* How to put a file in /gnu/store and set its permissions
@ 2021-12-04 22:47 Nathan Dehnel
2021-12-05 5:12 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Nathan Dehnel @ 2021-12-04 22:47 UTC (permalink / raw)
To: help-guix
https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
This says to set #:recursive? #t and guix will preserve its
permissions in the store. I have done this:
(define guixrig_host_rsa_key
(local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
The file this expression puts in the store has permissions of 444,
despite the original being 400. How do I prevent guix from changing
permissions, or manually override them?
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-04 22:47 How to put a file in /gnu/store and set its permissions Nathan Dehnel
@ 2021-12-05 5:12 ` Leo Famulari
2021-12-05 21:18 ` Nathan Dehnel
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2021-12-05 5:12 UTC (permalink / raw)
To: Nathan Dehnel; +Cc: help-guix
On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
> This says to set #:recursive? #t and guix will preserve its
> permissions in the store. I have done this:
>
> (define guixrig_host_rsa_key
> (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> The file this expression puts in the store has permissions of 444,
> despite the original being 400. How do I prevent guix from changing
> permissions, or manually override them?
In general, the store cannot be used to store secrets. By design,
everything in the store is made world-readable despite what permissions
are set, for example in a package definition. I'm not sure if that's
documented in the manual; I don't see it in the manual section The Store
[1].
I'm not sure exactly what code ensures that everything in the store is
readable, but it's probably somewhere in the daemon [0], which is what
writes to the store [1].
The question of how to handle secrets in Guix has been discussed many
times over the years and there are some solutions in various services;
maybe there is a canonical solution now. But basically the idea is to
store the secret outside of the store, like in /etc, as defined in a
service configuration in config.scm.
Hopefully some other people can join the conversation with more specific
advice.
[0]
https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0
[1] I'd guess that canonicaliseTimestampAndPermissions is always called:
https://guix.gnu.org/manual/en/html_node/The-Store.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-05 5:12 ` Leo Famulari
@ 2021-12-05 21:18 ` Nathan Dehnel
2021-12-06 2:30 ` Gary Johnson
0 siblings, 1 reply; 7+ messages in thread
From: Nathan Dehnel @ 2021-12-05 21:18 UTC (permalink / raw)
To: Leo Famulari; +Cc: help-guix
Thanks. I guess then I need to know how to put a file in /etc/ssh
without putting it in the store.
On Sat, Dec 4, 2021 at 11:13 PM Leo Famulari <leo@famulari.name> wrote:
>
> On Sat, Dec 04, 2021 at 04:47:12PM -0600, Nathan Dehnel wrote:
> > https://guix.gnu.org/manual/en/html_node/G_002dExpressions.html
> > This says to set #:recursive? #t and guix will preserve its
> > permissions in the store. I have done this:
> >
> > (define guixrig_host_rsa_key
> > (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
> >
> > The file this expression puts in the store has permissions of 444,
> > despite the original being 400. How do I prevent guix from changing
> > permissions, or manually override them?
>
> In general, the store cannot be used to store secrets. By design,
> everything in the store is made world-readable despite what permissions
> are set, for example in a package definition. I'm not sure if that's
> documented in the manual; I don't see it in the manual section The Store
> [1].
>
> I'm not sure exactly what code ensures that everything in the store is
> readable, but it's probably somewhere in the daemon [0], which is what
> writes to the store [1].
>
> The question of how to handle secrets in Guix has been discussed many
> times over the years and there are some solutions in various services;
> maybe there is a canonical solution now. But basically the idea is to
> store the secret outside of the store, like in /etc, as defined in a
> service configuration in config.scm.
>
> Hopefully some other people can join the conversation with more specific
> advice.
>
> [0]
> https://git.savannah.gnu.org/cgit/guix.git/tree/nix?h=v1.3.0
>
> [1] I'd guess that canonicaliseTimestampAndPermissions is always called:
> https://guix.gnu.org/manual/en/html_node/The-Store.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-05 21:18 ` Nathan Dehnel
@ 2021-12-06 2:30 ` Gary Johnson
2021-12-08 0:59 ` Nathan Dehnel
0 siblings, 1 reply; 7+ messages in thread
From: Gary Johnson @ 2021-12-06 2:30 UTC (permalink / raw)
To: Nathan Dehnel; +Cc: Leo Famulari, help-guix
Nathan Dehnel <ncdehnel@gmail.com> writes:
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.
To programmatically add a file to /etc, you can extend the
etc-service-type in your operating-system's services field like so:
```
(use-modules
((gnu services) #:select (simple-service etc-service-type))
((gnu services desktop) #:select (%desktop-services))
((gnu system) #:select (operating-system))
((guix gexp) #:select (local-file)))
(define guixrig_host_rsa_key
(local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
(operating-system
...
