Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
From: Alexey Abramov <levenson@mmer.org>
To: guix-patches@gnu.org, 55034@debbugs.gnu.org
Date: Wed, 20 Apr 2022 10:47:24 +0200
Message-Id: <20220420084724.3514-1-levenson@mmer.org>
This patch allows users to use /gnu/store objects for AuthorizedKeysCommand and similar options. According to sshd_config(5):

> The program must be owned by root, not writable by group or others, and
> specified by an absolute path.

However, this is not the case for Guix, even though it is RO. OpenSSH doesn't check if the location is mounted or ends up on an RO mount point. I think implementing a check for an RO location is much harder here than trusting the /gnu/store path, the same way OpenSSH does with users' home directories.

Let me know what you think.

Alexey Abramov (1):
  gnu: openssh: Trust /gnu/store directory

 gnu/local.mk                                       |  1 +
 .../openssh-trust-gnu-store-directory.patch        | 35 +++++++++++++++++++
 gnu/packages/ssh.scm                               |  3 +-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-trust-gnu-store-directory.patch

-- 
2.34.0
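To make the trade-off in the cover letter concrete, here is an added model of the ownership and mode walk that the quoted sshd_config(5) text describes, with a trusted-prefix stop for /gnu/store bolted on. It is example code written for this page, not OpenSSH's safe_path() and not the patch attached to this bug, and it runs against a constructed in-memory filesystem table rather than the real one. Two things are assumptions rather than facts from the message: that the store directory carries the daemon's 1775 root:guixbuild mode (group-writable so build users can create outputs), which is the component that trips a strict "not writable by group or others" walk; and that the exemption is implemented by stopping the parent walk before the trusted prefix, so the command file itself and the store item's own directories are still checked while /gnu/store and everything above it are not, by analogy with the home-directory stop the author mentions.

```python
"""
Illustrative model of the AuthorizedKeysCommand path check described in
sshd_config(5): absolute path, regular file, owned by root (or the target
uid), not writable by group or others, and the same owner/mode rule for
every parent directory up to "/".  A `trusted_prefixes` parameter models
the "trust /gnu/store" idea: the parent walk stops *before* a trusted
prefix, so the prefix itself and its ancestors are never inspected.

Not OpenSSH's code and not the Guix patch; the filesystem is a constructed
table so the check runs offline and deterministically.
"""
import posixpath
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Entry:
    uid: int
    mode: int  # full st_mode, including the S_IFDIR / S_IFREG type bits


# Constructed snapshot of a Guix System layout (assumption: the daemon keeps
# /gnu/store at 1775 root:guixbuild, i.e. group-writable with the sticky bit).
FAKE_FS: Dict[str, Entry] = {
    "/":                           Entry(0,    stat.S_IFDIR | 0o755),
    "/gnu":                        Entry(0,    stat.S_IFDIR | 0o755),
    "/gnu/store":                  Entry(0,    stat.S_IFDIR | 0o1775),
    "/gnu/store/abc-foo":          Entry(0,    stat.S_IFDIR | 0o555),
    "/gnu/store/abc-foo/bin":      Entry(0,    stat.S_IFDIR | 0o555),
    "/gnu/store/abc-foo/bin/keys": Entry(0,    stat.S_IFREG | 0o555),
    # a (hypothetical) store file that is group-writable: must still be refused
    "/gnu/store/abc-foo/bin/leaky": Entry(0,   stat.S_IFREG | 0o575),
    "/tmp":                        Entry(0,    stat.S_IFDIR | 0o1777),
    "/tmp/keys":                   Entry(0,    stat.S_IFREG | 0o755),
    "/usr":                        Entry(0,    stat.S_IFDIR | 0o755),
    "/usr/local":                  Entry(0,    stat.S_IFDIR | 0o755),
    "/usr/local/bin":              Entry(0,    stat.S_IFDIR | 0o755),
    "/usr/local/bin/keys":         Entry(0,    stat.S_IFREG | 0o755),
    "/home":                       Entry(0,    stat.S_IFDIR | 0o755),
    "/home/alice":                 Entry(1000, stat.S_IFDIR | 0o755),
    "/home/alice/keys":            Entry(1000, stat.S_IFREG | 0o755),
}

GROUP_OR_OTHER_WRITE = 0o022


def _bad_owner_or_mode(entry: Entry, uid: int) -> bool:
    """True if the entry is neither root- nor uid-owned, or is g/o-writable."""
    return entry.uid not in (0, uid) or (entry.mode & GROUP_OR_OTHER_WRITE) != 0


def safe_path(path: str, uid: int, fs: Dict[str, Entry] = FAKE_FS,
              trusted_prefixes: Iterable[str] = ()) -> Optional[str]:
    """Return None if `path` is acceptable, else a message naming the culprit.

    `uid` is the identity the file may be owned by besides root; pass 0 to
    require root ownership, as sshd_config(5) does for AuthorizedKeysCommand.
    """
    trusted = {posixpath.normpath(p) for p in trusted_prefixes}
    if not posixpath.isabs(path):
        return f"{path}: not an absolute path"
    path = posixpath.normpath(path)

    entry = fs.get(path)
    if entry is None:
        return f"{path}: no such file"
    if not stat.S_ISREG(entry.mode):
        return f"{path}: not a regular file"
    if _bad_owner_or_mode(entry, uid):
        return f"{path}: bad ownership or modes for file"

    # Walk upwards through every parent directory.  The trusted-prefix stop
    # happens before stat'ing the prefix, which is exactly what lets a
    # 1775 /gnu/store pass without weakening checks on the file itself.
    cur = path
    while True:
        cur = posixpath.dirname(cur)
        if cur in trusted:
            return None
        d = fs.get(cur)
        if d is None or not stat.S_ISDIR(d.mode) or _bad_owner_or_mode(d, uid):
            return f"{cur}: bad ownership or modes for directory"
        if cur == "/":
            return None


if __name__ == "__main__":
    store_cmd = "/gnu/store/abc-foo/bin/keys"
    print("strict:      ", safe_path(store_cmd, 0))
    print("trust store: ", safe_path(store_cmd, 0, trusted_prefixes=["/gnu/store"]))
    print("leaky file:  ", safe_path("/gnu/store/abc-foo/bin/leaky", 0,
                                     trusted_prefixes=["/gnu/store"]))
    print("/tmp:        ", safe_path("/tmp/keys", 0))
```

The strict walk refuses the store command only because of the store directory's mode, two levels above the file; with "/gnu/store" trusted the same path passes, while a group-writable file inside the store, a command under world-writable /tmp, or a relative path are still refused. That is the property worth preserving in whatever form the real patch takes: the exemption should shorten the walk, not skip the checks on the command itself.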