Subject: bug#53752: guix home symlink permissions
From: Liliana Marie Prikler
To: Zacchaeus Scheffer, 53752@debbugs.gnu.org
Date: Fri, 04 Feb 2022 10:58:22 +0100
List-Id: Bug reports for GNU Guix
On Thursday, 03.02.2022 at 13:08 -0500, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it
> seems guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't
> able to figure that out).

Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
write a home-activation-service, which
1. creates ~/.ssh with chmod 700
1a. if it already existed, enforces chmod 700 anyways
2. creates authorized_keys with chmod 600 if it doesn't exist
3. writes the authorized keys.

I would strongly advise against that however. While user homes are by
default 700 in Guix, the store is world readable and so are your
authorized keys if you put them there. A malicious user can't
necessarily change them, but they can spy on you.

Guix currently has no way of securely storing your data in the store (in
a cryptographic sense). This is exacerbated by the fact that such files
aren't well-encrypted by default -- user read-only is "good enough" in
many cases, e.g. gnome-keyring does encrypt passwords, but stores
metadata in plain. Emacs plstores and Recfiles likewise support partial
encryption based on GPG. This issue has been known since June 2020 [1].

While there would in theory exist solutions that can work for (guix
home) but not (guix system), I cannot yet make any statements regarding
their quality. Indeed, storing secrets with Guix is an open issue that
will likely be given some attention during the upcoming Guix Days.

Cheers

[1] https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00091.html
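The activation steps listed in the reply, as an added shell example that is not from the bug thread or from Guix itself: it creates ~/.ssh with mode 700 (enforcing it if the directory existed), creates authorized_keys with mode 600, writes the keys from a file kept outside the store, and refuses to proceed if authorized_keys is already a symlink, since a symlink into the world-readable store is exactly the exposure the reply warns about. The home directory, the key-source path and the demo key are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from Guix; the home
# directory and key-source file are parameters assumed here.
set -eu

# Steps 1, 1a, 2 and 3 from the reply, plus a refusal for the case the
# reply warns about: an authorized_keys that is a symlink (e.g. into
# /gnu/store, which every local user can read).
#   $1 - home directory to operate on
#   $2 - file holding the public keys to install (kept outside the store)
install_authorized_keys() {
  home="$1"
  src="$2"
  sshdir="$home/.ssh"
  keys="$sshdir/authorized_keys"

  # 1. create ~/.ssh with mode 700; 1a. enforce 700 even if it existed
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"

  # refuse a symlinked authorized_keys: a target in the store would make
  # the keys readable by every local user
  if [ -L "$keys" ]; then
    echo "refusing: $keys is a symlink to $(readlink "$keys")" >&2
    return 1
  fi

  # 2. create authorized_keys with mode 600 if it does not exist
  #    (umask 077 so it is never briefly world readable)
  if [ ! -f "$keys" ]; then
    (umask 077; : > "$keys")
  fi
  chmod 600 "$keys"

  # 3. write the authorized keys into the already-600 file
  cat "$src" > "$keys"
}

# Octal mode of a path (GNU/busybox stat), so callers can verify the result.
mode_of() {
  stat -c '%a' "$1"
}

# Stand-alone demo on a constructed temporary home with a fake key.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL demo@example\n' \
  > "$demo_home/keys.pub"
install_authorized_keys "$demo_home" "$demo_home/keys.pub"
echo ".ssh=$(mode_of "$demo_home/.ssh") authorized_keys=$(mode_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```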