services: package-database: Run ‘guix locate’ without root privileges.

* gnu/services/admin.scm (%package-database-file) (%package-database-accounts, %package-database-activation): New variables. (package-database-shepherd-services): Pass explicit ‘--database’ flag to ‘guix locate’. Pass #:user and #:group to ‘command’. Pass #:log-file. (package-database-service-type): Extend ‘activation-service-type’ and ‘account-service-type’. Change-Id: Ifbf65e004766d049d99a16e163339ac168c1f73c Signed-off-by: Ludovic Courtès <ludo@gnu.org> Merges: #7527
author: Ludovic Courtès <ludo@gnu.org> 2026-03-27 18:02:05 +0100
committer: Ludovic Courtès <ludo@gnu.org> 2026-04-04 00:30:52 +0200
commit: 985715e1e33b463e09709c947dd5b185c187e64f (patch)
tree: 58bafb60f888b73ce887775e8322c1ee8b7653dc /gnu/services
parent: cfd36ce667897deefc1a79b47ca2b13e3d17ecf1 (diff)
1 files changed, 37 insertions, 5 deletions
diff --git a/gnu/services/admin.scm b/gnu/services/admin.scm
index 2e310983b8b..0829d67574a 100644
--- a/gnu/services/admin.scm
+++ b/gnu/services/admin.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
-;;; Copyright © 2016-2025 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2016-2026 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2023 Giacomo Leidi <therewasa@fishinthecalculator.me>
 ;;; Copyright © 2024 Gabriel Wicki <gabriel@erlikon.ch>
@@ -380,6 +380,31 @@ terms of CPU and input/output.")
             "G-exp denoting the channels to use when updating the database
 (@pxref{Channels})."))
 
+(define %package-database-file
+  ;; System-wide package database used by 'guix locate'.
+  ;; See 'system-database-file' in (guix scripts locate).
+  "/var/cache/guix/locate/db.sqlite")
+
+(define %package-database-accounts
+  (list (user-account
+          (name "guix-locate")
+          (group "guix-locate")
+          (system? #t)
+          (comment "Account running 'guix locate'")
+          (home-directory "/var/run/guix-locate"))
+        (user-group
+          (name "guix-locate")
+          (system? #t))))
+
+(define %package-database-activation
+  ;; Create the package database directory at activation time.  Make it
+  ;; writable by 'guix-locate' and world-readable.
+  #~(begin
+      (use-modules (guix build utils))
+      (let ((directory #$(dirname %package-database-file))
+            (owner (getpwnam "guix-locate")))
+        (mkdir-p/perms directory owner #o755))))
+
 (define (package-database-shepherd-services configuration)
   (match-record configuration <package-database-configuration>
     (package schedule method channels)
@@ -388,8 +413,6 @@ terms of CPU and input/output.")
              (provision '(package-database-update))
              (requirement '(user-processes guix-daemon))
              (modules '((shepherd service timer)))
-             ;; XXX: The whole thing's running as "root" just because it needs
-             ;; write access to /var/cache/guix/locate.
              (start #~(make-timer-constructor
                        #$(if (string? schedule)
                              #~(cron-string->calendar-event #$schedule)
@@ -397,8 +420,13 @@ terms of CPU and input/output.")
                        (command '(#$(file-append package "/bin/guix")
                                   "time-machine" "-C" #$channels
                                   "--" "locate" "--update"
+                                  #$(string-append "--database="
+                                                   %package-database-file)
                                   #$(string-append
-                                     "--method=" (symbol->string method))))
+                                     "--method=" (symbol->string method)))
+                                #:user "guix-locate"
+                                #:group "guix-locate")
+                       #:log-file "/var/log/guix-locate.log"
                        #:wait-for-termination? #t))
              (stop #~(make-timer-destructor))
              (documentation
@@ -410,7 +438,11 @@ be queried by the 'guix locate' command.")
   (service-type
    (name 'package-database)
    (extensions (list (service-extension shepherd-root-service-type
-                                        package-database-shepherd-services)))
+                                        package-database-shepherd-services)
+                     (service-extension activation-service-type
+                                        (const %package-database-activation))
+                     (service-extension account-service-type
+                                        (const %package-database-accounts))))
    (description
     "Periodically update the package database used by the @code{guix locate} command,
 which lets you search for packages that provide a given file.")
author	Ludovic Courtès <ludo@gnu.org>	2026-03-27 18:02:05 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2026-04-04 00:30:52 +0200
commit	985715e1e33b463e09709c947dd5b185c187e64f (patch)
tree	58bafb60f888b73ce887775e8322c1ee8b7653dc /gnu/services
parent	cfd36ce667897deefc1a79b47ca2b13e3d17ecf1 (diff)