
daemon: Build `nix-setuid-helper'.

* daemon.am (libexec_PROGRAMS, nix_setuid_helper_SOURCES,
  nix_setuid_helper_CPPFLAGS, nix_setuid_helper_LDADD): New variables.
* test-env.in: Set and export `NIX_SETUID_HELPER'.
* README (Installing Guix as non-root): New section.
wip-grafts
Ludovic Courtès 9 years ago
parent
commit
e1b7096acd
  .gitignore  | 1
  README      | 27
  daemon.am   | 10
  test-env.in | 3

1
.gitignore

@ -63,3 +63,4 @@ stamp-h[0-9]
/test-tmp
/nix/scripts/list-runtime-roots
/test-env
/nix/nix-setuid-helper/nix-setuid-helper.cc
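Review bot: the new entry /nix/nix-setuid-helper/nix-setuid-helper.cc ignores the same file that daemon.am lists in nix_setuid_helper_SOURCES, which only makes sense if that source is generated or linked into place at build time. Nothing in this commit shows the rule that produces it, so a short comment here or in daemon.am saying where the file comes from would help; an untracked source for a program meant to be setuid-root is easy to miss in later reviews.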

27
README

@ -59,10 +59,29 @@ the promise of a build; it is stored as a text file under
`derivation' primitive, as well as higher-level wrappers such as
`build-expression->derivation'.
Guix does remote procedure calls (RPCs) to the Nix daemon (the
=nix-worker --daemon= command), which in turn performs builds and
accesses to the Nix store on its behalf. The RPCs are implemented in
the (guix store) module.
Guix does remote procedure calls (RPCs) to the Guix or Nix daemon (the
=guix-daemon= or =nix-daemon= command), which in turn performs builds
and accesses to the Nix store on its behalf. The RPCs are implemented
in the (guix store) module.
* Installing Guix as non-root
The Guix daemon allows software builds to be performed under alternate
user accounts, which are normally created specifically for this
purpose. For instance, you may have a pool of accounts in the
=guixbuild= group, and then you can instruct =guix-daemon= to use them
like this:
$ guix-daemon --build-users-group=guixbuild
However, unless it is run as root, =guix-daemon= cannot switch users.
In that case, it falls back to using a setuid-root helper program call
=nix-setuid-helper=. That program is not setuid-root by default when
you install it; instead you should run a command along these lines
(assuming Guix is installed under /usr/local):
# chown root.root /usr/local/libexec/nix-setuid-helper
# chmod 4755 /usr/local/libexec/nix-setuid-helper
* Contact
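Review bot: in the new "Installing Guix as non-root" section, "chmod 4755" leaves the setuid-root helper executable by every local user, not only by the account that runs guix-daemon. Unless the helper validates its caller itself (nothing in this commit shows that), suggest recommending a dedicated group that contains the daemon's user, with the helper owned by root and that group and installed with mode 4750, and stating the reason in the text. Two smaller points in the same paragraph: "helper program call =nix-setuid-helper=" should read "called", and "chown root.root" uses the non-POSIX dot separator where "root:root" is the portable form.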

10
daemon.am

@ -136,6 +136,16 @@ guix_daemon_LDADD = \
guix_daemon_headers = \
nix/nix-daemon/shared.hh
libexec_PROGRAMS = nix-setuid-helper
nix_setuid_helper_SOURCES = \
nix/nix-setuid-helper/nix-setuid-helper.cc
nix_setuid_helper_CPPFLAGS = \
$(libutil_a_CPPFLAGS)
nix_setuid_helper_LDADD = \
libutil.a libformat.a
noinst_HEADERS = \
$(libformat_headers) $(libutil_headers) $(libstore_headers) \
$(guix_daemon_headers)
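Review bot: nix_setuid_helper_CPPFLAGS only reuses $(libutil_a_CPPFLAGS), and no nix_setuid_helper_CXXFLAGS or nix_setuid_helper_LDFLAGS is defined, so the one program intended to run setuid-root is compiled and linked with the same flags as everything else. Consider giving it its own hardening flags where the toolchain supports them (for instance -fPIE with -pie, -fstack-protector, -D_FORTIFY_SOURCE=2 and -Wl,-z,relro,-z,now), and a comment next to libexec_PROGRAMS noting that the installed file is deliberately not made setuid by "make install", as the README describes.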

3
test-env.in

@ -27,6 +27,7 @@
if [ -x "@abs_top_builddir@/guix-daemon" ]
then
NIX_SUBSTITUTERS="" # don't resort to substituters
NIX_SETUID_HELPER="@abs_top_builddir@/nix-setuid-helper" # normally unused
NIX_IGNORE_SYMLINK_STORE=1 # in case the store is a symlink
NIX_STORE_DIR="@GUIX_TEST_ROOT@/store"
NIX_LOCALSTATE_DIR="@GUIX_TEST_ROOT@/var"
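Review bot: the comment "# normally unused" on the NIX_SETUID_HELPER line does not say when the variable is used. Going by the README text added in this commit, the helper only comes into play when guix-daemon is not running as root and needs to switch to a build user, and the build-tree binary at "@abs_top_builddir@/nix-setuid-helper" will not be setuid-root unless someone changes it by hand. Saying that in the comment would make it clear that the test environment is not expected to exercise a privileged code path.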
@ -42,7 +43,7 @@ then
export NIX_SUBSTITUTERS NIX_IGNORE_SYMLINK_STORE NIX_STORE_DIR \
NIX_LOCALSTATE_DIR NIX_LOG_DIR NIX_STATE_DIR NIX_DB_DIR \
NIX_ROOT_FINDER
NIX_ROOT_FINDER NIX_SETUID_HELPER
# Do that because store.scm calls `canonicalize-path' on it.
mkdir -p "$NIX_STORE_DIR"
