From: Tobias Geerinckx-Rice via Guix-patches
To: levenson@mmer.org, 55034@debbugs.gnu.org
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Wed, 20 Apr 2022 10:17:16 +0000
Message-ID: <7684D647-31F8-4509-A18A-283DE789F0B3@tobias.gr>
In-Reply-To: <20220420084724.3514-1-levenson@mmer.org>

On 20 April 2022 08:47:24 UTC, Alexey Abramov via Guix-patches via wrote:
>This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
>and similar options. According to the sshd_config(5):
>
>> The program must be owned by root, not writable by group or others, and
>> specified by an absolute path.
>
>However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
>check if the location mounted or ended up on the RO mount point.

The RO bind mount is not a hard guarantee, and a footgun protector against accidental writes, not primarily a security feature (IMO).

By design, *anyone* can write *anything* to the store by talking to the daemon. They just can't choose the file name. A much weaker guarantee than OpenSSH assumes, at the very least.

With that in mind, could this highly intrusive patch be used to compromise a system? It seems so very likely. If it is, Guix will be rightly derided for what amounts to ifdeffing out the securities, even if OpenBSD's can be frustratingly theatrical at times.

>I think implementing a check for RO location is much harder here

Why is 'RO location' relevant here?

If the snippet you quote above is complete, which requirement does the un-bind-mounted store not meet? I can't think of one off the top o' me head?

> , rather
>than to trust /gnu/store path.

That's a lot of trust. Tens of gigabytes on average.

We explicitly rejected that idea in IceCat for example, instead whitelisting only specific store subdirectories. Why is OpenSSH different?

> The same way OpenSSH does with users' home
>directory.
>
>Let me know what you think.

The rationale and its assumptions (also) belong in the patch itself, not just a separate mail.

Hi Alexey,

Thanks for the patch suggestion!

Kind regards,

T G-R

Sent on the go. Excuse or enjoy my brevity.
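The thread turns on two distinct checks: the three file-level requirements that sshd_config(5) states for AuthorizedKeysCommand (owned by root, not writable by group or others, absolute path) and the "is it on a read-only mount" test that the patch author notes OpenSSH does not perform. The following is an added example, written for this edit and not code from OpenSSH, Guix or either correspondent; it implements both checks over constructed inputs so an administrator can audit a configured command path. The mount table text and the `PathFacts` values are constructed samples, and `facts_from_disk` is a hypothetical helper for feeding a real file into the same check. Note what the example cannot tell you, which is the reply's objection: a path can satisfy every check here and still have been populated by any local user through the daemon.

```python
"""Audit an AuthorizedKeysCommand path against the sshd_config(5)
requirements quoted in the thread, plus the read-only-mount check that
the thread says OpenSSH does not make.  Added example; not project code."""
import os
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PathFacts:
    """The facts the sshd_config(5) requirements are stated in terms of."""
    path: str
    uid: int   # owner uid (0 == root)
    mode: int  # full st_mode, file-type bits included


def check_authorized_keys_command(facts: PathFacts) -> List[str]:
    """Return the stated requirements the path fails; [] means all three hold."""
    problems = []
    if not os.path.isabs(facts.path):
        problems.append("path is not absolute")
    if facts.uid != 0:
        problems.append("not owned by root (uid %d)" % facts.uid)
    if facts.mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(facts.mode))
    return problems


def facts_from_disk(path: str) -> PathFacts:
    """Hypothetical helper: collect the same facts for a real file.
    os.stat follows symlinks, so a store symlink resolves to its target."""
    st = os.stat(path)
    return PathFacts(path, st.st_uid, st.st_mode)


def mount_options_for(path: str, mounts_text: str) -> Optional[List[str]]:
    """Return the option list of the longest mount point that contains path,
    given /proc/self/mounts-style text (fields: source, target, fstype,
    options, dump, pass).  Escaped characters such as \\040 are not decoded."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3].split(",")
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, options)
    return best[1] if best else None


def is_on_readonly_mount(path: str, mounts_text: str) -> bool:
    """The check the thread says sshd does not perform: is the containing
    mount flagged 'ro'?  As the reply notes, 'ro' here says nothing about
    who was able to produce the file's content in the first place."""
    opts = mount_options_for(path, mounts_text)
    return opts is not None and "ro" in opts


# Constructed sample mount table: root filesystem plus a read-only
# bind mount of the store, as a Guix System machine would show it.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda1 /gnu/store ext4 ro,relatime 0 0
"""


if __name__ == "__main__":
    # Constructed facts for a store-resident command: root-owned, mode 0555.
    sample = PathFacts("/gnu/store/abc-cmd/bin/cmd", 0, 0o100555)
    print("stated requirements failed:",
          check_authorized_keys_command(sample) or "none")
    print("on read-only mount:",
          is_on_readonly_mount(sample.path, SAMPLE_MOUNTS))
```

Run it as a script to see the audit of the constructed sample, or call `check_authorized_keys_command(facts_from_disk("/path/to/cmd"))` against a real configuration. A result of "no problems, read-only mount" is exactly the situation the reply argues is still insufficient, since the store's contents are chosen by whoever submits them to the daemon, not by the file's owner.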