daemon: Consider the current user as trusted.

This allows use of ‘guix gc --verify=repair’ when running guix-daemon as an unprivileged user. * nix/nix-daemon/nix-daemon.cc (acceptConnection): Consider the current user as trusted. Reported-by: David Elsing <david.elsing@posteo.net> Change-Id: I559e56cf0640e8dc9bbc510317aa2bdc024ff681
author: Ludovic Courtès <ludo@gnu.org> 2025-07-10 15:25:29 +0200
committer: Ludovic Courtès <ludo@gnu.org> 2025-07-16 23:50:51 +0200
commit: 9cd3b961e4e530b4361ef25132fc8ee9756aab4b (patch)
tree: 832f0d521682e3858530f8d74193ef24d85c4c05
parent: 38e82ca727512754c4ac9b43353255c91cadab8c (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index 9fff31a587..f2ffe8fa6f 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -963,7 +963,10 @@ static void acceptConnection(int fdSocket)
 	    clientPid = cred.pid;
 	    clientUid = cred.uid;
 	    clientGid = cred.gid;
-	    trusted = clientUid == 0;
+
+	    /* The root user is always trusted; additionally, when running as
+	       an unprivileged user, that user is also trusted.  */
+	    trusted = (clientUid == 0) || (clientUid == getuid());
 
             struct passwd * pw = getpwuid(cred.uid);
             string user = pw ? pw->pw_name : std::to_string(cred.uid);
author	Ludovic Courtès <ludo@gnu.org>	2025-07-10 15:25:29 +0200
committer	Ludovic Courtès <ludo@gnu.org>	2025-07-16 23:50:51 +0200
commit	9cd3b961e4e530b4361ef25132fc8ee9756aab4b (patch)
tree	832f0d521682e3858530f8d74193ef24d85c4c05
parent	38e82ca727512754c4ac9b43353255c91cadab8c (diff)