Hello, b...@bokr.com writes: > Naively: > > Why does "the" guix daemon per se need root access at all?
The main thing is that all files in the store end up being written by the guix daemon user. So if we want the files to be easily substitutable, they'd need to have a fixed uid/gid, and the only one we can guarantee is root. Other than that, it needs to use a bunch of Linux namespaces to isolate the builds from the rest of the system, which depending on the kernel build-time configuration might not be possible when unprivileged. Best, -- Josselin Poiret
