unofficial mirror of bug-guix@gnu.org 
From: Liliana Marie Prikler <liliana.prikler@ist.tugraz.at>
To: Zacchaeus Scheffer <zaccysc@gmail.com>, 53752@debbugs.gnu.org
Subject: bug#53752: guix home symlink permissions
Date: Fri, 04 Feb 2022 10:58:22 +0100
Message-ID: <af6b7c3774458e0c199f3ffc33dd6cebfc4e9ccd.camel@ist.tugraz.at>
In-Reply-To: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@mail.gmail.com>

On Thursday, 03.02.2022 at 13:08 -0500, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it
> seems guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't
> able to figure that out).
Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
write a home-activation-service, which

1. creates ~/.ssh with chmod 700
1a. if it already existed, enforces chmod 700 anyways
2. creates authorized_keys with chmod 600 if it doesn't exist
3. writes the authorized keys.

I would strongly advise against that however.  While user homes are by
default 700 in Guix, the store is world readable and so are your
authorized keys if you put them there.  A malicious user can't
necessarily change them, but they can spy on you.

Guix currently has no way of securely storing your data in the store
(in a cryptographic sense).  This is exacerbated by the fact that such
files aren't well-encrypted by default -- user read-only is "good
enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
stores metadata in plain.  Emacs plstores and Recfiles likewise support
partial encryption based on GPG.

This issue has been known since June 2020 [1].  While there would in
theory exist solutions that can work for (guix home) but not (guix
system), I cannot yet make any statements regarding their quality.
Indeed, storing secrets with Guix is an open issue, that will likely be
given some attention during the upcoming Guix Days.

Cheers

[1] https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00091.html
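The three activation steps sketched in the message above, written out as plain POSIX shell rather than as a Guix home service. This is an added example and not code from the thread or from Guix; it assumes GNU coreutils (`stat -c`, `readlink -f`) and adds one check of its own, `authorized_keys_is_private`, which resolves the file sshd would actually read and fails when that target is a symlink into a location readable by others (the world-readable store case the message warns about). The sample key line is constructed.

```shell
#!/bin/sh
# Added example: steps 1, 1a, 2 and 3 from the message as shell functions,
# plus a privacy check. Assumes GNU coreutils for stat -c and readlink -f.

# Step 1/1a: create ~/.ssh if missing and enforce 0700 either way.
ensure_ssh_dir() {
    dir="$1/.ssh"
    mkdir -p "$dir"
    chmod 700 "$dir"
}

# Steps 2/3: write the keys into a private temporary file, then atomically
# replace authorized_keys, so no reader ever sees a half-written or
# briefly group/world-readable file.
write_authorized_keys() {
    home="$1"; keys_src="$2"
    ensure_ssh_dir "$home"
    target="$home/.ssh/authorized_keys"
    old_umask=$(umask)
    umask 077                       # new files are 0600 from the start
    tmp="$home/.ssh/.authorized_keys.tmp.$$"
    cp "$keys_src" "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
    umask "$old_umask"
}

# Check (added here, not from the thread): the path that is reached after
# resolving symlinks must be a regular file owned by the caller whose
# group and other permission bits are all zero. A symlink whose target
# lives in a world-readable tree such as /gnu/store fails this check.
authorized_keys_is_private() {
    real=$(readlink -f "$1/.ssh/authorized_keys") || return 1
    [ -f "$real" ] || return 1
    [ "$(stat -c '%u' "$real")" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$real")
    case "$mode" in
        *00) return 0 ;;            # e.g. 600 or 400: private
        *)   return 1 ;;            # any group/other bit set
    esac
}

# Usage: sh this_script.sh /home/user /path/to/keys.txt
if [ "$#" -eq 2 ]; then
    write_authorized_keys "$1" "$2"
    if authorized_keys_is_private "$1"; then
        echo "authorized_keys installed with private permissions"
    else
        echo "warning: authorized_keys is readable by others" >&2
    fi
fi
```

The atomic `mv` matters as much as the final `chmod`: a plain `cat > authorized_keys` inherits the caller's umask and can be readable by others until the `chmod` runs.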


Thread overview: 9+ messages
2022-02-03 18:08 bug#53752: guix home symlink permissions Zacchaeus Scheffer
2022-02-03 19:56 ` Thiago Jung Bauermann via Bug reports for GNU Guix
2022-02-03 21:22   ` Zacchaeus Scheffer
2022-02-03 23:06     ` Thiago Jung Bauermann via Bug reports for GNU Guix
2022-02-04  9:58 ` Liliana Marie Prikler [this message]
2022-02-04 18:17   ` Zacchaeus Scheffer
2022-02-07 19:47     ` Zacchaeus Scheffer
2022-02-07 21:02       ` Maxime Devos
2022-02-08  7:01         ` Liliana Marie Prikler
