Hi again Guix, I am trying to run a VPN client within a Guix shell container, but it appears (probably unsurprisingly) that this VPN client needs to run the `ip` command (from the `iproute2` package) in order to add a network route for the new VPN connection. This fails unceremoniously for me with this rather basic error:
    Failed to add appliance routes: exit status 2 stderr: RTNETLINK answers: Operation not permitted

I can recreate the same error with this minimal example:

    $ guix shell -CN iproute2 -- ip route add 12.34.56.78 dev wls6
    RTNETLINK answers: Operation not permitted

The problem here is, of course, that I need to run the `ip` command with root privileges in order to update the system-wide network routing tables. And...as far as I can tell, there is no way to run a command as root within a Guix shell container. :(

I tried to run `sudo guix shell -CN ...`, but that simply fails with this scheme error:

    guix shell: error: fport_write: Operation not permitted

I then tried becoming the root user and running `guix shell -CN` directly, but that gave me the same error, indicating that it would appear that Guix shell containers can't be created by users with root privileges.

Next, I explored trying to run `sudo` within the container, but that failed with this error:

    $ guix shell -CN iproute2 sudo -- sudo ip route add 12.34.56.78 dev wls6
    sudo: /gnu/store/mjb020kkj4xx1h1cja1ydc8nlbpyp7lp-profile/bin/sudo must be owned by uid 0 and have the setuid bit set

Unfortunately, there is no user with uid 0 (a.k.a., root) in the /etc/passwd file inside my container, and since I can't run `chmod` with root privileges within the container, I can't set the setuid bit on the `sudo` command. I know about the `privileged-programs` field in an `operating-system` record, but there doesn't appear to be any way of leveraging that from `guix shell`, so...another dead end.
In an extremely questionable move, I even went so far as to expose the setuid sudo binary at /run/privileged/bin/sudo to the container like so:

    $ guix shell -CN --expose=/run/privileged/bin/sudo coreutils sudo -- ls -l /run/privileged/bin/sudo
    -r-sr-xr-x 1 65534 overflow 275168 Jul 8 15:31 /run/privileged/bin/sudo

But that still won't work, presumably because it is owned by user 65534 instead of user 0 (root):

    $ guix shell -CN --expose=/run/privileged/bin/sudo coreutils sudo -- /run/privileged/bin/sudo ls /
    sudo: /run/privileged/bin/sudo must be owned by uid 0 and have the setuid bit set

So at this point, I've exhausted every option that I can think of for running a command with root privileges within a Guix shell container. Perhaps one of you mighty Guix wizards will know of a way to make this happen?

Fingers crossed,
Gary

--
GPG Key ID: C4FBEDBD
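As an added example (not part of Gary's post or of Guix itself), here is a small pre-flight check a VPN wrapper script could run before calling `ip`: `ip route add` needs CAP_NET_ADMIN (capability number 12) in the current network namespace, and a process inside a container that does not hold it gets exactly the "RTNETLINK answers: Operation not permitted" error above. The script decodes the `CapEff` mask from `/proc/self/status`; the two status excerpts it checks are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added example: decode Linux effective capabilities and report whether
# "ip route add" can succeed, instead of letting it fail opaquely.

# cap_bit MASK_HEX CAPNUM -> prints 1 if bit CAPNUM is set in the 64-bit
# hex mask that /proc/<pid>/status reports, else 0.
cap_bit() {
    printf '%d\n' "$(( (0x$1 >> $2) & 1 ))"
}

# check_route_privs STATUS_TEXT -> reads the Uid: and CapEff: lines of a
# /proc/<pid>/status dump; exits 0 if CAP_NET_ADMIN (12) is held, 1 if not.
check_route_privs() {
    uid=$(printf '%s\n' "$1" | awk '/^Uid:/ {print $2}')
    capeff=$(printf '%s\n' "$1" | awk '/^CapEff:/ {print $2}')
    [ -n "$capeff" ] || capeff=0   # no CapEff line: assume nothing is held
    if [ "$(cap_bit "$capeff" 12)" = 1 ]; then
        echo "uid=$uid holds CAP_NET_ADMIN: 'ip route add' is allowed in this netns"
        return 0
    fi
    echo "uid=$uid lacks CAP_NET_ADMIN (CapEff=$capeff): expect 'RTNETLINK answers: Operation not permitted'"
    return 1
}

# Constructed sample status excerpts (not captured from Gary's machine):
# an unprivileged container user, and a root process with a full bounding set.
SAMPLE_UNPRIV='Uid:	1000	1000	1000	1000
CapEff:	0000000000000000'
SAMPLE_ROOT='Uid:	0	0	0	0
CapEff:	000001ffffffffff'

check_route_privs "$SAMPLE_UNPRIV" || :
check_route_privs "$SAMPLE_ROOT"   || :

# Live check of the current process; skipped where procfs is unavailable.
if [ -r /proc/self/status ]; then
    check_route_privs "$(cat /proc/self/status)" || :
fi
```

Run it inside `guix shell -CN ...` and the live line tells you up front whether the container's user can touch the routing table, without the guesswork of reading RTNETLINK's one-line refusal.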
