* bug#26717: Avoid references to the store in authorized_keys
@ 2017-04-30 16:30 Clément Lassieur
2017-04-30 16:32 ` bug#26717: [PATCH] gnu: gitolite: " Clément Lassieur
0 siblings, 1 reply; 6+ messages in thread
From: Clément Lassieur @ 2017-04-30 16:30 UTC (permalink / raw)
To: 26717
Note that if gitolite is already installed, one has to remove the
references from authorized_keys manually first, because otherwise the
old (bugged) gitolite will be used instead of the one in the PATH, and
authorized_keys will never be updated.
^ permalink raw reply [flat|nested] 6+ messages in thread
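The manual cleanup described in the message above, as an added example that is not part of the original post, of Guix or of gitolite. It assumes the store prefix is /gnu/store and that "removing the references" means replacing the store path with the bare command name; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: the store lives under /gnu/store; override with STORE_PREFIX.
STORE_PREFIX="${STORE_PREFIX:-/gnu/store}"
# Matches a forced command that pins gitolite-shell to a store path.
PINNED="command=\"$STORE_PREFIX/[^\" ]*/gitolite-shell "

# Show the offending lines with their line numbers.
list_store_refs() { grep -n "$PINNED" "$1"; }

# Count them; prints 0 when the file is already clean.
count_store_refs() { grep -c "$PINNED" "$1" || true; }

# Emit a cleaned copy on stdout: the store path becomes the bare
# command name, which is what the patched ssh-authkeys writes.
# Keys that are not gitolite forced commands pass through untouched.
strip_store_refs() {
    sed "s|$PINNED|command=\"gitolite-shell |" "$1"
}

# Constructed sample file; paths, users and key material are placeholders.
write_sample() {
    cat > "$1" <<'EOF'
# gitolite start
command="/gnu/store/PLACEHOLDERHASH-gitolite-x.y/bin/gitolite-shell alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAconstructed alice@example
command="gitolite-shell bob",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAconstructed bob@example
# gitolite end
ssh-ed25519 AAAAconstructed admin@example
EOF
}

sample=$(mktemp)
write_sample "$sample"
list_store_refs "$sample"     # the one line still pinned to the store
strip_store_refs "$sample"    # cleaned file on stdout
rm -f "$sample"
```

Diff the cleaned copy against the live file before replacing it, and keep an existing SSH session open until a fresh login has been confirmed to work.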
* bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
2017-04-30 16:30 bug#26717: Avoid references to the store in authorized_keys Clément Lassieur
@ 2017-04-30 16:32 ` Clément Lassieur
2017-04-30 19:31 ` ng0
0 siblings, 1 reply; 6+ messages in thread
From: Clément Lassieur @ 2017-04-30 16:32 UTC (permalink / raw)
To: 26717
* gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
'$glshell' with 'gitolite-shell' in ssh-authkeys.
---
gnu/packages/version-control.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index e0770dc58..1cad0f285 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
;; invokes Perl.
(substitute* (find-files "." ".*")
((" perl -")
- (string-append " " perl " -"))))))
+ (string-append " " perl " -")))
+
+ ;; Avoid references to the store in authorized_keys.
+ ;; This works because gitolite-shell is in the PATH.
+ (substitute* "src/triggers/post-compile/ssh-authkeys"
+ (("\\$glshell \\$user")
+ "gitolite-shell $user")))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
(let* ((output (assoc-ref outputs "out"))
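Review bot: The replacement "gitolite-shell $user" in the new substitute* on src/triggers/post-compile/ssh-authkeys makes the command written to authorized_keys resolve through PATH, and the comment "This works because gitolite-shell is in the PATH" does not say whose PATH. Please spell out in the comment that it must be the PATH seen by the gitolite user's non-interactive SSH session, since whichever gitolite-shell comes first there is the one that gates repository access, and a session without it on PATH locks every key out. The comment could also record the upgrade caveat from the cover message: entries already present in authorized_keys keep the old absolute path until they are removed by hand.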
--
2.12.2
^ permalink raw reply related [flat|nested] 6+ messages in thread
* bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
2017-04-30 16:32 ` bug#26717: [PATCH] gnu: gitolite: " Clément Lassieur
@ 2017-04-30 19:31 ` ng0
2017-04-30 21:57 ` Clément Lassieur
2017-05-03 19:47 ` Clément Lassieur
0 siblings, 2 replies; 6+ messages in thread
From: ng0 @ 2017-04-30 19:31 UTC (permalink / raw)
To: Clément Lassieur; +Cc: 26717
Clément Lassieur transcribed 1.3K bytes:
> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
> '$glshell' with 'gitolite-shell' in ssh-authkeys.
> ---
> gnu/packages/version-control.scm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
> index e0770dc58..1cad0f285 100644
> --- a/gnu/packages/version-control.scm
> +++ b/gnu/packages/version-control.scm
> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
> ;; invokes Perl.
> (substitute* (find-files "." ".*")
> ((" perl -")
> - (string-append " " perl " -"))))))
> + (string-append " " perl " -")))
> +
> + ;; Avoid references to the store in authorized_keys.
> + ;; This works because gitolite-shell is in the PATH.
> + (substitute* "src/triggers/post-compile/ssh-authkeys"
> + (("\\$glshell \\$user")
> + "gitolite-shell $user")))))
> (replace 'install
> (lambda* (#:key outputs #:allow-other-keys)
> (let* ((output (assoc-ref outputs "out"))
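Review bot: The pattern "\\$glshell \\$user" in the added substitute* depends on the exact wording of one line in ssh-authkeys, and nothing in this hunk checks that it matched. If upstream rewords that line, the phase would still pass and the store path would be back in authorized_keys without anyone noticing. Consider following the substitution with a check that fails the phase when "$glshell" is still present in src/triggers/post-compile/ssh-authkeys.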
> --
> 2.12.2
>
>
>
>
This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
--
https://pragmatique.xyz
PGP: https://people.pragmatique.xyz/ng0/
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
2017-04-30 19:31 ` ng0
@ 2017-04-30 21:57 ` Clément Lassieur
2017-05-04 8:50 ` Clément Lassieur
2017-05-03 19:47 ` Clément Lassieur
1 sibling, 1 reply; 6+ messages in thread
From: Clément Lassieur @ 2017-04-30 21:57 UTC (permalink / raw)
To: ng0; +Cc: 26717
ng0 <contact.ng0@cryptolab.net> writes:
> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
Well, I don't think so because the mechanism used in hooks is different:
the reference to the store is in the shebang and shebangs need absolute
paths, they don't look at PATH. We could use 'env' though, as suggested
by Marius here:
http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
As in:
#!/run/current-system/profile/bin/env perl
Assuming /run/current-system/profile/bin/env exists on all possible
setups. WDYT?
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
2017-04-30 21:57 ` Clément Lassieur
@ 2017-05-04 8:50 ` Clément Lassieur
0 siblings, 0 replies; 6+ messages in thread
From: Clément Lassieur @ 2017-05-04 8:50 UTC (permalink / raw)
To: ng0; +Cc: 26717
Clément Lassieur <clement@lassieur.org> writes:
> ng0 <contact.ng0@cryptolab.net> writes:
>> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
>
> Well, I don't think so because the mechanism used in hooks is different:
> the reference to the store is in the shebang and shebangs need absolute
> paths, they don't look at PATH. We could use 'env' though, as suggested
> by Marius here:
> http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
> As in:
>
> #!/run/current-system/profile/bin/env perl
>
> Assuming /run/current-system/profile/bin/env exists on all possible
> setups. WDYT?
This won't work on a non-GuixSD OS. I can't find a simple solution.
^ permalink raw reply [flat|nested] 6+ messages in thread
* bug#26717: [PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
2017-04-30 19:31 ` ng0
2017-04-30 21:57 ` Clément Lassieur
@ 2017-05-03 19:47 ` Clément Lassieur
1 sibling, 0 replies; 6+ messages in thread
From: Clément Lassieur @ 2017-05-03 19:47 UTC (permalink / raw)
To: ng0; +Cc: 26717-done
ng0 <contact.ng0@cryptolab.net> writes:
> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
Thank you :) I pushed it.
^ permalink raw reply [flat|nested] 6+ messages in thread