unofficial mirror of guix-devel@gnu.org 
* Secure GNU Guix offloading
From: Léo Le Bouter @ 2021-03-23 13:46 UTC
  To: guix-devel

Hello!

I have powerful machines at hand and I would like to share them through
the GNU Guix offloading facility so that they are easy to use.

The problem is that setting up offloading requires my machine to trust
each and every client's store public key which means they can spoof
results of derivations with malware.

I am not entirely sure of how it works internally but I was thinking
that instead of copying results of derivations over there could be a
"Secure offloading" mode where instead of copying store items it would
copy the derivation and ask to rebuild them on the offload machine
instead. It will be less efficient but at least it will be safe to
share a single powerful machine with multiple GNU Guix hackers.

I don't want to give more access than what SSH non-root access would
give, and I think it would be possible to do something helpful in GNU
Guix offloading so it can work even without the offload machine
trusting the client's store public signing key.

Another thing is that it would be nice to have greater granularity on
what you trust some store signing keys for, as in, you would want to
use the offload machine for some development work but you wouldn't want
to allow the offload machine to add malware to your own store. I am
thinking the GNU Guix VM machinery can be used to create a copy-on-write
store (through virtio-fs I think?) whose every modification gets
destroyed on VM shutdown or destroy (which looks great security-wise),
and this already works AFAICT, but it's not widely known how it can be
used and why.

What do you think?

Léo

* Re: Secure GNU Guix offloading
From: Ludovic Courtès @ 2021-03-30  8:26 UTC
  To: Léo Le Bouter; +Cc: guix-devel

Hi!

Léo Le Bouter <lle-bout@zaclys.net> skribis:

> I don't want to give more access than what SSH non-root access would
> give, and I think it would be possible to do something helpful in GNU
> Guix offloading so it can work even without the offload machine
> trusting the client's store public signing key.

One possibility would be to give SSH access and nothing more.  That
would allow hackers to run:

  GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever

Users would still be able to retrieve build results from your machine
via ‘guix copy’ or an instance of ‘guix publish’ running on the machine.

HTH!

Ludo’.
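Added example, not from the thread and not Guix's own code: a small POSIX shell wrapper around the workflow Ludovic describes. It points GUIX_DAEMON_SOCKET at the remote daemon over SSH, lets `guix build` print the output paths it produced on the remote store, and then pulls those outputs back with `guix copy --from`. It assumes the hostname leo.example.org from the message, a Guix installation on both sides, and that the local daemon has authorized the remote machine's signing key (`guix archive --authorize`), which is the only trust relationship this direction needs: the shared build machine never has to trust any client's key, which is exactly the property the original message asks for. The function names (`daemon_socket_url`, `is_store_path`, `remote_build`, `fetch_results`) and the OFFLOAD_RUN guard are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): build on a remote guix-daemon reached
# over SSH, then import the outputs into the local store with `guix copy`.
# Assumptions: the remote host accepts SSH from this user and runs a
# guix-daemon; the LOCAL daemon has authorized the remote's signing key,
# because `guix copy --from` imports signed store items and the local daemon
# verifies them.  The remote never needs to trust this client's key.

set -eu

# Compose the daemon URL form used in Ludovic's message: ssh://[user@]host
daemon_socket_url() {
    host=$1
    user=${2:-}
    if [ -n "$user" ]; then
        printf 'ssh://%s@%s\n' "$user" "$host"
    else
        printf 'ssh://%s\n' "$host"
    fi
}

# Only /gnu/store/... items may be handed to guix copy; anything else is
# refused before it ever reaches the local daemon.
is_store_path() {
    case $1 in
        /gnu/store/?*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Run the build against the remote daemon.  guix build prints the resulting
# output paths (on the remote store) to stdout, one per line.
remote_build() {
    url=$1
    shift
    GUIX_DAEMON_SOCKET="$url" guix build "$@"
}

# Import the listed store items from the remote machine into the local store.
# The local daemon checks the signature against its authorized keys.
fetch_results() {
    host=$1
    shift
    for p in "$@"; do
        if ! is_store_path "$p"; then
            printf 'refusing non-store path: %s\n' "$p" >&2
            return 1
        fi
    done
    guix copy --from="$host" "$@"
}

main() {
    host=$1
    shift
    url=$(daemon_socket_url "$host")
    outputs=$(remote_build "$url" "$@")
    # Word-splitting on $outputs is intended: one store path per line.
    # shellcheck disable=SC2086
    fetch_results "$host" $outputs
}

# Usage (constructed hostname from the message):
#   OFFLOAD_RUN=1 sh offload.sh leo.example.org hello
# The guard keeps the script from contacting any host when merely sourced.
if [ "${OFFLOAD_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Note the direction of trust: the remote machine's key is authorized locally so that signed items can be imported, while the remote machine authorizes nothing about the client; this is what makes an SSH-only account sufficient, as Ludovic suggests.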

* Re: Secure GNU Guix offloading
From: Léo Le Bouter @ 2021-04-03 23:12 UTC
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, 2021-03-30 at 10:26 +0200, Ludovic Courtès wrote:
> Hi!
> 
> Léo Le Bouter <lle-bout@zaclys.net> skribis:
> 
> > I don't want to give more access than what SSH non-root access would
> > give, and I think it would be possible to do something helpful in GNU
> > Guix offloading so it can work even without the offload machine
> > trusting the client's store public signing key.
> 
> One possibility would be to give SSH access and nothing more.  That
> would allow hackers to run:
> 
>   GUIX_DAEMON_SOCKET=ssh://leo.example.org guix build whatever
> 
> Users would still be able to retrieve build results from your machine
> via ‘guix copy’ or an instance of ‘guix publish’ running on the
> machine.
> 
> HTH!
> 
> Ludo’.

Thank you! I did not know setting daemon address over SSH was possible!

