From: Saku Laesvuori via Bug reports for GNU Guix <bug-guix@gnu.org>
To: Nicolas Graves <ngraves@ngraves.fr>
Cc: 73166@debbugs.gnu.org, ludo@gnu.org, suhailsingh247@gmail.com,
andrew@trop.in
Subject: bug#73166: shell-autorized-directories
Date: Thu, 14 Nov 2024 13:07:36 +0200 [thread overview]
Message-ID: <sfd644m6yzghr7skqa6c56b3ixvc6hnljvcx6fdmfuaibkit5a@fnlnzhtrzjpi> (raw)
In-Reply-To: <87o72k4cty.fsf@ngraves.fr>
[-- Attachment #1: Type: text/plain, Size: 3114 bytes --]
On Tue, Nov 12, 2024 at 05:49:13PM +0100, Nicolas Graves wrote:
> On 2024-11-12 09:50, Suhail Singh wrote:
>
> > I was under the impression that the build phase in guix is always
> > containerized and without network access. Could you please elaborate on
> > this?
>
> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm. Saku provided an example in an earlier email
> of a valid but dangerous manifest:
>
> ```scheme
> (system* "rm -rf $HOME")
> (specifications->manifest (list "hello"))
> ```
>
> We could also have one that downloads malicious code, or uploads private
> info, the POC is left as an an exercice for the reader ;)
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.
>
> This would in turn mean that (given the same guix revision) we can
> always run a `guix shell --allow`-ed using `guix shell --container`
> which actually makes a lot of sense in my use-case. I don't really know
> about other use-cases, but I guess it's the same, even a scheme
> developper would probably want a manifest that doesn't depend on files
> outside of his repo or the network. Saku, do you have an opinion on
> this?
There are likely some cases where someone would want to define a
manifest that depends on external factors, but I do agree they seem
rare. Probably not in a public project repo but maybe someone would want
to have (for example) different environments in different directories
and some common values in ~/.config that all of them refer to.
> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to run
> `guix shell --allow`.
In the repository manifest use-case this seems to not be a downside (the
user is to build the environment anyway if they authorized it). In other
use-cases this might prevent people from using guix shell --allow even
though their case might be much more secure (like the environments in
different directories sharing common data).
> WDYT?
The only benefit seems to be in situations where the user would want the
shell to be in a container, so maybe in that case the default behaviour
should be to also evaluate the manifest in the container. I don't know
would that be a good choice. It increases security for those who use a
container and don't know that loading an environment is equivalent to
executing the file, but if it leads people assume that loading an
environment is safer than executing a file in general, they have less
security in non-container environments.
We should keep in mind that implicit manifests for guix shell are not
only useful in public repositories.
- Saku
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-11-14 11:08 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 11:31 bug#73166: shell-autorized-directories Nicolas Graves
2024-09-11 9:52 ` Ludovic Courtès
2024-09-11 14:11 ` Nicolas Graves
2024-11-09 14:12 ` Nicolas Graves
2024-11-10 9:58 ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-10 11:26 ` Nicolas Graves
2024-11-11 7:54 ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-11 10:40 ` Nicolas Graves
2024-11-12 1:46 ` Suhail Singh
2024-11-12 7:52 ` Nicolas Graves
2024-11-12 14:50 ` Suhail Singh
2024-11-12 16:49 ` Nicolas Graves
2024-11-12 17:08 ` Suhail Singh
2024-11-14 11:07 ` Saku Laesvuori via Bug reports for GNU Guix [this message]
2024-11-09 21:33 ` bug#73166: [PATCH] shell: Rewrite authorized directories management Nicolas Graves
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=sfd644m6yzghr7skqa6c56b3ixvc6hnljvcx6fdmfuaibkit5a@fnlnzhtrzjpi \
--to=bug-guix@gnu.org \
--cc=73166@debbugs.gnu.org \
--cc=andrew@trop.in \
--cc=ludo@gnu.org \
--cc=ngraves@ngraves.fr \
--cc=saku@laesvuori.fi \
--cc=suhailsingh247@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).