Looks like everything under /gnu/store is owned by guix-daemon:

$ ls -l /gnu/store | grep "guix-command"
-r--r--r-- 1 guix-daemon guix-daemon  940 Dec 31  1969 0i5p73pqh0za37zb8nz2jjs6dcwdi22r-guix-command.drv
-r-xr-xr-x 1 guix-daemon guix-daemon 1254 Dec 31  1969 2x9cd6rvkvnvkad9lyn9sw1r6hags2kd-guix-command
-r--r--r-- 1 guix-daemon guix-daemon  940 Dec 31  1969 5p0ipgq7blb4ixgh1bsg228qzjpssf7z-guix-command.drv
-r--r--r-- 1 guix-daemon guix-daemon  940 Dec 31  1969 60dds9ax06g52mbajvcrx5zybmfwnhmq-guix-command.drv
-r-xr-xr-x 1 guix-daemon guix-daemon 1254 Dec 31  1969 78n0xsrpvbsr7ysmkkjgi0kdvxc7fw6p-guix-command
-r--r--r-- 1 guix-daemon guix-daemon 1417 Dec 31  1969 7d639f2bxp0wsrnln05n9qivdggcbz21-guix-command-builder

and so on;

$ find . -type f -printf '%u\n' | sort | uniq -c | sort -nr
1296498 guix-daemon

Thanks for the question. Not sure if it's an important detail, but it looks
like the symlinks under $USER/.cache/guix/profiles are owned by me, but the
destinations under /gnu/store are owned by guix-daemon.

$ ls -l /home/$USER/.cache/guix/profiles
total 20
lrwxrwxrwx 1 irandms users 51 Aug 18 17:34 3qtve7hukxu634zssjpxq4e6smxhcovt76bmzs3l3ifxfrbbyuiq -> /gnu/store/2b3j1h9jipc6w58zwfc65x6wbrrdadhi-profile/
-rw-r--r-- 1 irandms users 10 Aug 21 05:45 last-expiry-cleanup
lrwxrwxrwx 1 irandms users 51 Aug 17 22:58 pdnta3ytreusehxd7kjtmoz6i26ge7fac3ydtfez4fmtumavcora -> /gnu/store/zij89ac21alza2g5zyaijvlqx4hrmzqm-profile/
lrwxrwxrwx 1 irandms users 51 Aug 20 23:20 sysjqjnyqkycbwd2ro5nni3ysm2ok75et6bi6q5h7fumdqym2ila -> /gnu/store/2b3j1h9jipc6w58zwfc65x6wbrrdadhi-profile/
lrwxrwxrwx 1 irandms users 51 Aug 11 21:45 xzxpocerpox26p3fjqejwq2drwt3gdz7ki4mfa76etjvspnehpqq -> /gnu/store/ndwl21x865z3nn1k1jf6r8vbd7iif9j9-profile/

$ ls -l /gnu/store/2b3j1h9jipc6w58zwfc65x6wbrrdadhi-profile/
total 4
dr-xr-xr-x 1 guix-daemon guix-daemon 5048 Dec 31  1969 bin/
...

On Thu, Aug 21, 2025 at 3:36 AM Rutherther <[email protected]> wrote:
>
> Hi irandms,
>
> radio <[email protected]> writes:
>
> > Hello fantastic Guix enthusiasts!
> >
> > I've been using the Guix System for a bit over a year now and it's been
> > pretty fun. Following from the security issues posted in June, I became
> > interested in hardening the system further, and found the following:
> >
> > https://hpc.guix.info/blog/2025/03/build-daemon-drops-its-privileges/
> >
> > This led me to
> > https://guix.gnu.org/manual/devel/en/html_node/Build-Environment-Setup.html#Daemon-Running-Without-Privileges
> > and ultimately
> > https://guix.gnu.org/manual/devel/en/html_node/Base-Services.html#guix_002dconfiguration_002dtype
> > , revealing that setting privileged to #f within my guix-configuration
> > would allow me to swap over to the rootless build daemon.
> >
> > So what I did was define this in my system.scm:
> >
> > (define rootless-guix-daemon
> >   (modify-services %base-services
> >     (guix-service-type
> >      config => (guix-configuration
> >                 (privileged? #f)))))
> >
> > And appended my existing list of services to this rootless-guix-daemon,
> > rather than %base-services, in my system.scm.
> >
> > It seems like things more or less worked after that, but I noticed that
> > guix gc would fail, and I didn't end up finding an obvious answer. I
> > figured the migration may have been messed up since I had many generations
> > in place already in the store, and it sounds like filesystem permission
> > changes would be involved to make /gnu/store accessible to the non-root
> > daemon users/groups.
> >
> > Unrelated to that, I got a new storage device and decided to do a fresh
> > install, figuring that this time since I would be reusing my system.scm
> > that my store could be set up "from the very beginning" to use rootless
> > Guix builds.
> >
> > Unfortunately, I still see the same issues - or similar enough ones - and
> > have not been able to run guix gc this entire time, leading to disk space
> > slowly disappearing as I continue to create new generations:
> >
> > irandms@firelink ~> guix gc
> > finding garbage collector roots...
> > removing stale link from `/var/guix/gcroots/auto/f011k8wxdbzhp0k92b2s8a0ld2w626ii' to `/home/irandms/.cache/guix/profiles/qil6j44krodwz7bmtn6cflnkh7yjwxuec7qrvltflevq3graktyq'
> > removing stale link from `/var/guix/gcroots/auto/wg6rbbqbszcm3qrha8jjjhz6wf73wc3i' to `/home/irandms/.cache/guix/profiles/p6tfph2p743qhrxub24lw5fftujirj7v45e2b2xvawk7krjfhh3q'
> > removing stale link from `/var/guix/gcroots/auto/w0r0i9y06argglwg22lv91wg157dvx8v' to `/home/irandms/.cache/guix/profiles/t37ttccjtewrggfiutxb5jz3c23tsiklsdi2zr6qcvnahwotcn6q'
> > removing stale link from `/var/guix/gcroots/auto/7rclhnw3lysqvg8hgkbfvb4v5hnnyfa3' to `/home/irandms/.cache/guix/profiles/37uubhsdb53jtmqdh6cpfiib3hyjbfl5yhv6dnvw7rzaojeltzsa'
> > removing stale link from `/var/guix/gcroots/auto/2d7v7k5vmmdr3agmklymi41qhy8iw41m' to `/home/irandms/.cache/guix/profiles/4oqmejpiuoljny4uv4wozvpyewzj7mg7ueqprbfoeeqijtzcmmiq'
> > removing stale link from `/var/guix/gcroots/auto/xnr6gi37zyg7n92lw43jdicxb416rax3' to `/home/irandms/.cache/guix/profiles/tzqgpkskscayqletb3ehdz7725ff2klsvtw4wdhso6rw3wjqv45a'
> > removing stale link from `/var/guix/gcroots/auto/671qjr4ma1v16qn0p99xn73j5bymhcpa' to `/home/irandms/.cache/guix/profiles/utqsir2fxsipoaq77bzexenvh3xezc7kckpb242lvvrl3kaie54a'
> > removing stale link from `/var/guix/gcroots/auto/5apxj94305vr6wpvrrj8wibg1xlklgxv' to `/home/irandms/.cache/guix/profiles/jmuajyp4jk56727sc2wid3feeju5rtncp6ql4tdjz5afd5l7cl6a'
> > removing stale link from `/var/guix/gcroots/auto/rafgib0497hjb8vvlgfclyjpibzlzsgy' to `/home/irandms/.cache/guix/profiles/eqqltc2o56tg6ej2ekovmxnrjq6aogf3tydq3xfzohmnvovujera'
> > guix gc: error: program `/gnu/store/v0jn99jlpdy6449apv91x752h39q9y51-guix-1.4.0-41.826e305/bin/guix' failed with exit code 1
> >
> > I initially asked a question a few weeks ago in IRC if anyone
> > experienced issues with guix gc after changing this parameter
> > (privileged?), but didn't seem to get any response.
> >
> > I was hoping someone here could point me in the right direction to debug
> > guix gc, or just know outright what the issue is. I imagine this is related
> > to filesystem permission/visibility, but even after trying to (very
> > hackily) modify permissions to both restrictive and permissive settings
> > (e.g. chmod 777 recursively on /gnu) on my old/previous drive's Guix
> > System, it still seemed quite broken, with guix gc failing with exit code 1.
>
> So who owns the file in your /gnu/store? - Are all files in there owned
> by the non-root daemon user?
>
> Rutherther
>
> >
> > Thanks to anyone who can help me figure this out, and to all the
> > contributors to this awesome project.
> >
> > - irandms
>
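The two things the thread inspects by hand (who owns the store items, and which gcroots are dangling) can be scripted so the same check is repeatable after a migration to privileged? #f. The helpers below are an added example, not part of Guix or of the thread; they take the directories and the expected daemon user as arguments (assumed to be /gnu/store, /var/guix/gcroots/auto and guix-daemon on a live system) and rely on GNU find's -printf, as the thread's own one-liner does.

```shell
#!/bin/sh
# Added diagnostic helpers for the rootless-daemon case discussed in the
# thread; not Guix tooling. Each function takes the directory to inspect as
# an argument so it can be pointed at /gnu/store or /var/guix/gcroots/auto,
# or at a constructed tree. Assumes GNU find (-printf).

# Ownership histogram of regular files under STORE (the thread's one-liner).
owner_summary() {
  find "$1" -type f -printf '%u\n' | sort | uniq -c | sort -nr
}

# Print how many regular files under STORE are not owned by EXPECTED_USER.
# With privileged? #f every store item should belong to the daemon user, so
# a non-zero count points at items left behind by a privileged (root) daemon.
count_foreign_files() {
  # grep -c prints 0 but exits 1 when nothing matches, hence the || true.
  find "$1" -type f -printf '%u\n' | grep -Fvcx -- "$2" || true
}

# Print the regular files under STORE whose owner is not EXPECTED_USER, for
# inspection before rerunning guix gc. The owner is emitted first so paths
# containing spaces survive the awk split.
list_foreign_files() {
  find "$1" -type f -printf '%u %p\n' |
    awk -v u="$2" '$1 != u { sub(/^[^ ]+ /, ""); print }'
}

# Print how many symlinks directly under GCROOTS_DIR dangle. These are the
# entries guix gc reports as "removing stale link from ..." before it fails.
count_stale_gcroots() {
  n=0
  for link in "$1"/*; do
    [ -L "$link" ] || continue
    [ -e "$link" ] || n=$((n + 1))
  done
  echo "$n"
}

# Usage: sh store-audit.sh /gnu/store /var/guix/gcroots/auto guix-daemon
if [ "$#" -eq 3 ]; then
  echo "owners under $1:"; owner_summary "$1"
  echo "files under $1 not owned by $3: $(count_foreign_files "$1" "$3")"
  echo "dangling gcroots under $2: $(count_stale_gcroots "$2")"
fi
```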
