* bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
From: Elias Kueny @ 2022-08-14 18:04 UTC (permalink / raw)
  To: 57217

Hello,

I'm trying to use home-openssh-service-type. I'm testing the configuration by running
  guix home container home-configuration.scm

The files are created with too open permissions, so ssh refuses to run:

  $ ssh xxx
  Bad owner or permissions on ~/.ssh/config

  $ ls -l .ssh
  lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
  lrwxrwxrwx 1 user users  52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

And the file system being read-only, a manual chmod is not possible.


  $ guix describe
  guix 9e46320
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 9e4632081ff31bf0d1715edd66f514614c6dc4bb

Best,
Elias


* bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
From: Ludovic Courtès @ 2022-09-23  7:13 UTC (permalink / raw)
  To: Elias Kueny; +Cc: 57217

Hi Elias,

Elias Kueny <elias.kueny@posteo.net> skribis:

> The files are created with too open permissions, so ssh refuses to run:
>
>  $ ssh xxx
>  Bad owner or permissions on ~/.ssh/config
>
>  $ ls -l .ssh
>  lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
>  lrwxrwxrwx 1 user users  52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

--8<---------------cut here---------------start------------->8---
$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

The relevant check in OpenSSH is this:

--8<---------------cut here---------------start------------->8---
    if (fstat(fileno(f), &sb) == -1)
        fatal("fstat %s: %s", filename, strerror(errno));
    /* Accept only a file owned by root or by the calling user that is
       not writable by group or others (none of the 022 mode bits). */
    if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
        (sb.st_mode & 022) != 0))
        fatal("Bad owner or permissions on %s", filename);
--8<---------------cut here---------------end--------------->8---

That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:

--8<---------------cut here---------------start------------->8---
$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.
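As an added example (not code from this thread, from OpenSSH or from Guix), a small C program that reproduces the ownership-and-mode rule of the quoted check and applies it to the two situations described in the message: the store file owned by the unmapped UID 65534 inside the container, and the root-owned file outside it. The function names config_perms_ok, fake_regular_file and check_path are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same rule as the OpenSSH check quoted above: accept only if the file
   is owned by root or by the calling user AND none of the group/other
   write bits (022) are set. Returns 1 if ssh would accept the file. */
int config_perms_ok(const struct stat *sb, uid_t me)
{
    if (sb->st_uid != 0 && sb->st_uid != me)
        return 0;              /* foreign owner, e.g. 65534 "overflow" */
    if ((sb->st_mode & 022) != 0)
        return 0;              /* group- or world-writable */
    return 1;
}

/* Constructed struct stat for an owner/mode we cannot create locally
   (such as the unmapped store owner seen inside the container). */
struct stat fake_regular_file(uid_t owner, mode_t mode)
{
    struct stat sb;
    memset(&sb, 0, sizeof sb);
    sb.st_uid = owner;
    sb.st_mode = S_IFREG | mode;
    return sb;
}

/* Open and fstat a real path, following symlinks the way ssh does.
   Returns 1 (accepted), 0 (rejected) or -1 (cannot open or stat). */
int check_path(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    int rc = fstat(fd, &sb) == -1 ? -1 : config_perms_ok(&sb, getuid());
    close(fd);
    return rc;
}

int main(void)
{
    /* The report's container case: owner 65534, mode 0444 -> rejected. */
    struct stat sb = fake_regular_file(65534, 0444);
    printf("%s\n", config_perms_ok(&sb, getuid()) ? "accepted" : "rejected");
    return 0;
}
```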


* bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
From: Ludovic Courtès @ 2022-09-23 20:15 UTC (permalink / raw)
  To: Elias Kueny; +Cc: 57217

Ludovic Courtès <ludo@gnu.org> skribis:

> To address the issue at hand, we would need to map UID 0 of the host as
> UID 0 of the guest, but I’m not sure this can be done.

I believe it cannot be done: we can only map a single UID (at least
unless/until we use subordinate UIDs.)

Back to the original problem: it only affects ‘guix home container’; so
while this is annoying, it’s not a showstopper.  WDYT?

Ludo’.

