Subject: bug#53752: guix home symlink permissions
From: Zacchaeus Scheffer
Date: Fri, 4 Feb 2022 13:17:54 -0500
To: Liliana Marie Prikler
Cc: 53752@debbugs.gnu.org, bug-guix@gnu.org

> > > I finally migrated my home configuration to guix home.  However, it
> > > seems guix home creates all symlinks with 777 permissions.  This causes
> > > problems with openssh as it will not recognize my
> > > ~/.ssh/authorized_keys.  It seems the directories have reasonable
> > > permissions (maybe because they already existed?), but it seems like
> > > someone could in theory edit the symlinks in-place (though I wasn't
> > > able to figure that out).
> Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
> write a home-activation-service, which
>
> 1. creates ~/.ssh with chmod 700
> 1a. if it already existed, enforces chmod 700 anyways
> 2. creates authorized_keys with chmod 600 if it doesn't exist
> 3. writes the authorized keys.
>

I'll try that soon (next 1-3 days), and hopefully then we can close this issue.

> I would strongly advise against that however.  While user homes are by
> default 700 in Guix, the store is world readable and so are your
> authorized keys if you put them there.  A malicious user can't
> necessarily change them, but they can spy on you.
>

For context, I keep such info in my password store, but am ok with certain things from it not being "secret".  It is already standard for public keys to be kept in the store; see:
- operating-system -> services -> openssh -> authorized-keys
and as a more extreme example, encrypted user passwords are often kept in the store; see:
- operating-system -> users -> user -> password
It's not ideal that someone can snoop my public keys, but that is worth enabling me to have private keys that can reproducibly connect to my user.  If one is worried about it, they could avoid usage of those specific private keys as much as possible, so I think it's ok...

> Guix currently has no way of securely storing your data in the store
> (in a cryptographic sense).  This is exacerbated by the fact that such
> files aren't well-encrypted by default -- user read-only is "good
> enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
> stores metadata in plain.  Emacs plstores and Recfiles likewise support
> partial encryption based on GPG.
>
> This issue has been known since June 2020 [1].  While there would in
> theory exist solutions that can work for (guix home) but not (guix
> system), I can not yet make any statements regarding their quality.
> Indeed, storing secrets with Guix is an open issue, that will likely be
> given some attention during the upcoming Guix Days.
>

At the end of the day, there will be setup that should NOT happen automatically (should require gpg passphrase input).  Currently, I do this for private keys by automatically pulling from my password store (requiring password input) using fancy emacs org tangling.  I'll look into managing even this with guix home, but that is probably a discussion for guix-devel.

Thanks all,
Zacchaeus Scheffer
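The activation steps quoted in the reply above (create ~/.ssh with mode 700, enforce 700 if it already existed, create authorized_keys with mode 600 if missing, then write the keys), as an added example that is not part of this bug thread and not Guix's own code. It is written as a plain POSIX shell function rather than as the Guile gexp a real home-activation-service would carry, so it can be run and checked directly; the function name `install_authorized_keys`, the helper `mode_of`, and the directory and key used in the check are assumptions constructed for this example. The point it demonstrates is the one the thread turns on: the keys end up in a regular file under the user's home with mode 600, not in a symlink into the world-readable /gnu/store.

```shell
#!/bin/sh
# Added example, not from the bug thread or from Guix: the four activation
# steps as a shell function. A home-activation-service would run the same
# commands from a gexp; that wrapping is not shown here.
#
# install_authorized_keys HOME_DIR KEY...
#   1.  create $HOME_DIR/.ssh with mode 700
#   1a. if it already existed, enforce mode 700 anyway
#   2.  create authorized_keys with mode 600 if it does not exist
#   3.  write the public keys into it as a regular file
install_authorized_keys() {
    home_dir=$1; shift
    ssh_dir="$home_dir/.ssh"
    keys_file="$ssh_dir/authorized_keys"

    # Steps 1 and 1a: mkdir -p is a no-op on an existing directory, and the
    # chmod afterwards tightens it no matter how it was created.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1

    # Step 2: never write through a symlink (for instance one pointing into
    # /gnu/store); replace it with a regular file owned by the user.
    if [ -L "$keys_file" ]; then
        rm -f "$keys_file" || return 1
    fi
    # Create the file under umask 077 so it is never briefly world-readable,
    # then pin the mode to 600 in case it already existed with a looser one.
    ( umask 077 && : >> "$keys_file" ) || return 1
    chmod 600 "$keys_file" || return 1

    # Step 3: write the keys, one per line, replacing any previous content.
    : > "$keys_file" || return 1
    for key in "$@"; do
        printf '%s\n' "$key" >> "$keys_file" || return 1
    done
}

# Octal permission bits of a path (GNU/BusyBox stat), used to verify results.
mode_of() {
    stat -c '%a' "$1"
}
```

Running it against a pre-existing 755 ~/.ssh that still holds a symlinked authorized_keys exercises step 1a and the symlink replacement; afterwards the directory reports 700, the file 600, and the file is no longer a symlink. Because the key content itself is a public key, the thread's concern is about where it is stored, not about secrecy of the bytes, so the example does not try to encrypt anything.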