From a quick glance, Guix seems to have a similar learning curve as Nix (at least it's based on Scheme, which I know). Is that impression correct? Anyway, I didn't find this “intuitively comprehensible” as an outsider.
rnhmjoj · 1h ago
Does GNU Shepherd support some form of sanboxing?
systemd has many options to reduce the privileges of a service: like running as a normal user with only certain POSIX capabilities, setting up a mount namespace with a limited view of the root filesystem, locking down which system calls can be invoked, etc.
einpoklum · 1h ago
Two notes from reading the first several paragraphs:
1.
It seems one needs to know some Scheme in order to write these files:
I don't think it's possible to just "wing it" by copy-and-paste.
2.
I did not understand the introductory paragraph about how services "extend" each other. Does every service have hooks for possible extensions? What if a new service doesn't fit existing extension hooks?
(I can understand service dependencies of course, but it seems to go beyond that.)
systemd has many options to reduce the privileges of a service: like running as a normal user with only certain POSIX capabilities, setting up a mount namespace with a limited view of the root filesystem, locking down which system calls can be invoked, etc.
1. It seems one needs to know some Scheme in order to write these files:
https://www.scheme.org/
I don't think it's possible to just "wing it" by copy-and-paste.
2. I did not understand the introductory paragraph about how services "extend" each other. Does every service have hooks for possible extensions? What if a new service doesn't fit existing extension hooks?
(I can understand service dependencies of course, but it seems to go beyond that.)