Maxime Devos <maximede...@telenet.be> wrote:

> Ludovic Courtès wrote on Sat 02-10-2021 at 16:27 [+0200]:
>> Maxime Devos <maximede...@telenet.be> wrote:
>>
>> > Ludovic Courtès wrote on Tue 28-09-2021 at 14:21 [+0200]:
>> > > Hi,
>> > >
>> > > Joshua Branson <jbra...@dismail.de> wrote:
>> > >
>> > > > Apologies if I'm speaking for something I know very little
>> > > > about... Wouldn't it be nice if guix home services would accept a user
>> > > > and a group field? For the syncthing service, perhaps the user wants to
>> > > > limit Syncthing's runtime permissions. So instead of running as the
>> > > > user, the user would run Syncthing as a different user with less
>> > > > permissions?
>> > >
>> > > That’s not possible unless the calling user is root, since you’d need
>> > > the ability to switch users somehow.
>> >
>> > On Debian, a user has a list of ‘subordinate user IDs’ which can be switched
>> > to without root:
>> > <https://manpages.debian.org/buster/uidmap/newuidmap.1.en.html>.
>> >
>> > Maybe "guix home" could use that mechanism, and this mechanism could be implemented
>> > on Guix System as well?
>>
>> Yes but that requires unprivileged user namespaces, which may or may not
>> be supported—e.g., likely unsupported when using Home on a foreign
>> distro.
>
> I don't recall newuidmap requiring unprivileged user namespaces -- it's a
> setuid binary.

Ah right. But we’re not going to do (system* "/usr/sbin/newuidmap") in service code, so that’s still a problem, no?

Thanks,
Ludo’.
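An added example, not code from this thread or from Guix: a pre-flight check that service code could run before relying on the subordinate-ID mechanism discussed above, reading a user's delegated ranges from text in the subuid(5) `owner:first_id:count` format and reporting whether a `newuidmap` helper is on `PATH` and setuid root. The sample entries, function names and the `PATH` lookup are assumptions made for illustration.

```python
import os
import shutil
import stat

# Constructed sample in subuid(5) format (owner:first_id:count); not from a real host.
SAMPLE_SUBUID = """\
alice:100000:65536
1001:165536:65536
bob:231072:1000
broken-line
carol:abc:10
"""

def subordinate_ranges(subuid_text, login, uid):
    """Return [(first_id, count)] delegated to `login` or to numeric `uid`."""
    ranges = []
    for line in subuid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3:
            continue  # malformed entry: skip it rather than guess
        owner, first, count = fields
        if owner not in (login, str(uid)):
            continue
        if not (first.isdigit() and count.isdigit()) or int(count) == 0:
            continue  # non-numeric or empty range grants nothing
        ranges.append((int(first), int(count)))
    return ranges

def id_is_delegated(ranges, target_uid):
    """True if target_uid falls inside one of the delegated ranges."""
    return any(first <= target_uid < first + count for first, count in ranges)

def helper_status(name="newuidmap"):
    """Locate the helper on PATH and check the setuid-root bit only.
    A helper installed with file capabilities instead is not detected here."""
    path = shutil.which(name)
    if path is None:
        return {"path": None, "setuid_root": False}
    st = os.stat(path)
    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    return {"path": path, "setuid_root": setuid_root}

if __name__ == "__main__":
    ranges = subordinate_ranges(SAMPLE_SUBUID, "alice", 1001)
    print(ranges, id_is_delegated(ranges, 100005), helper_status())
```

A missing helper or an empty range list means the service should fall back to running as the calling user instead of attempting the switch.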