unofficial mirror of bug-guix@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: Elias Kueny <elias.kueny@posteo.net>
Cc: 57217@debbugs.gnu.org
Subject: bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
Date: Fri, 23 Sep 2022 09:13:47 +0200
Message-ID: <8735ciftqs.fsf@gnu.org>
In-Reply-To: <877d3ais5w.fsf@posteo.net> (Elias Kueny's message of "Sun, 14 Aug 2022 18:04:14 +0000")

Hi Elias,

Elias Kueny <elias.kueny@posteo.net> writes:

> The files are created with too open permissions, so ssh refuses to run:
>
>  $ ssh xxx
>  Bad owner or permissions on ~/.ssh/config
>
>  $ ls -l .ssh
>  lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
>  lrwxrwxrwx 1 user users  52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

--8<---------------cut here---------------start------------->8---
$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

The relevant check in OpenSSH is this:

--8<---------------cut here---------------start------------->8---
      if (fstat(fileno(f), &sb) == -1)
              fatal("fstat %s: %s", filename, strerror(errno));
      if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
          (sb.st_mode & 022) != 0))
              fatal("Bad owner or permissions on %s", filename);
--8<---------------cut here---------------end--------------->8---

That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:

--8<---------------cut here---------------start------------->8---
$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.


Thread overview:
2022-08-14 18:04 bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions Elias Kueny
2022-09-23  7:13 ` Ludovic Courtès [this message]
2022-09-23 20:15   ` Ludovic Courtès
