Hi,

Joshua Branson <jbra...@dismail.de> wrote:

> Apologies if I'm speaking for something I know very little
> about... Wouldn't it be nice if guix home services would accept a user
> and a group field?  For the syncthing service, perhaps the user wants to
> limit Syncthing's runtime permissions.  So instead of running as the
> user, the user would run Syncthing as a different user with fewer permissions?

That’s not possible unless the calling user is root, since you’d need
the ability to switch users somehow.

> Please note it may be much better to just container-ize the Syncthing
> service.  Does guix home have that ability?
>
> https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/

It can gain that availability without doing anything actually: service
implementations “just” need to use ‘make-forkexec-constructor/container’
instead of ‘make-forkexec-constructor’.

However, that would only work on systems where unprivileged user
namespaces are enabled, so we’d need a way to turn it off.

Ludo’.
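
The fallback condition mentioned above (containerized constructor only where unprivileged user namespaces are enabled), as an added example that is not part of this message or of Guix's own code. The function names and the `PROC_ROOT` argument are hypothetical; the two sysctl files are the kernel's upstream limit and the Debian-style distribution knob.

```shell
#!/bin/sh
# Added example. PROC_ROOT is a hypothetical override so the check can be
# exercised against a constructed directory tree instead of the live /proc.

# userns_available [PROC_ROOT]
# Returns 0 when unprivileged user namespaces look usable, 1 otherwise.
userns_available() {
    root="${1:-/proc}"

    # Kernel built without user namespace support: the ns link is absent.
    [ -e "$root/self/ns/user" ] || return 1

    # Distribution patch (Debian and derivatives): 0 restricts creation to root.
    knob="$root/sys/kernel/unprivileged_userns_clone"
    if [ -r "$knob" ] && [ "$(cat "$knob")" = "0" ]; then
        return 1
    fi

    # Upstream per-user limit: 0 means no user namespace can be created.
    knob="$root/sys/user/max_user_namespaces"
    if [ -r "$knob" ] && [ "$(cat "$knob")" = "0" ]; then
        return 1
    fi

    return 0
}

# pick_constructor [PROC_ROOT]
# Prints the name of the constructor a service could use on this system:
# the containerized one when available, the plain one as the fallback.
pick_constructor() {
    if userns_available "$1"; then
        echo "make-forkexec-constructor/container"
    else
        echo "make-forkexec-constructor"
    fi
}

# Report for the running system.
pick_constructor
```
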
