From: Maxim Cournoyer
To: 39819@debbugs.gnu.org
Subject: bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
Date: Thu, 27 Feb 2020 23:32:53 -0500
Message-ID: <87pndzl4ay.fsf@gmail.com>
In-Reply-To: <87tv3bl4eu.fsf@apteryx.i-did-not-set--mail-host-address--so-tickle-me>

Maxim Cournoyer writes:

> Hello,
>
> I spent the evening debugging why my authorized keys for the
> guix-service-type wouldn't appear under /etc/guix/acl upon
> reconfiguration (and 'guix offload test' would be unhelpfully reporting
> "guix offload: error: program
> `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
> failed with exit code 1", see issue ).
>
> It turns out that the guix-activation script that is supposed to add the
> authorized keys does this:
>
>   (unless (file-exists? "/etc/guix/acl")
>     (mkdir-p "/etc/guix")
>     (copy-file #+default-acl "/etc/guix/acl")
>     (chmod "/etc/guix/acl" #o600)))))
>
> i.e., it doesn't do anything if a /etc/guix/acl file already exists.
> This means that the only time it ought to do anything is the first time
> the system was reconfigured (or perhaps, init?).
>
> I would have expected the keys declared in my operating system
> configuration to be used along with those in /etc/guix/acl, or added to it.

I forgot to mention, the above code is from (gnu services base), more
specifically from the `substitute-key-authorization' procedure.
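
Because the activation snippet quoted above leaves an existing /etc/guix/acl untouched, the on-disk ACL can drift from the keys declared in the operating system configuration. The following audit sketch is an added example, not part of the original message and not Guix code: it compares the two, assuming keys appear in the `(q #HEX#)` s-expression layout; the function names and the sample ACL and key values are constructed for illustration.

```python
import re

# Constructed sample data: these key values are made up for illustration.
KEY_A = "A" * 64
KEY_B = "B" * 64

SAMPLE_ACL = f"""(acl
 (entry
  (public-key
   (ecc
    (curve Ed25519)
    (q #{KEY_A}#)))
  (tag
   (guix import))))
"""

# Stand-ins for the contents of the key files listed as authorized keys.
SAMPLE_DECLARED = [
    f"(public-key (ecc (curve Ed25519) (q #{KEY_A}#)))",
    f"(public-key (ecc (curve Ed25519) (q #{KEY_B}#)))",
]

# Assumption: each ECC key point is hex between '#' marks in a (q ...) element.
Q_RE = re.compile(r"\(\s*q\s+#([0-9A-Fa-f\s]+)#\s*\)")


def key_points(sexp_text):
    """Return the set of key points (normalised upper-case hex) in the text."""
    return {re.sub(r"\s+", "", m).upper() for m in Q_RE.findall(sexp_text)}


def acl_drift(acl_text, declared_key_texts):
    """Compare the on-disk ACL with the keys declared in the system config."""
    in_acl = key_points(acl_text)
    declared = set()
    for text in declared_key_texts:
        declared |= key_points(text)
    return {
        "missing": sorted(declared - in_acl),     # declared but not in the ACL
        "undeclared": sorted(in_acl - declared),  # in the ACL but not declared
    }


if __name__ == "__main__":
    for kind, keys in acl_drift(SAMPLE_ACL, SAMPLE_DECLARED).items():
        for key in keys:
            print(f"{kind}: {key}")
```

Reading /etc/guix/acl requires root, since the activation code sets it to mode 600. An "undeclared" entry is a key the daemon still accepts even though the configuration no longer lists it.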