unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
From: Saku Laesvuori via Bug reports for GNU Guix <bug-guix@gnu.org>
To: Nicolas Graves <ngraves@ngraves.fr>
Cc: 73166@debbugs.gnu.org, ludo@gnu.org, suhailsingh247@gmail.com,
	andrew@trop.in
Subject: bug#73166: shell-autorized-directories
Date: Thu, 14 Nov 2024 13:07:36 +0200	[thread overview]
Message-ID: <sfd644m6yzghr7skqa6c56b3ixvc6hnljvcx6fdmfuaibkit5a@fnlnzhtrzjpi> (raw)
In-Reply-To: <87o72k4cty.fsf@ngraves.fr>

[-- Attachment #1: Type: text/plain, Size: 3114 bytes --]

On Tue, Nov 12, 2024 at 05:49:13PM +0100, Nicolas Graves wrote:
> On 2024-11-12 09:50, Suhail Singh wrote:
> 
> > I was under the impression that the build phase in guix is always
> > containerized and without network access.  Could you please elaborate on
> > this?
> 
> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.  Saku provided an example in an earlier email
> of a valid but dangerous manifest:
> 
> ```scheme
> (system* "rm -rf $HOME")
> (specifications->manifest (list "hello"))
> ```
> 
> We could also have one that downloads malicious code, or uploads private
> info, the POC is left as an an exercice for the reader ;) 
> 
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.
> 
> This would in turn mean that (given the same guix revision) we can
> always run a `guix shell --allow`-ed using `guix shell --container`
> which actually makes a lot of sense in my use-case.  I don't really know
> about other use-cases, but I guess it's the same, even a scheme
> developper would probably want a manifest that doesn't depend on files
> outside of his repo or the network.  Saku, do you have an opinion on
> this?

There are likely some cases where someone would want to define a
manifest that depends on external factors, but I do agree they seem
rare. Probably not in a public project repo but maybe someone would want
to have (for example) different environments in different directories
and some common values in ~/.config that all of them refer to.

> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to run
> `guix shell --allow`.

In the repository manifest use-case this seems to not be a downside (the
user is to build the environment anyway if they authorized it). In other
use-cases this might prevent people from using guix shell --allow even
though their case might be much more secure (like the environments in
different directories sharing common data).

> WDYT?

The only benefit seems to be in situations where the user would want the
shell to be in a container, so maybe in that case the default behaviour
should be to also evaluate the manifest in the container. I don't know
would that be a good choice. It increases security for those who use a
container and don't know that loading an environment is equivalent to
executing the file, but if it leads people assume that loading an
environment is safer than executing a file in general, they have less
security in non-container environments.

We should keep in mind that implicit manifests for guix shell are not
only useful in public repositories.

- Saku

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  parent reply	other threads:[~2024-11-14 11:08 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-10 11:31 bug#73166: shell-autorized-directories Nicolas Graves
2024-09-11  9:52 ` Ludovic Courtès
2024-09-11 14:11   ` Nicolas Graves
2024-11-09 14:12     ` Nicolas Graves
2024-11-10  9:58       ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-10 11:26         ` Nicolas Graves
2024-11-11  7:54           ` Saku Laesvuori via Bug reports for GNU Guix
2024-11-11 10:40             ` Nicolas Graves
2024-11-12  1:46             ` Suhail Singh
2024-11-12  7:52               ` Nicolas Graves
2024-11-12 14:50                 ` Suhail Singh
2024-11-12 16:49                   ` Nicolas Graves
2024-11-12 17:08                     ` Suhail Singh
2024-11-14 11:07                     ` Saku Laesvuori via Bug reports for GNU Guix [this message]
2024-11-09 21:33 ` bug#73166: [PATCH] shell: Rewrite authorized directories management Nicolas Graves

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=sfd644m6yzghr7skqa6c56b3ixvc6hnljvcx6fdmfuaibkit5a@fnlnzhtrzjpi \
    --to=bug-guix@gnu.org \
    --cc=73166@debbugs.gnu.org \
    --cc=andrew@trop.in \
    --cc=ludo@gnu.org \
    --cc=ngraves@ngraves.fr \
    --cc=saku@laesvuori.fi \
    --cc=suhailsingh247@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).