From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53579)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e8tsL-00008Y-J0
	for guix-patches@gnu.org; Sun, 29 Oct 2017 16:08:07 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e8tsI-0005iK-9T
	for guix-patches@gnu.org; Sun, 29 Oct 2017 16:08:05 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:60484)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1e8tsI-0005hp-3V
	for guix-patches@gnu.org; Sun, 29 Oct 2017 16:08:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1e8tsH-0005GF-RJ
	for guix-patches@gnu.org; Sun, 29 Oct 2017 16:08:01 -0400
Subject: [bug#29035] [PATCH 1/2] skel: Test for interactive shell instead of
	$SSH_CLIENT in .bashrc.
Resent-Message-ID: <handler.29035.B29035.150930766720202@debbugs.gnu.org>
From: Marius Bakke <mbakke@fastmail.com>
In-Reply-To: <877eve3uc3.fsf@gnu.org>
References: <87mv4cxi9n.fsf@fastmail.com>
	<20171027235357.28600-1-mbakke@fastmail.com> <87lgjv7lhu.fsf@gnu.org>
	<8760ay5kd5.fsf@fastmail.com> <877eve3uc3.fsf@gnu.org>
Date: Sun, 29 Oct 2017 21:07:40 +0100
Message-ID: <87y3nt4t0z.fsf@fastmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 29035@debbugs.gnu.org

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Ludovic Court=C3=A8s <ludo@gnu.org> writes:

> Hi Marius!
>
> Marius Bakke <mbakke@fastmail.com> skribis:
>
>> Ludovic Court=C3=A8s <ludo@gnu.org> writes:
>>
>>> Heya,
>>>
>>> Marius Bakke <mbakke@fastmail.com> skribis:
>>>
>>>> * gnu/system/shadow.scm (default-skeletons): Instead of testing for
>>>> $SSH_CLIENT, check whether '$-' includes the letter 'i'.
>>>
>>> That=E2=80=99s an improvement indeed, LGTM!
>>
>> I realized this will source /etc/profile twice when bash is invoked as
>> 'bash -l -c foo', which isn't great.  It also assumes /etc/profile
>> exists at all, which might not hold true e.g. in a container.
>
> OK.  (Though GuixSD containers do have /etc/profile, don=E2=80=99t they?)

I only checked `guix environment -C` (no further arguments!).

>> The main motivation for this commit is to make things like
>> 'git-receive-pack', 'rsync' etc work out-of-the-box when installed in
>> a user profile.  The test for `cat` was ineffective on OpenSSH since it
>> has a default PATH set to "/run/current-system/profile/bin".
>>
>> I've tested adding ~/.guix-profile/bin to the compiled-in default
>> OpenSSH PATH instead, and it works.  WDYT of this series?
>
> OK.
>
> I think it would make sense to add a test to (gnu tests ssh) for this,
> because it=E2=80=99s one of these things that annoy everyone.

Good idea.  I came up with this:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-tests-ssh-Make-sure-we-can-run-commands-from-PATH.patch
Content-Transfer-Encoding: quoted-printable

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
index 41be36035..6d367dc75 100644
=2D-- a/gnu/tests/ssh.scm
+++ b/gnu/tests/ssh.scm
@@ -169,6 +170,33 @@ root with an empty password."
                  (call-with-remote-input-file sftp-session witness
                                               read)))))
=20
+          ;; Connect to the guest over SSH.  Make sure we can run commands
+          ;; from the system profile.
+          (test-equal "run executables from system profile"
+            #t
+            (call-with-connected-session/auth
+             (lambda (session)
+               (let ((channel (make-channel session)))
+                 (channel-open-session channel)
+                 (channel-request-exec
+                  channel
+                  (string-append
+                   "mkdir -p /root/.guix-profile/bin && "
+                   "touch /root/.guix-profile/bin/witness && "
+                   "chmod 755 /root/.guix-profile/bin/witness"))
+                 (zero? (channel-get-exit-status channel))))))
+
+          ;; Connect to the guest over SSH.  Make sure we can run commands
+          ;; that only exist in the user profile.
+          (test-equal "run executable from user profile"
+            #t
+            (call-with-connected-session/auth
+             (lambda (session)
+               (let ((channel (make-channel session)))
+                 (channel-open-session channel)
+                 (channel-request-exec channel "witness")
+                 (zero? (channel-get-exit-status channel))))))
+
           (test-end)
           (exit (=3D (test-runner-fail-count (test-runner-current)) 0)))))
=20

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


It works as expected with both approaches (changing .bashrc, and
changing "--with-default-path").  WDYT?

