From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id EAibKf0hDmAyDwAA0tVLHw (envelope-from ) for ; Mon, 25 Jan 2021 01:42:21 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id mDZwJf0hDmCIXQAAB5/wlQ (envelope-from ) for ; Mon, 25 Jan 2021 01:42:21 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id B17C59402B5 for ; Mon, 25 Jan 2021 01:42:20 +0000 (UTC) Received: from localhost ([::1]:55688 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l3qtX-0006Sy-Fx for larch@yhetil.org; Sun, 24 Jan 2021 20:42:19 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:55392) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l3qt7-0006Sq-RY for guix-devel@gnu.org; Sun, 24 Jan 2021 20:41:53 -0500 Received: from 102b.relay.hey.com ([204.62.115.200]:59849) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l3qt5-0008Qz-H0 for guix-devel@gnu.org; Sun, 24 Jan 2021 20:41:53 -0500 Received: from hey.com (bigip-vip-new.rw-ash-int.37signals.com [10.20.0.24]) by 102.relay.hey.com (Postfix) with ESMTP id 54A7B81DBA; Mon, 25 Jan 2021 01:41:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hey.com; s=heymail; t=1611538910; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to; bh=lzYjdKIUMtM04om5FF39zmuNUX+8MCerhI0GpmQjsgI=; b=AFBcSoTVCMsfRw7Zr9aVgcpkTqFts+pksNuFRS2prt5EFOA1e7aVmpb7iv9akAWnu/GzX0 oe8lKpW/7BiqWRkjbkfABsaAqlpVCVQoa0JgUx2XDJr3BMA11IbApP0GnxdIqAKzTI8oJT aWmcLbv+Gutf2NzWSFjJrj0mTw7e9zWn/75RqLj3IMg0tZF73JqOt07Yg3c6VoO/5yFMIZ U55RB8Cnu4SKTX9vx7anWWGctC8FJkxD16M9B/jr7DeYWarGGAbx9fNjjZzOkyfehZ0mJt K72pTl0Di8NjPYY5iFQmF0QH4HtTuBgWbeTnWa/GIKE8ta1vbxdbKQYtGHcZXA== Date: Mon, 25 Jan 2021 01:41:49 +0000 From: Ryan Prior To: Development of GNU Guix and the GNU System distribution , Pjotr Prins Message-ID: <9aa892b1c2ec59b15417a5871f1b83d481ab3419@hey.com> In-Reply-To: <20210124220544.kmsf3atiouj6zci7@thebird.nl> Subject: Re: Login to a guix container Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="--==_mimepart_600e21de485db_1b8d302062339"; charset=UTF-8 Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=204.62.115.200; envelope-from=ryanprior@hey.com; helo=102b.relay.hey.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -2.55 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=hey.com header.s=heymail header.b=AFBcSoTV; dmarc=pass (policy=quarantine) header.from=hey.com; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: B17C59402B5 X-Spam-Score: -2.55 X-Migadu-Scanner: scn1.migadu.com X-TUID: oVB4n39hgd49 ----==_mimepart_600e21de485db_1b8d302062339 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On January 24, 2021, Pjotr Prins wrote: > I was just thinking that it should be possible to login with ssh into > a GNU Guix shell running in a container that gets fired up by the > sshd. I am thinking about a safe shell for fetching files. If this > works no chroot setup is required. > > Or is this a really dumb idea :) I haven't seen any serious audit investigating security properties of Guix containers. I do not think it's dumb to try this as an experiment, but I do think it would be malpractice to trust user data with this system before appropriately thorough evaluation. ----==_mimepart_600e21de485db_1b8d302062339 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
On January 24, 2021, Pjotr Prins <pjotr.public12@thebird.nl>= wrote:
I was just thinking that it should be possible t= o login with ssh into
a GNU Guix shell running in a container that get= s fired up by the
sshd. I am thinking about a safe shell for fetching = files. If this
works no chroot setup is required.

Or is this a = really dumb idea :)

I haven't seen any serious audit= investigating security properties of Guix containers. I do not think it'= s dumb to try this as an experiment, but I do think it would be malpracti= ce to trust user data with this system before appropriately thorough eval= uation.
----==_mimepart_600e21de485db_1b8d302062339--