From: Ludovic Courtès
To: Maxime Devos
Cc: 50960@debbugs.gnu.org
Subject: [bug#50960] [PATCH 04/10] DRAFT shell: By default load the local 'guix.scm' or 'manifest.scm' file.
Date: Mon, 04 Oct 2021 10:07:48 +0200
Message-ID: <87bl45tdpn.fsf@gnu.org>
In-Reply-To: <80360a349abc0eb00a8645fe3e7b5f8008f33ec8.camel@telenet.be> (Maxime Devos's message of "Sat, 02 Oct 2021 16:15:21 +0200")

Hi Maxime,

Maxime Devos wrote:

> Ludovic Courtès wrote on Sat 02-10-2021 at 12:22 [+0200]:
>> +(define (find-file-in-parent-directories candidates) >> + "Find one of CANDIDATES in the current directory or one of its ancest= ors." >> + (let loop ((directory (getcwd))) >> + (and (=3D (stat:uid (stat directory)) (getuid)) >> + (or (any (lambda (candidate) >> + (let ((candidate (string-append directory "/" candi= date))) >> + (and (file-exists? candidate) candidate))) >> + candidates) >> + (loop (string-append directory "/..")))))) ;Unix ".." reso= lution
>
> I do not recommend this. What would happen if someone creates a temporary directory
> "/tmp/stuff" do things in to throw away later (setting permissions appropriately),
> tries to create a guix.scm in that directory but misspells it as, say, guix.sm, and runs
> "guix shell" from within /tmp/stuff? Then find-file-in-parent-directories would
> load /tmp/guix.scm (possibly created by a local attacker, assuming a multi-user system),
> -- if it weren't for the (= (stat:uid (stat directory)) (getuid)).
>
> Because of the (= (stat:uid ...) (getuid)), this attack method is not possible.

Right. :-)

In libgit2, ‘find_repo’ (called by ‘git_repository_discover’) stops at
device boundaries, which is wise. But it doesn’t stop when the parent
has a different owner (!).

Unlike the code above, it does lexical “..” resolution after first
calling realpath(3) on the directory name; not sure what to think about
this.

(The code of Git itself is harder to read for me.)

> However, it causes other issues. Now it isn't possible for two users (that trust
> each other), to set up a directory writable by both (e.g. with ACLs, or by making
> the directory group-writable and placing the two users in the same group), for
> working together, with a guix.scm usable by both.
>
> These can be two users on the same machine, or remotely via something like NFS,
> or a single person having multiple user accounts used for different purposes.

Well, sure, but that’s a very uncommon scenario, isn’t it?

I was actually hesitant about this find-in-parent behavior. I find it
convenient that ‘git’ does that, for instance, so I thought it might be
nice as well.

Thoughts?

Ludo’.
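
Review bot: The 'loop' in find-file-in-parent-directories has no termination test for the file system root. Its only stop condition is the (= (stat:uid (stat directory)) (getuid)) check, so when every ancestor up to "/" is owned by the caller (for example when run as root in a root-owned tree), "/.." resolves to "/" again and (string-append directory "/..") keeps growing until 'stat' fails on an overlong name. Suggest comparing stat:dev and stat:ino of 'directory' with those of its parent and returning #f when they are equal; keeping stat:dev around would also make it possible to stop at device boundaries, as the reply notes libgit2 does. Two smaller points on the same hunk: the ownership test covers only the directory's owner, not whether the directory is writable by other users, and the docstring should state that the search stops at the first directory not owned by the current user.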