From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alexey Abramov via Guix-patches
To: 55034@debbugs.gnu.org
Subject: [bug#55034] [PATCH v2] gnu: openssh: Trust Guix store directory
Date: Tue, 26 Apr 2022 09:25:50 +0200
Message-Id: <20220426072550.3504-1-levenson@mmer.org>
In-Reply-To: <20220420084724.3514-1-levenson@mmer.org>
References: <20220420084724.3514-1-levenson@mmer.org>
X-Mailer: git-send-email 2.34.0
* gnu/local.mk (dist_patch_DATA): Add the patch
* gnu/packages/patches/openssh-trust-guix-store-directory.patch: Patch it
* gnu/packages/ssh.scm (openssh[source]): Use it.
--- gnu/local.mk | 1 + .../openssh-trust-guix-store-directory.patch | 40 +++++++++++++++++++ gnu/packages/ssh.scm | 8 +++- 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssh-trust-guix-store-directory.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9bad87710c..1d8e39138e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1567,6 +1567,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjdk-15-xcursor-no-dynamic.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openssh-hurd.patch \ + %D%/packages/patches/openssh-trust-guix-store-directory.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/openrgb-unbundle-hueplusplus.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-trust-guix-store-directory.patch b/gnu/packages/patches/openssh-trust-guix-store-directory.patch new file mode 100644 index 0000000000..b3a9c1bdfc --- /dev/null +++ b/gnu/packages/patches/openssh-trust-guix-store-directory.patch
@@ -0,0 +1,40 @@ +From 0d85bbd42ddcd442864a9ba4719aca8b70d68048 Mon Sep 17 00:00:00 2001 +From: Alexey Abramov +Date: Fri, 22 Apr 2022 11:32:15 +0200 +Subject: [PATCH] Trust guix store directory + +To be able to execute binaries defined in OpenSSH configuration, we +need to tell OpenSSH that we can trust Guix store objects. safe_path +procedure takes a canonical path and for each component, walking +upwards, checks ownership and permissions constrains which are: must +be owned by root, not writable by group or others. +--- + misc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/misc.c b/misc.c +index 0134d69..7131d5e 100644 +--- a/misc.c ++++ b/misc.c +@@ -2146,6 +2146,7 @@ int + safe_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) + { ++ static const char guix_store[] = @STORE_DIRECTORY@; + char buf[PATH_MAX], homedir[PATH_MAX]; + char *cp; + int comparehome = 0; +@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + } + strlcpy(buf, cp, sizeof(buf)); + ++ /* If we are past the Guix store then we can stop */ ++ if (strcmp(guix_store, buf) == 0) ++ break; ++ + if (stat(buf, &st) == -1 || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || + (st.st_mode & 022) != 0) { +-- +2.34.0 + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 8a61b6e97a..7f3b02013e 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -189,7 +189,8 @@ (define-public openssh (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch")) + (patches (search-patches "openssh-hurd.patch" + "openssh-trust-guix-store-directory.patch")) (sha256 (base32 "1ry5prcax0134v6srkgznpl9ch5snkgq7yvjqvd8c5mbnxa7cjgx")))) 
@@ -249,6 +250,11 @@ (define-public openssh (substitute* "Makefile" (("PRIVSEP_PATH=/var/empty") (string-append "PRIVSEP_PATH=" out "/var/empty")))))) + (add-after 'configure 'set-store-location + (lambda* _ + (substitute* "misc.c" + (("@STORE_DIRECTORY@") + (string-append "\"" (%store-directory) "\""))))) (add-before 'check 'patch-tests (lambda _ (substitute* "regress/test-exec.sh" -- 2.34.0
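Review bot: in the embedded misc.c hunk (`@@ -2178,6 +2179,10 @@`), the new `if (strcmp(guix_store, buf) == 0) break;` is placed before the `if (stat(buf, &st) == -1 || ...)` ownership/mode check, so the store directory itself is the one component that is never verified to be root- or uid-owned and not group/other-writable; moving the comparison to just after that `stat` block keeps the store directory under the same constraint as every component below it while still skipping the parents above it. Two smaller points: `buf` here is the canonicalized path (the commit message says safe_path works on a canonical path), so a store directory reached through a symlink will never compare equal and the short-circuit silently does nothing, which is fail-safe but deserves a comment; and the commit message says components "must be owned by root", whereas the code being patched also accepts `st.st_uid == uid`, so the message should say "root or the user" to match what safe_path actually enforces.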
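Review bot: `(lambda* _` in the new `set-store-location` phase should be `(lambda _`; `lambda*` with a bare symbol as its formals works but is just a rest-argument lambda, and the neighbouring `patch-tests` phase in this hunk already uses `(lambda _`. The substitution also splices `(%store-directory)` into a C string literal with plain `"` quoting, so it assumes the store path contains no `"` or `\`; stating that assumption in a comment would help. Since `substitute*` does not signal an error when its pattern is absent, a missing `@STORE_DIRECTORY@` token (e.g. after a rebase of the patch) would only surface later as a C compile error, which is acceptable but worth knowing when reading this phase.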