From: Saku Laesvuori via Bug reports for GNU Guix <bug-guix@gnu.org>
To: Nicolas Graves <ngraves@ngraves.fr>
Cc: "Ludovic Courtès" <ludo@gnu.org>,
73166@debbugs.gnu.org, "Andrew Tropin" <andrew@trop.in>
Subject: bug#73166: shell-autorized-directories
Date: Sun, 10 Nov 2024 11:58:24 +0200 [thread overview]
Message-ID: <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2> (raw)
In-Reply-To: <874j4gpkbn.fsf@ngraves.fr>
[-- Attachment #1: Type: text/plain, Size: 2920 bytes --]
On Sat, Nov 09, 2024 at 03:12:44PM +0100, Nicolas Graves wrote:
> On 2024-09-11 16:11, Nicolas Graves wrote:
>
> >> That option would add a line to ‘shell-autorized-directories’?
> >
> > Yes. Actually I would like to develop a little more after thinking about
> > that.
> >
> > Let's say you git pull code from a guix-shell-authorized repo and the
> > pull includes some potentially harmful / dangerous code.
> >
> > The assumption of direnv is that the user has to allow the code to run
> > again in this case, putting more emphasis on security. This is not the
> > case in Guix, IIRC. I think it should be done in Guix too.
> >
> > Implementing that kind of additional security will indeed need such an
> > option, for this will need to actually include the hash of the file of
> > something like that.
> >
> > It's actually quite simple in direnv, they take a sha256 hash of the
> > absolute filename + the content of the file.
> > (See
> > https://github.com/nicolas-graves/python-direnv/blob/f8f0967a9772f0775ffe75a68d868c75076f5af4/direnv.py#L36)
> > That hash makes a simple file-based database where a file is allowed based
> > not only on its location but on its location+content.
> >
> > We could have two options to interact with such a database :
> > --allow
> > --revoke
>
> Here's a working draft for some code for that. This is currently able
> to properly allow or deny my direnv-validated directories. With a
> proper direnv rename, we can almost already replace
> authorized-shell-directory? function.
>
> I feel like this is a far more secure and convenient way to manage
> autorized-directories for guix shell. WDYT ?
I do agree that it seems more convenient to run `guix shell --allow`
than copy a rather long line from the hint and run it to append a line
to shell-authorized-directories.
Authorizing files instead of directories does not seem that great of an
idea to me. I doubt it really improves security that much. For example,
all my projects have a .guix/modules/xxx-package.scm file that contains
the package definition and guix.scm just loads it from that file.
Malicious code could be added here without touching the guix.scm file at
all, so the file-based authorization would not notice it.
So this would only increase security when guix.scm does not refer to any
other files in the untrusted directory. Here it might get quite annoying
to re-authorize the directory every time every time someone changes the
version number.
Thus it seems that file-based authorization will only catch
false-positives. At least I would refactor my repository to a guix
channel and load the packaged from there with guix.scm to bypass this
security mechanism before adding any malicious code.
Hashing the entire untrusted directory could work, but I'm not sure
would that have acceptable performance in larger cases.
- Saku
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-11-10 9:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 11:31 bug#73166: shell-autorized-directories Nicolas Graves
2024-09-11 9:52 ` Ludovic Courtès
2024-09-11 14:11 ` Nicolas Graves
2024-11-09 14:12 ` Nicolas Graves
2024-11-10 9:58 ` Saku Laesvuori via Bug reports for GNU Guix [this message]
2024-11-10 11:26 ` Nicolas Graves
2024-11-11 7:54 ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-11 10:40 ` Nicolas Graves
2024-11-12 1:46 ` Suhail Singh
2024-11-12 7:52 ` Nicolas Graves
2024-11-12 14:50 ` Suhail Singh
2024-11-12 16:49 ` Nicolas Graves
2024-11-12 17:08 ` Suhail Singh
2024-11-14 11:07 ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-09 21:33 ` bug#73166: [PATCH] shell: Rewrite authorized directories management Nicolas Graves
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2 \
--to=bug-guix@gnu.org \
--cc=73166@debbugs.gnu.org \
--cc=andrew@trop.in \
--cc=ludo@gnu.org \
--cc=ngraves@ngraves.fr \
--cc=saku@laesvuori.fi \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).