From: Maxim Cournoyer
Subject: bug#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
Date: Thu, 27 Feb 2020 23:30:33 -0500
Message-ID: <87tv3bl4eu.fsf@apteryx.i-did-not-set--mail-host-address--so-tickle-me>
To: 39819@debbugs.gnu.org

Hello,

I spent the evening debugging why my authorized keys for the guix-service-type wouldn't appear under /etc/guix/acl upon reconfiguration (and 'guix offload test' would be unhelpfully reporting "guix offload: error: program `/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix' failed with exit code 1", see issue ).

It turns out that the guix-activation script that is supposed to add the authorized keys does this:

--8<---------------cut here---------------start------------->8---
(unless (file-exists? "/etc/guix/acl")
  (mkdir-p "/etc/guix")
  (copy-file #+default-acl "/etc/guix/acl")
  (chmod "/etc/guix/acl" #o600)))))
--8<---------------cut here---------------end--------------->8---

i.e., it doesn't do anything if a /etc/guix/acl file already exists. This means that the only time it ought to do anything is the first time the system was reconfigured (or perhaps, init?).

I would have expected the keys declared in my operating system configuration to be used along those with /etc/guix/acl, or added to it.

Maxim
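A drift check for the behaviour reported above, as an added example that is not part of the original message or of Guix: it renders the quoted activation step in shell, applies it for two successive configurations, and lists the declared keys whose `(q #...#)` point is absent from the resulting ACL. The function names, the constructed sample keys (placeholders, not valid Ed25519 points) and the choice to match on the `q` field alone are assumptions of the example.

```shell
# Added example. Key values below are constructed placeholders, not real keys.
# Print the normalized (q#HEX#) points found in an s-expression file.
q_points() {
    tr -d ' \t\r\n' < "$1" | grep -o '(q#[0-9A-Fa-f]*#)' | tr 'a-f' 'A-F' | sort -u
}

# missing_keys ACL KEYFILE...: print key files whose point is not in ACL (status 1 if any).
missing_keys() {
    acl=$1; shift; rc=0
    acl_points=$(q_points "$acl")
    for key in "$@"; do
        point=$(q_points "$key")
        if [ -z "$point" ] || ! printf '%s\n' "$acl_points" | grep -qxF "$point"; then
            printf '%s\n' "$key"
            rc=1
        fi
    done
    return "$rc"
}

# Build an ACL in the (acl (entry KEY (tag (guix import))) ...) layout.
make_acl() {
    out=$1; shift
    { printf '(acl\n'
      for k in "$@"; do printf ' (entry %s (tag (guix import)))\n' "$(cat "$k")"; done
      printf ')\n'; } > "$out"
}

# Shell rendering of the quoted activation step: copy only when no ACL exists.
activate() {
    [ -e "$2/acl" ] || { mkdir -p "$2" && cp "$1" "$2/acl" && chmod 600 "$2/acl"; }
}

# Two successive reconfigurations; the second declares an extra key.
demo() {
    d=$(mktemp -d)
    printf '(public-key (ecc (curve Ed25519) (q #AA11#)))\n' > "$d/old.pub"
    printf '(public-key (ecc (curve Ed25519) (q #bb22#)))\n' > "$d/new.pub"
    make_acl "$d/gen1.acl" "$d/old.pub"
    make_acl "$d/gen2.acl" "$d/old.pub" "$d/new.pub"
    activate "$d/gen1.acl" "$d/etc"
    activate "$d/gen2.acl" "$d/etc"    # no-op: the ACL already exists
    missing_keys "$d/etc/acl" "$d/old.pub" "$d/new.pub" && res=0 || res=1
    rm -rf "$d"
    return "$res"
}

demo || echo "the key files listed above are declared but not authorized"
```

On a real system, `missing_keys /etc/guix/acl` followed by the public key files named in the operating system configuration performs the same comparison.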