(services (cons* (simple-service 'my-secret-service etc-service-type
`(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
%desktop-services)))
```
Have fun and happy hacking!
~Gary
--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Why is HTML email a security nightmare? See https://useplaintext.email/
Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-06 2:30 ` Gary Johnson
@ 2021-12-08 0:59 ` Nathan Dehnel
2021-12-08 6:02 ` Arun Isaac
2021-12-08 16:26 ` Gary Johnson
0 siblings, 2 replies; 7+ messages in thread
From: Nathan Dehnel @ 2021-12-08 0:59 UTC (permalink / raw)
To: Gary Johnson; +Cc: help-guix
Thanks. Though that code causes "guix system: error: symlink: File
exists: "/etc/ssh"" when I use it, and by the looks of it, would still
be putting the key in the store, which is insecure.
On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <lambdatronic@disroot.org> wrote:
>
> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> > Thanks. I guess then I need to know how to put a file in /etc/ssh
> > without putting it in the store.
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
> ((gnu services) #:select (simple-service etc-service-type))
> ((gnu services desktop) #:select (%desktop-services))
> ((gnu system) #:select (operating-system))
> ((guix gexp) #:select (local-file)))
>
> (define guixrig_host_rsa_key
> (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
> ...
> (services (cons* (simple-service 'my-secret-service etc-service-type
> `(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
> %desktop-services)))
> ```
>
> Have fun and happy hacking!
> ~Gary
>
> --
> GPG Key ID: 7BC158ED
> Use `gpg --search-keys lambdatronic' to find me
> Protect yourself from surveillance: https://emailselfdefense.fsf.org
> =======================================================================
> () ascii ribbon campaign - against html e-mail
> /\ www.asciiribbon.org - against proprietary attachments
>
> Why is HTML email a security nightmare? See https://useplaintext.email/
>
> Please avoid sending me MS-Office attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-08 0:59 ` Nathan Dehnel
@ 2021-12-08 6:02 ` Arun Isaac
2021-12-08 16:26 ` Gary Johnson
1 sibling, 0 replies; 7+ messages in thread
From: Arun Isaac @ 2021-12-08 6:02 UTC (permalink / raw)
To: Nathan Dehnel, Gary Johnson; +Cc: help-guix
[-- Attachment #1: Type: text/plain, Size: 272 bytes --]
> by the looks of it, would still be putting the key in the store, which
> is insecure.
That's correct. I think you should look at how the ssh service or the
wireguard service manages its keys. IIRC, they do so by generating a new
key during /activation/ of the system.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 524 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: How to put a file in /gnu/store and set its permissions
2021-12-08 0:59 ` Nathan Dehnel
2021-12-08 6:02 ` Arun Isaac
@ 2021-12-08 16:26 ` Gary Johnson
1 sibling, 0 replies; 7+ messages in thread
From: Gary Johnson @ 2021-12-08 16:26 UTC (permalink / raw)
To: Nathan Dehnel; +Cc: Leo Famulari, help-guix
> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.
> On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <lambdatronic@disroot.org> wrote:
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
> ((gnu services) #:select (simple-service etc-service-type))
> ((gnu services desktop) #:select (%desktop-services))
> ((gnu system) #:select (operating-system))
> ((guix gexp) #:select (local-file)))
>
> (define guixrig_host_rsa_key
> (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
> ...
> (services (cons* (simple-service 'my-secret-service etc-service-type
> `(("ssh/guixrig_host_rsa_key" ,guixrig_host_rsa_key)))
> %desktop-services)))
> ```
>
> Have fun and happy hacking!
> ~Gary
> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. Though that code causes "guix system: error: symlink: File
> exists: "/etc/ssh"" when I use it, and by the looks of it, would still
> be putting the key in the store, which is insecure.
Bummer. It works as expected when I run that code on my system with:
```
sudo guix system reconfigure config.scm
```
Maybe you manually created /etc/ssh already, which could be causing the
error on your end? Either way, your file does end up in the store and is
owned by root:root with permissions 444.
I'm not aware of a way to add files to /etc or any other guix-managed
directory without placing a copy in the store. However, once your file
lands in /etc/ssh/guixrig_host_rsa_key, isn't it owned by root:root and
readable as well?
Perhaps one of the other Guix wizards on this mailing list would have
some ideas on how to control the permissions on these auto-generated
files.
Good luck,
Gary
--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
Why is HTML email a security nightmare? See https://useplaintext.email/
Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-12-08 16:34 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-04 22:47 How to put a file in /gnu/store and set its permissions Nathan Dehnel
2021-12-05 5:12 ` Leo Famulari
2021-12-05 21:18 ` Nathan Dehnel
2021-12-06 2:30 ` Gary Johnson
2021-12-08 0:59 ` Nathan Dehnel
2021-12-08 6:02 ` Arun Isaac
2021-12-08 16:26 ` Gary Johnson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).