Subject: bug#73166: shell-autorized-directories
From: Saku Laesvuori
To: Nicolas Graves
Cc: Ludovic Courtès, 73166@debbugs.gnu.org, Andrew Tropin
Date: Sun, 10 Nov 2024 11:58:24 +0200
In-Reply-To: <874j4gpkbn.fsf@ngraves.fr>
References: <877cbjwxs4.fsf@ngraves.fr> <87cyla7c0f.fsf@gnu.org> <87mske8emf.fsf@ngraves.fr> <874j4gpkbn.fsf@ngraves.fr>

On Sat, Nov 09, 2024 at 03:12:44PM +0100, Nicolas Graves wrote:
> On 2024-09-11 16:11, Nicolas Graves wrote:
>
> >> That option would add a line to ‘shell-authorized-directories’?
> >
> > Yes. Actually I would like to develop a little more after thinking about
> > that.
> >
> > Let's say you git pull code from a guix-shell-authorized repo and the
> > pull includes some potentially harmful / dangerous code.
> >
> > The assumption of direnv is that the user has to allow the code to run
> > again in this case, putting more emphasis on security. This is not the
> > case in Guix, IIRC.
> > I think it should be done in Guix too.
> >
> > Implementing that kind of additional security will indeed need such an
> > option, for this will need to actually include the hash of the file or
> > something like that.
> >
> > It's actually quite simple in direnv, they take a sha256 hash of the
> > absolute filename + the content of the file.
> > (See
> > https://github.com/nicolas-graves/python-direnv/blob/f8f0967a9772f0775ffe75a68d868c75076f5af4/direnv.py#L36)
> > That hash makes a simple file-based database where a file is allowed based
> > not only on its location but on its location+content.
> >
> > We could have two options to interact with such a database:
> > --allow
> > --revoke
>
> Here's a working draft for some code for that. This is currently able
> to properly allow or deny my direnv-validated directories. With a
> proper direnv rename, we can almost already replace the
> authorized-shell-directory? function.
>
> I feel like this is a far more secure and convenient way to manage
> authorized-directories for guix shell. WDYT?

I do agree that it seems more convenient to run `guix shell --allow` than
copy a rather long line from the hint and run it to append a line to
shell-authorized-directories.

Authorizing files instead of directories does not seem that great of an
idea to me. I doubt it really improves security that much. For example,
all my projects have a .guix/modules/xxx-package.scm file that contains
the package definition and guix.scm just loads it from that file.
Malicious code could be added here without touching the guix.scm file at
all, so the file-based authorization would not notice it. So this would
only increase security when guix.scm does not refer to any other files in
the untrusted directory. Here it might get quite annoying to re-authorize
the directory every time someone changes the version number. Thus it
seems that file-based authorization will only catch false positives.
At least I would refactor my repository to a guix channel and load the
package from there with guix.scm to bypass this security mechanism before
adding any malicious code. Hashing the entire untrusted directory could
work, but I'm not sure whether that would have acceptable performance in
larger cases.

- Saku
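Added example (not code from this thread, from Guix or from python-direnv): a Python sketch of the two keying schemes the thread discusses, the direnv-style sha256 over absolute filename plus content that Nicolas describes, and the whole-directory hash Saku mentions, applied to a constructed repository laid out like the one in the reply, where guix.scm only loads a module under .guix/modules/. The file names, the AllowDb class and demo() are hypothetical; the point shown is that a change to the loaded module leaves the per-file key valid while the tree key changes.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_allow_key(path):
    """direnv-style key: sha256 of the absolute filename followed by the file content."""
    p = Path(path).resolve()
    h = hashlib.sha256(str(p).encode() + p.read_bytes())
    return h.hexdigest()

def tree_allow_key(directory, ignore=(".git",)):
    """Key over every file below the directory (length-prefixed relative path and content), in sorted order."""
    root = Path(directory).resolve()
    h = hashlib.sha256()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in ignore)
        for name in sorted(filenames):
            f = Path(dirpath) / name
            for part in (f.relative_to(root).as_posix().encode(), f.read_bytes()):
                h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()

class AllowDb:
    """In-memory stand-in (hypothetical) for the allow database behind --allow / --revoke."""
    def __init__(self):
        self.allowed = set()
    def allow(self, key):
        self.allowed.add(key)
    def revoke(self, key):
        self.allowed.discard(key)
    def is_allowed(self, key):
        return key in self.allowed

def demo():
    """Constructed repository: guix.scm only loads .guix/modules/hello-package.scm (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        module = repo / ".guix" / "modules" / "hello-package.scm"
        module.parent.mkdir(parents=True)
        (repo / "guix.scm").write_text('(load ".guix/modules/hello-package.scm")\n')
        module.write_text('(define-public hello "version 1")\n')
        db = AllowDb()
        db.allow(file_allow_key(repo / "guix.scm"))
        db.allow(tree_allow_key(repo))
        # Change only the loaded module; guix.scm itself is untouched.
        module.write_text('(define-public hello "version 2")\n')
        return {"file_key_still_allowed": db.is_allowed(file_allow_key(repo / "guix.scm")),
                "tree_key_still_allowed": db.is_allowed(tree_allow_key(repo))}
```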