Subject: [bug#55034] [PATCH 1/1] gnu: openssh: Trust /gnu/store directory
From: Alexey Abramov via Guix-patches
To: 55034@debbugs.gnu.org
Date: Wed, 20 Apr 2022 10:49:13 +0200
Message-Id: <20220420084913.4113-1-levenson@mmer.org>
In-Reply-To: <20220420084724.3514-1-levenson@mmer.org>
* gnu/local.mk (dist_patch_DATA): Add the patch.
* gnu/packages/patches/openssh-trust-gnu-store-directory.patch: Patch it.
* gnu/packages/ssh.scm (openssh[source]): Use it.
--- gnu/local.mk | 1 + .../openssh-trust-gnu-store-directory.patch | 35 +++++++++++++++++++ gnu/packages/ssh.scm | 3 +- 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssh-trust-gnu-store-directory.patch diff --git a/gnu/local.mk b/gnu/local.mk index 0e721236d9..449a990846 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1569,6 +1569,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjdk-15-xcursor-no-dynamic.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openssh-hurd.patch \ + %D%/packages/patches/openssh-trust-gnu-store-directory.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/openrgb-unbundle-hueplusplus.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-trust-gnu-store-directory.patch b/gnu/packages/patches/openssh-trust-gnu-store-directory.patch new file mode 100644 index 0000000000..b50dc8fd6a --- /dev/null +++ b/gnu/packages/patches/openssh-trust-gnu-store-directory.patch 
@@ -0,0 +1,35 @@ +From a840e4b10961fb2b1b6b0f93e5b2b367887ed691 Mon Sep 17 00:00:00 2001 +From: Alexey Abramov +Date: Sun, 21 Nov 2021 12:21:28 +0100 +Subject: [PATCH] Trust /gnu/store directory + +--- + misc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/misc.c b/misc.c +index 0134d69..01f1660 100644 +--- a/misc.c ++++ b/misc.c +@@ -2146,6 +2146,7 @@ int + safe_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) + { ++ static const char gnu_store[] = "/gnu/store"; + char buf[PATH_MAX], homedir[PATH_MAX]; + char *cp; + int comparehome = 0; +@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + } + strlcpy(buf, cp, sizeof(buf)); + ++ /* If are past the Guix /gnu/store then we can stop */ ++ if (strcmp(gnu_store, buf) == 0) ++ break; ++ + if (stat(buf, &st) == -1 || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || + (st.st_mode & 022) != 0) { +-- +2.33.1 + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 8a61b6e97a..8dd7f1727a 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -189,7 +189,8 @@ (define-public openssh (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch")) + (patches (search-patches "openssh-hurd.patch" + "openssh-trust-gnu-store-directory.patch")) (sha256 (base32 "1ry5prcax0134v6srkgznpl9ch5snkgq7yvjqvd8c5mbnxa7cjgx")))) -- 2.34.0
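Review bot: In the second safe_path() hunk of the embedded misc.c patch, the new `if (strcmp(gnu_store, buf) == 0) break;` is placed before the `stat(buf, &st)` ownership and `(st.st_mode & 022) != 0` mode check on `buf`, so once the upward walk reaches /gnu/store neither that directory nor its parents (/gnu and /) are inspected; only the store-item directories below it are still verified. If that placement is deliberate because the store root would not pass the mode check, the commit message should state it, since the hunk extends the set of directories the check accepts on trust; otherwise move the comparison after the check so /gnu/store itself is still verified. The added comment `/* If are past the Guix /gnu/store then we can stop */` is also missing a word ("If we are past").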
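Review bot: The new file openssh-trust-gnu-store-directory.patch has an empty body between its `Subject: [PATCH] Trust /gnu/store directory` line and the `---` separator, so the patch file records neither why OpenSSH's directory walk must stop at /gnu/store nor which files resolve into the store and fail the unpatched check. Add a short explanation at the top of the patch file (Guix's patches usually carry one) or in the commit message, so that whoever next updates the openssh package can judge whether the patch is still needed.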