Subject: [bug#29035] [PATCH 1/2] skel: Test for interactive shell instead of $SSH_CLIENT in .bashrc.
From: Marius Bakke
Date: Sun, 29 Oct 2017 21:07:40 +0100
To: Ludovic Courtès
Cc: 29035@debbugs.gnu.org

Ludovic Courtès writes:

> Hi Marius!
>
> Marius Bakke writes:
>
>> Ludovic Courtès writes:
>>
>>> Heya,
>>>
>>> Marius Bakke writes:
>>>
>>>> * gnu/system/shadow.scm (default-skeletons): Instead of testing for
>>>> $SSH_CLIENT, check whether '$-' includes the letter 'i'.
>>>
>>> That’s an improvement indeed, LGTM!
>>
>> I realized this will source /etc/profile twice when bash is invoked as
>> 'bash -l -c foo', which isn't great. It also assumes /etc/profile
>> exists at all, which might not hold true e.g. in a container.
>
> OK. (Though GuixSD containers do have /etc/profile, don’t they?)

I only checked `guix environment -C` (no further arguments!).

>> The main motivation for this commit is to make things like
>> 'git-receive-pack', 'rsync' etc work out-of-the-box when installed in
>> a user profile. The test for `cat` was ineffective on OpenSSH since it
>> has a default PATH set to "/run/current-system/profile/bin".
>>
>> I've tested adding ~/.guix-profile/bin to the compiled-in default
>> OpenSSH PATH instead, and it works. WDYT of this series?
>
> OK.
>
> I think it would make sense to add a test to (gnu tests ssh) for this,
> because it’s one of these things that annoy everyone.

Good idea. I came up with this:

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm index 41be36035..6d367dc75 100644 =2D-- a/gnu/tests/ssh.scm +++ b/gnu/tests/ssh.scm @@ -169,6 +170,33 @@ root with an empty password." (call-with-remote-input-file sftp-session witness read))))) =20 + ;; Connect to the guest over SSH. Make sure we can run commands + ;; from the system profile. + (test-equal "run executables from system profile" + #t + (call-with-connected-session/auth + (lambda (session) + (let ((channel (make-channel session))) + (channel-open-session channel) + (channel-request-exec + channel + (string-append + "mkdir -p /root/.guix-profile/bin && " + "touch /root/.guix-profile/bin/witness && " + "chmod 755 /root/.guix-profile/bin/witness")) + (zero? (channel-get-exit-status channel)))))) + + ;; Connect to the guest over SSH. Make sure we can run commands + ;; that only exist in the user profile. + (test-equal "run executable from user profile" + #t + (call-with-connected-session/auth + (lambda (session) + (let ((channel (make-channel session))) + (channel-open-session channel) + (channel-request-exec channel "witness") + (zero? (channel-get-exit-status channel)))))) + (test-end) (exit (=3D (test-runner-fail-count (test-runner-current)) 0))))) =20

It works as expected with both approaches (changing .bashrc, and
changing "--with-default-path"). WDYT?

>> From fc37dd6dfb6beab9cc4e52de7b7c98946125e7cc Mon Sep 17 00:00:00 2001
>> From: Marius Bakke
>> Date: Sun, 29 Oct 2017 10:31:25 +0100
>> Subject: [PATCH 1/3] gnu: openssh: Add user profiles to the default PATH.
>>
>> * gnu/packages/ssh.scm (openssh)[arguments]<#:configure-flags>: Add
>> '~/guix-profile/bin' to '--with-default-path' arguments.
>> ---
>> gnu/packages/ssh.scm | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm >> index 8317f29cd..2aeeeae1e 100644 >> --- a/gnu/packages/ssh.scm >> +++ b/gnu/packages/ssh.scm >> @@ -149,7 +149,9 @@ a server that supports the SSH-2 protocol.") >> #:configure-flags `("--sysconfdir=3D/etc/ssh" >>=20=20 >> ;; Default value of 'PATH' used by sshd. >> - "--with-default-path=3D/run/current-system/pr= ofile/bin" >> + ,(string-append "--with-default-path=3D" >> + "/run/current-system/profile= /bin:" >> + "~/.guix-profile/bin")
>
> If sshd performs tilde expansion, that’s fine with me.

Unfortunately, I think the tilde is expanded by the shell, and this
made me look up how POSIX handles tilde in PATH. It appears bash, when
invoked with '--posix', does *not* perform tilde expansion if it appears
as the first character in a PATH element:

(note 16)

So while it works with "bash" as the login shell, unexpected results may
occur with others.

It doesn't seem impossible to patch OpenSSH to perform this expansion,
though:

(_PATH_STDPATH is the --with-default-path)

> Should we do something similar for lsh and Dropbear?

Probably. Since we have a system test, it's easy to experiment with.

For now I think this .bashrc workaround might be the easiest approach,
which makes the above test pass for both OpenSSH and Dropbear:

From 6f4dfbea9cd92a3b03d7e1db89c75a88f4495ba5 Mon Sep 17 00:00:00 2001
From: Marius Bakke
Date: Sun, 29 Oct 2017 21:02:19 +0100
Subject: [PATCH] system: Test for interactive shell instead of `cat` in skeleton '.bashrc'.

* gnu/system/shadow.scm (default-skeletons)[bashrc]: Wrap $SSH_CLIENT test
in a conditional testing for interactive shell.
---
gnu/system/shadow.scm | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm index 236807c70..58613e620 100644 =2D-- a/gnu/system/shadow.scm +++ b/gnu/system/shadow.scm @@ -157,13 +157,12 @@ if [ -f ~/.bashrc ]; then . ~/.bashrc; fi\n")) # honor it and otherwise use /bin/sh. export SHELL =20 =2Dif [ -n \"$SSH_CLIENT\" -a -z \"`type -P cat`\" ] +if [[ $- !=3D *i* ]] then =2D # We are being invoked from a non-interactive SSH session =2D # (as in \"ssh host command\") but 'cat' cannot be found =2D # in $PATH. Source /etc/profile so we get $PATH and other =2D # essential variables. =2D source /etc/profile + # We are being invoked from a non-interactive shell. If this + # is an SSH session (as in \"ssh host command\"), source + # /etc/profile so we get PATH and other essential variables. + [[ -n \"$SSH_CLIENT\" ]] && source /etc/profile fi =20 # Adjust the prompt depending on whether we're in 'guix environment'. =2D-=20 2.14.3

Thanks for the fast replies, and sorry for the round-trip!
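
Review bot: in the gnu/tests/ssh.scm hunk, the witness that the first added test creates is an empty file (`touch` followed by `chmod 755`), so `(channel-request-exec channel "witness")` in the second test returns zero only through the remote shell's fallback for files that cannot be executed directly. Writing a short script with an explicit interpreter line into /root/.guix-profile/bin/witness would make the exit status depend on PATH lookup alone. The second test also relies on the first having run, and the first test's title, "run executables from system profile", does not say it doubles as the setup step; a comment noting the dependency would help.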
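
Review bot: in the quoted gnu/packages/ssh.scm patch, the commit message names '~/guix-profile/bin' while the added string is "~/.guix-profile/bin"; the message is missing the dot. The new "--with-default-path" value also carries a literal tilde, and any PATH consumer that does not expand it treats that element as a directory named ~ relative to the current working directory. A comment next to the `string-append` stating which component is expected to perform the expansion would make that assumption reviewable.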
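
Review bot: in the gnu/system/shadow.scm hunk, the added line `[[ -n \"$SSH_CLIENT\" ]] && source /etc/profile` sources the file without checking that it exists, and with the `type -P cat` guard removed it now runs for every non-interactive SSH shell. The hunk's context line `if [ -f ~/.bashrc ]; then . ~/.bashrc; fi` shows that the login profile reads .bashrc, so a non-interactive login shell over SSH reads /etc/profile a second time here. Consider adding a `-f /etc/profile` test and skipping the source when `shopt -q login_shell` succeeds.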
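
The tilde behaviour discussed in the message above, as an added example that is not part of the original e-mail or of Guix: it checks whether bash resolves a command through a PATH element that starts with a literal '~', with and without '--posix', and lists the non-absolute elements of the default path from the quoted patch. The function names and the temporary HOME are constructed for illustration; bash, env and mktemp are assumed to be installed.

```sh
#!/bin/sh
# Added example. Constructed input: a throwaway HOME that contains
# .guix-profile/bin/witness, mirroring the layout used in the test patch.

# probe_tilde_path [BASH_FLAG]
# Exit 0 if bash (optionally with BASH_FLAG, e.g. --posix) resolves
# 'witness' through PATH='~/.guix-profile/bin', non-zero otherwise.
probe_tilde_path() {
    bash_bin=$(command -v bash) || return 2
    home=$(mktemp -d) || return 2
    mkdir -p "$home/.guix-profile/bin"
    printf '#!/bin/sh\nexit 0\n' > "$home/.guix-profile/bin/witness"
    chmod 755 "$home/.guix-profile/bin/witness"
    # Run from / with a clean environment so only HOME and PATH matter.
    # 'command -v' performs the same PATH search as running the command.
    (cd / && env -i HOME="$home" PATH='~/.guix-profile/bin' \
        "$bash_bin" --norc --noprofile $1 -c 'command -v witness') \
        >/dev/null 2>&1
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# nonabsolute_path_elements PATH_STRING
# Print every element that does not start with '/'. Such elements are
# resolved relative to the current directory by lookups that do not
# expand them, which includes a literal '~'.
nonabsolute_path_elements() {
    (
        IFS=:
        set -f
        for elem in $1; do
            case $elem in
                /*) ;;
                *) printf '%s\n' "${elem:-<empty>}" ;;
            esac
        done
    )
}

for flag in "" --posix; do
    if probe_tilde_path $flag; then result=found; else result="not found"; fi
    printf 'bash %s: witness %s\n' "${flag:-(default mode)}" "$result"
done
nonabsolute_path_elements '/run/current-system/profile/bin:~/.guix-profile/bin'
```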