How to put a file in /gnu/store and set its permissions

How to put a file in /gnu/store and set its permissions

[Nathan Dehnel]

https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
This says to set #:recursive? #t and guix will preserve its
permissions in the store. I have done this:

(define guixrig_host_rsa_key
    (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))

The file this expression puts in the store has permissions of 444,
despite the original being 400. How do I prevent guix from changing
permissions, or manually override them?

Re: How to put a file in /gnu/store and set its permissions

[Leo Famulari]

On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
> This says to set #:recursive? #t and guix will preserve its
> permissions in the store. I have done this:
> 
> (define guixrig_host_rsa_key
>     (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
> 
> The file this expression puts in the store has permissions of 444,
> despite the original being 400. How do I prevent guix from changing
> permissions, or manually override them?

In general, the store cannot be used to store secrets.  By design,
everything in the store is made world-readable despite what permissions
are set, for example in a package definition. I'm not sure if that's
documented in the manual; I don't see it in the manual section The Store
[1].

I'm not sure exactly what code ensures that everything in the store is
readable, but it's probably somewhere in the daemon [0], which is what
writes to the store [1].

The question of how to handle secrets in Guix has been discussed many
times over the years and there are some solutions in various services;
maybe there is a canonical solution now. But basically the idea is to
store the secret outside of the store, like in /etc, as defined in a
service configuration in config.scm.

Hopefully some other people can join the conversation with more specific
advice.

[0]
https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0

[1] I'd guess that canonicaliseTimestampAndPermissions is always called:
https://guix.gnu.org/manual/en/html_node/The-Store.html

Re: How to put a file in /gnu/store and set its permissions

[Nathan Dehnel]

Thanks. I guess then I need to know how to put a file in /etc/ssh
without putting it in the store.

On Sat, Dec 4, 2021 at 11:13 PM Leo Famulari <leo@famulari.name> wrote:
>
> On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> > https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
> > This says to set #:recursive? #t and guix will preserve its
> > permissions in the store. I have done this:
> >
> > (define guixrig_host_rsa_key
> >     (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
> >
> > The file this expression puts in the store has permissions of 444,
> > despite the original being 400. How do I prevent guix from changing
> > permissions, or manually override them?
>
> In general, the store cannot be used to store secrets.  By design,
> everything in the store is made world-readable despite what permissions
> are set, for example in a package definition. I'm not sure if that's
> documented in the manual; I don't see it in the manual section The Store
> [1].
>
> I'm not sure exactly what code ensures that everything in the store is
> readable, but it's probably somewhere in the daemon [0], which is what
> writes to the store [1].
>
> The question of how to handle secrets in Guix has been discussed many
> times over the years and there are some solutions in various services;
> maybe there is a canonical solution now. But basically the idea is to
> store the secret outside of the store, like in /etc, as defined in a
> service configuration in config.scm.
>
> Hopefully some other people can join the conversation with more specific
> advice.
>
> [0]
> https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0
>
> [1] I'd guess that canonicaliseTimestampAndPermissions is always called:
> https://guix.gnu.org/manual/en/html_node/The-Store.html

Re: How to put a file in /gnu/store and set its permissions

[Gary Johnson]

Nathan Dehnel <ncdehnel@gmail.com> writes:

> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.

To programmatically add a file to /etc, you can extend the
etc-service-type in your operating-system's services field like so:

```
(use-modules
 ((gnu services)         #:select (simple-service etc-service-type))
 ((gnu services desktop) #:select (%desktop-services))
 ((gnu system)           #:select (operating-system))
 ((guix gexp)            #:select (local-file)))

(define guixrig_host_rsa_key
  (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))

(operating-system
 ...
 (services (cons* (simple-service 'my-secret-service etc-service-type
                                  `(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
                  %desktop-services)))
```

Have fun and happy hacking!
  ~Gary

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Re: How to put a file in /gnu/store and set its permissions

[Nathan Dehnel]

Thanks. Though that code causes "guix system: error: symlink: File
exists: "/etc/ssh"" when I use it, and by the looks of it, would still
be putting the key in the store, which is insecure.

On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <lambdatronic@disroot.org> wrote:
>
> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> > Thanks. I guess then I need to know how to put a file in /etc/ssh
> > without putting it in the store.
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
>  ((gnu services)         #:select (simple-service etc-service-type))
>  ((gnu services desktop) #:select (%desktop-services))
>  ((gnu system)           #:select (operating-system))
>  ((guix gexp)            #:select (local-file)))
>
> (define guixrig_host_rsa_key
>   (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
>  ...
>  (services (cons* (simple-service 'my-secret-service etc-service-type
>                                   `(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
>                   %desktop-services)))
> ```
>
> Have fun and happy hacking!
>   ~Gary
>
> --
> GPG Key ID: 7BC158ED
> Use `gpg --search-keys lambdatronic' to find me
> Protect yourself from surveillance: https://emailselfdefense.fsf.org
> =======================================================================
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> Why is HTML email a security nightmare? See https://useplaintext.email/
>
> Please avoid sending me MS-Office attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html

Re: How to put a file in /gnu/store and set its permissions

[Arun Isaac]

[-- Attachment #1: Type: text/plain, Size: 272 bytes --]


> by the looks of it, would still be putting the key in the store, which
> is insecure.

That's correct. I think you should look at how the ssh service or the
wireguard service manages its keys. IIRC, they do so by generating a new
key during /activation/ of the system.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 524 bytes --]

Re: How to put a file in /gnu/store and set its permissions

[Gary Johnson]

> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.

> On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <lambdatronic@disroot.org> wrote:
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
>  ((gnu services)         #:select (simple-service etc-service-type))
>  ((gnu services desktop) #:select (%desktop-services))
>  ((gnu system)           #:select (operating-system))
>  ((guix gexp)            #:select (local-file)))
>
> (define guixrig_host_rsa_key
>   (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
>  ...
>  (services (cons* (simple-service 'my-secret-service etc-service-type
>                                   `(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
>                   %desktop-services)))
> ```
>
> Have fun and happy hacking!
>   ~Gary

> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. Though that code causes "guix system: error: symlink: File
> exists: "/etc/ssh"" when I use it, and by the looks of it, would still
> be putting the key in the store, which is insecure.

Bummer. It works as expected when I run that code on my system with:

```
sudo guix system reconfigure config.scm
```

Maybe you manually created /etc/ssh already, which could be causing the
error on your end? Either way, your file does end up in the store and is
owned by root:root with permissions 444.

I'm not aware of a way to add files to /etc or any other guix-managed
directory without placing a copy in the store. However, once your file
lands in /etc/ssh/guixrig_host_rsa_key, isn't it owned by root:root and
readable as well?

Perhaps one of the other Guix wizards on this mailing list would have
some ideas on how to control the permissions on these auto-generated
files.

Good luck,
  Gary

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html