Subject: bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
From: Clément Lassieur
To: ng0
Cc: 26717@debbugs.gnu.org
Date: Sun, 30 Apr 2017 23:57:58 +0200
Message-ID: <87lgqhd0d5.fsf@lassieur.org>
In-reply-to: <20170430193117.setdri6ykdbbmza3@abyayala>
References: <87wpa1q2po.fsf@lassieur.org> <20170430163244.2830-1-clement@lassieur.org> <20170430193117.setdri6ykdbbmza3@abyayala>

ng0 writes:

> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.") >> ;; invokes Perl. >> (substitute* (find-files "." ".*") >> ((" perl -") >> - (string-append " " perl " -")))))) >> + (string-append " " perl " -"))) >> + >> + ;; Avoid references to the store in authorized_keys. >> + ;; This works because gitolite-shell is in the PATH. >> + (substitute* "src/triggers/post-compile/ssh-authkeys" >> + (("\\$glshell \\$user") >> + "gitolite-shell $user"))))) >> (replace 'install >> (lambda* (#:key outputs #:allow-other-keys) >> (let* ((output (assoc-ref outputs "out")) >> -- >> 2.12.2
>>
>
> This looks good. I have yet to test it. Do you think we could fix the
> hook files of gitolite like this too?

Well, I don't think so, because the mechanism used in hooks is different:
the reference to the store is in the shebang, and shebangs need absolute
paths; they don't look at PATH.

We could use 'env' though, as suggested by Marius here:
http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.

As in:

#!/run/current-system/profile/bin/env perl

Assuming /run/current-system/profile/bin/env exists on all possible
setups. WDYT?
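Review bot: the ssh-authkeys substitution replaces an absolute store path in the authorized_keys command= option with the bare name `gitolite-shell`, and the comment "This works because gitolite-shell is in the PATH" does not say whose PATH. A forced command in authorized_keys is run in the gitolite user's environment, so which `gitolite-shell` executes (or whether one is found at all) now depends on that user's profile rather than on the package; an upgrade no longer leaves stale store paths behind, but a gitolite user whose profile lacks the package gets a failed login. Suggest the comment state the requirement explicitly (the gitolite user's profile, or the PATH sshd passes to forced commands, must provide the gitolite package) so that the service side is known to be responsible for satisfying it, and that the commit message mention why the store reference was a problem, since "Avoid references to the store" gives the what but not the why.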
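A check a maintainer can run after deploying the patched package, added here as an example (it is not code from this thread, from Guix or from gitolite) and using constructed sample files: it flags lines in authorized_keys or hook scripts that still carry absolute /gnu/store paths and reports the interpreter a hook's shebang names, so both the PATH-based command= entry and the env-based shebang discussed above can be verified. The store hashes, key material and user names in the samples are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Guix/gitolite: after
# installing a patched gitolite, confirm that neither authorized_keys
# nor the deployed hooks still carry absolute /gnu/store paths, which
# go stale when the package is rebuilt. All sample inputs are constructed.

# Exit 0 when no line of FILE references the store, 1 otherwise
# (offending lines are reported on stderr). Works for authorized_keys
# (command="..." options) and hook scripts alike.
store_free() {
    if grep -q '/gnu/store/' "$1"; then
        grep -n '/gnu/store/' "$1" | sed "s|^|$1:|" >&2
        return 1
    fi
    return 0
}

# Print the interpreter named in FILE's shebang line (empty if none).
shebang_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Build constructed samples in a scratch directory and run both checks.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# authorized_keys as written before the patch (store path is a placeholder).
cat > "$demo_dir/authorized_keys.before" <<'EOF'
command="/gnu/store/00000000000000000000000000000000-gitolite-3.6.7/bin/gitolite-shell alice",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example
EOF

# authorized_keys after the patch: bare command name, resolved via PATH.
cat > "$demo_dir/authorized_keys.after" <<'EOF'
command="gitolite-shell alice",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@example
EOF

# A hook with a store path in its shebang, and the env-based alternative.
printf '#!/gnu/store/00000000000000000000000000000000-perl-5.24.0/bin/perl\nprint "hook\\n";\n' \
    > "$demo_dir/hook.before"
printf '#!/run/current-system/profile/bin/env perl\nprint "hook\\n";\n' \
    > "$demo_dir/hook.after"

for f in authorized_keys.before authorized_keys.after hook.before hook.after; do
    if store_free "$demo_dir/$f" 2>/dev/null; then
        echo "OK      $f"
    else
        interp=$(shebang_interp "$demo_dir/$f")
        echo "STORE   $f${interp:+ (shebang: $interp)}"
    fi
done
```

Run against a live deployment by pointing `store_free` at the gitolite user's ~/.ssh/authorized_keys and at each file under the repositories' hooks directories; any STORE line means that entry will break the next time the referenced package is garbage-collected or rebuilt.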