Hi Pjotr, > On Fri, Jan 19, 2018 at 02:41:42PM +0100, Ludovic Courtès wrote: >> Authorizing keys is necessarily limited to root since the store is >> shared among all users of the machine. I don’t see any way around that > > Well, the daemon could update itself with its own privileges.
I think Ludo’s point is that this is a security issue, not a technical limitation. > How > about maintaining authentication for a channel at runtime in RAM. When > the daemon restarts it is lost. The channel will not be shared with > other users. So every user maintains their own channels. When a > channel reconnects it authenticates itself again. It all ends up in the store though and is thus available to everybody. > There really is no reason to share individual channels between users > (other then their outputs). Yes, channel configuration and state is kept in the user’s home directory. But authorization for downloading and installing substitutes in /gnu/store currently still falls to root. -- Ricardo GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC https://elephly.net
