summary refs log tree commit diff
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2014-06-04 22:19:30 +0200
committerLudovic Courtès <ludo@gnu.org>2014-06-04 22:19:30 +0200
commit185f669109eb56b61c3d51dc8b2e3eeded9b2be9 (patch)
tree8024e91e4f644e3de117307fe4c08510f820ad41
parent3d116a70f9b18027b31be2e11e8c9c9192622607 (diff)
downloadguix-185f669109eb56b61c3d51dc8b2e3eeded9b2be9.tar.gz
services: Make sure the store's group is the build group.
* gnu/services/base.scm (guix-service)[activate]: New variable.  Add
  'chown' call for (%store-prefix).  Set the 'activate' field to
  ACTIVATE.
* guix/build/install.scm (directives): Add comment about STORE's group.
-rw-r--r--gnu/services/base.scm18
-rw-r--r--guix/build/install.scm5
2 files changed, 19 insertions, 4 deletions
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 3f7f453c9b..94fa919c0f 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -17,6 +17,8 @@
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu services base)
+  #:use-module ((guix store)
+                #:select (%store-prefix))
   #:use-module (gnu services)
   #:use-module (gnu system shadow)                ; 'user-account', etc.
   #:use-module (gnu system linux)                 ; 'pam-service', etc.
@@ -348,7 +350,6 @@ GUIX."
                   (port (open-file key "r0b")))
              (format #t "registering public key '~a'...~%" key)
              (close-port (current-input-port))
-             ;; (close-fdes 0)
              (dup port 0)
              (execl (string-append #$guix "/bin/guix")
                     "guix" "archive" "--authorize")
@@ -367,6 +368,18 @@ BUILD-ACCOUNTS user accounts available under BUILD-USER-GID.
 When AUTHORIZE-HYDRA-KEY? is true, the hydra.gnu.org public key provided by
 GUIX is authorized upon activation, meaning that substitutes from
 hydra.gnu.org are used by default."
+  (define activate
+    #~(begin
+        ;; Make sure the store has BUILDER-GROUP as its group.  This may fail
+        ;; with EACCES when the store is a 9p mount, so catch exceptions.
+        (false-if-exception
+         (chown #$(%store-prefix) 0
+                (group:gid (getgrnam #$builder-group))))
+
+        ;; Optionally authorize hydra.gnu.org's key.
+        #$(and authorize-hydra-key?
+               (hydra-key-authorization guix))))
+
   (mlet %store-monad ((accounts (guix-build-accounts build-accounts
                                                      #:group builder-group)))
     (return (service
@@ -383,8 +396,7 @@ hydra.gnu.org are used by default."
                                  (name builder-group)
                                  (members (map user-account-name
                                                user-accounts)))))
-             (activate (and authorize-hydra-key?
-                            (hydra-key-authorization guix)))))))
+             (activate activate)))))
 
 (define %base-services
   ;; Convenience variable holding the basic services.
diff --git a/guix/build/install.scm b/guix/build/install.scm
index afa7d1dd8f..ea787b63e2 100644
--- a/guix/build/install.scm
+++ b/guix/build/install.scm
@@ -73,7 +73,10 @@ directory TARGET."
 (define (directives store)
   "Return a list of directives to populate the root file system that will host
 STORE."
-  `((directory ,store 0 0)
+  `(;; Note: The store's group is changed to the "guixbuild" group at
+    ;; activation time.
+    (directory ,store 0 0)
+
     (directory "/etc")
     (directory "/var/log")                          ; for dmd
     (directory "/var/guix/gcroots")