diff options
Diffstat (limited to 'doc/guix.texi')
| -rw-r--r-- | doc/guix.texi | 34 |
1 files changed, 17 insertions, 17 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 96d545698f..2aef0380fb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -96,10 +96,9 @@ Copyright @copyright{} 2021 Domagoj Stolfa@* Copyright @copyright{} 2021 Hui Lu@* Copyright @copyright{} 2021 pukkamustard@* Copyright @copyright{} 2021 Alice Brenon@* -Copyright @copyright{} 2021 Josselin Poiret@* +Copyright @copyright{} 2021, 2022 Josselin Poiret@* Copyright @copyright{} 2021 Andrew Tropin@* Copyright @copyright{} 2021 Sarah Morgensen@* -Copyright @copyright{} 2021 Josselin Poiret@* Copyright @copyright{} 2022 Remco van 't Veer@* Copyright @copyright{} 2022 Aleksandr Vityazev@* Copyright @copyright{} 2022 Philip M@sup{c}Grath@* @@ -339,7 +338,7 @@ System Configuration * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with root privileges. +* Setuid Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -15414,7 +15413,7 @@ instance to support new system services. * Keyboard Layout:: How the system interprets key strokes. * Locales:: Language and cultural convention settings. * Services:: Specifying system services. -* Setuid Programs:: Programs running with root privileges. +* Setuid Programs:: Programs running with elevated privileges. * X.509 Certificates:: Authenticating HTTPS servers. * Name Service Switch:: Configuring libc's name service switch. * Initial RAM Disk:: Linux-Libre bootstrapping. @@ -25543,10 +25542,10 @@ The complete set of available configuration options is detailed below. Available @code{jami-configuration} fields are: @table @asis -@item @code{jamid} (default: @code{libjami}) (type: package) +@item @code{libjami} (default: @code{libjami}) (type: package) The Jami daemon package to use. -@item @code{dbus} (default: @code{dbus}) (type: package) +@item @code{dbus} (default: @code{dbus-for-jami}) (type: package) The D-Bus package to use to start the required D-Bus session. @item @code{nss-certs} (default: @code{nss-certs}) (type: package) @@ -35202,11 +35201,11 @@ that compression will be 2:1, it is possible that uncompressable data can be written to swap and this is a method to limit how much memory can be used. It accepts a string and can be a number of bytes or use a suffix, eg.: @code{"2G"}. -@item @code{priority} (default @code{-1}) +@item @code{priority} (default @code{#f}) This is the priority of the swap device created from the zram device. -@code{swapon} accepts values between -1 and 32767, with higher values -indicating higher priority. Higher priority swap will generally be used -first. +@xref{Swap Space} for a description of swap priorities. You might want +to set a specific priority for the zram device, otherwise it could end +up not being used much for the reasons described there. @end table @end deftp @@ -35755,22 +35754,23 @@ Extra command line options for @code{nix-service-type}. @section Setuid Programs @cindex setuid programs -Some programs need to run with ``root'' privileges, even when they are +@cindex setgid programs +Some programs need to run with elevated privileges, even when they are launched by unprivileged users. A notorious example is the @command{passwd} program, which users can run to change their password, and which needs to access the @file{/etc/passwd} and @file{/etc/shadow} files---something normally restricted to root, for -obvious security reasons. To address that, these executables are -@dfn{setuid-root}, meaning that they always run with root privileges +obvious security reasons. To address that, @command{passwd} should be +@dfn{setuid-root}, meaning that it always runs with root privileges (@pxref{How Change Persona,,, libc, The GNU C Library Reference Manual}, for more info about the setuid mechanism). The store itself @emph{cannot} contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (@pxref{The Store}). Thus, a different mechanism is -used: instead of changing the setuid bit directly on files that are in -the store, we let the system administrator @emph{declare} which programs -should be setuid root. +used: instead of changing the setuid or setgid bits directly on files that +are in the store, we let the system administrator @emph{declare} which +programs should be entrusted with these additional privileges. The @code{setuid-programs} field of an @code{operating-system} declaration contains a list of @code{<setuid-program>} denoting the @@ -38000,7 +38000,7 @@ pointing to the given file. @defvr {Scheme Variable} setuid-program-service-type Type for the ``setuid-program service''. This service collects lists of executable file names, passed as gexps, and adds them to the set of -setuid-root programs on the system (@pxref{Setuid Programs}). +setuid and setgid programs on the system (@pxref{Setuid Programs}). @end defvr @defvr {Scheme Variable} profile-service-type |