+# capabilities before executing build processes so they don't inherit them.
+AmbientCapabilities=CAP_CHOWN
+
 StandardOutput=journal
 StandardError=journal

Reply via email to