>> From fc37dd6dfb6beab9cc4e52de7b7c98946125e7cc Mon Sep 17 00:00:00 2001
>> From: Marius Bakke <mbakke@fastmail.com>
>> Date: Sun, 29 Oct 2017 10:31:25 +0100
>> Subject: [PATCH 1/3] gnu: openssh: Add user profiles to the default PATH.
>>
>> * gnu/packages/ssh.scm (openssh)[arguments]<#:configure-flags>: Add
>> '~/guix-profile/bin' to '--with-default-path' arguments.
>> ---
>>  gnu/packages/ssh.scm | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
>> index 8317f29cd..2aeeeae1e 100644
>> --- a/gnu/packages/ssh.scm
>> +++ b/gnu/packages/ssh.scm
>> @@ -149,7 +149,9 @@ a server that supports the SSH-2 protocol.")
>>        #:configure-flags  `("--sysconfdir=3D/etc/ssh"
>>=20=20
>>                             ;; Default value of 'PATH' used by sshd.
>> -                          "--with-default-path=3D/run/current-system/pr=
ofile/bin"
>> +                           ,(string-append "--with-default-path=3D"
>> +                                           "/run/current-system/profile=
/bin:"
>> +                                           "~/.guix-profile/bin")
>
> If sshd performs tilde expansion, that=E2=80=99s fine with me.

Unfortunately, I think the tilde is expanded by the shell, and this made
me look up how POSIX handles tilde in PATH.  It appears bash, when
invoked with '--posix', does *not* perform tilde expansion if it appears
as the first character in a PATH element:

<https://www.gnu.org/software/bash/manual/html_node/Bash-POSIX-Mode.html>
(note 16)

So while it works with "bash" as the login shell, unexpected results may
occur with others.  It doesn't seem impossible to patch OpenSSH to
perform this expansion, though:

<https://github.com/openssh/openssh-portable/blob/b7548b12a6b2b4abf4d057192=
c353147e0abba08/session.c#L998>
(_PATH_STDPATH is the --with-default-path)

> Should we do something similar for lsh and Dropbear?

Probably.  Since we have a system test, it's easy to experiment with.
For now I think this .bashrc workaround might be the easiest approach,
which makes the above test pass for both OpenSSH and Dropbear:


--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline;
 filename=0001-system-Test-for-interactive-shell-instead-of-cat-in-.patch
Content-Transfer-Encoding: quoted-printable

From=206f4dfbea9cd92a3b03d7e1db89c75a88f4495ba5 Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Sun, 29 Oct 2017 21:02:19 +0100
Subject: [PATCH] system: Test for interactive shell instead of `cat` in
 skeleton '.bashrc'.

* gnu/system/shadow.scm (default-skeletons)[bashrc]: Wrap $SSH_CLIENT test =
in
a conditional testing for interactive shell.
=2D--
 gnu/system/shadow.scm | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/gnu/system/shadow.scm b/gnu/system/shadow.scm
index 236807c70..58613e620 100644
=2D-- a/gnu/system/shadow.scm
+++ b/gnu/system/shadow.scm
@@ -157,13 +157,12 @@ if [ -f ~/.bashrc ]; then . ~/.bashrc; fi\n"))
 # honor it and otherwise use /bin/sh.
 export SHELL
=20
=2Dif [ -n \"$SSH_CLIENT\" -a -z \"`type -P cat`\" ]
+if [[ $- !=3D *i* ]]
 then
=2D    # We are being invoked from a non-interactive SSH session
=2D    # (as in \"ssh host command\") but 'cat' cannot be found
=2D    # in $PATH.  Source /etc/profile so we get $PATH and other
=2D    # essential variables.
=2D    source /etc/profile
+    # We are being invoked from a non-interactive shell.  If this
+    # is an SSH session (as in \"ssh host command\"), source
+    # /etc/profile so we get PATH and other essential variables.
+    [[ -n \"$SSH_CLIENT\" ]] && source /etc/profile
 fi
=20
 # Adjust the prompt depending on whether we're in 'guix environment'.
=2D-=20
2.14.3


--=-=-=
Content-Type: text/plain


Thanks for the fast replies, and sorry for the round-trip!

--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAln2NQwACgkQoqBt8qM6
VPpfnAgAgnfdQ3PTHHk9tyZvnIrRteVydWIWuArk2/0ywkGVH3osl3EmThlorkDU
nI8hSTs8Xk/A37yfnaZ3yqn+uMybVqEnnYLaD4aW9008LHDO/hK5fWUxxmJQXCbW
1e4FQT1xfhJXfzZ82b0adwbgcguigGNM16wZav6KG6AN88WuMGRnvzRi53V/oj8X
H6YdJnfDlo+8FbM5pLR9rDpY2eTFi1vKxX3nI0d8tmmAisI60KlrcxW9/uQKM4HH
tdQT5yNg11ogGkjn8Dn3NlHoZHifU0FsMwVAx3+vsNqB6wXSc3cvi5HlMi6bHwxa
6ciUPemreevb4bG5Ca7g/yNlHhK1Og==
=csAt
-----END PGP SIGNATURE-----
--==-=-=--