From: "Ludovic Courtès" <ludo@gnu.org>
To: Alexey Abramov <levenson@mmer.org>
Cc: 55034@debbugs.gnu.org
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Wed, 27 Apr 2022 23:54:09 +0200 [thread overview]
Message-ID: <87fslygpku.fsf@gnu.org> (raw)
In-Reply-To: <87y1zxiplj.fsf@delta.lan> (Alexey Abramov's message of "Fri, 22 Apr 2022 08:44:56 +0200")
Hi,
Alexey Abramov <levenson@mmer.org> skribis:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi,
>>
>> Alexey Abramov <levenson@mmer.org> skribis:
>>
>>> This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
>>> and similar options. According to the sshd_config(5):
>>>
>>>> The program must be owned by root, not writable by group or others, and
>>>> specified by an absolute path.
>>
>> That’s the case with programs in /gnu/store. Why isn’t it working?
>
> The reason is that safe_path in openssh takes a full path of the file
> and checks every directory one by one. The constrain fails on /gnu/store
> directory due to write permissions for group.
Oh I see, makes sense.
[...]
>> Also note that the strcmp above is incorrect: it would accept
>> /gnu/storesomethinglese. You probably need to add a trailing slash to
>> be sure.
>
> Let me correct myself. In the previous email I wrote that the safe_path
> goes from top to bottom, but actually it walking upwards. This is an
> actual loop
[...]
> As you can see, buffer is holding the result of dirname already, hence
> I used "/gnu/store".
Sounds good then!
Thanks for explaining,
Ludo’.
next prev parent reply other threads:[~2022-04-27 21:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 8:47 [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store Alexey Abramov via Guix-patches via
2022-04-20 8:49 ` [bug#55034] [PATCH 1/1] gnu: openssh: Trust /gnu/store directory Alexey Abramov via Guix-patches via
2022-04-20 10:02 ` [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store Ludovic Courtès
2022-04-22 7:02 ` Alexey Abramov via Guix-patches via
2022-04-20 9:56 ` Ludovic Courtès
2022-04-22 6:44 ` Alexey Abramov via Guix-patches via
2022-04-27 21:54 ` Ludovic Courtès [this message]
2022-04-20 10:17 ` Tobias Geerinckx-Rice via Guix-patches via
2022-04-20 10:20 ` Tobias Geerinckx-Rice via Guix-patches via
2022-04-22 7:33 ` Alexey Abramov via Guix-patches via
2022-04-26 7:25 ` [bug#55034] [PATCH v2] gnu: openssh: Trust Guix store directory Alexey Abramov via Guix-patches via
2022-04-28 22:07 ` bug#55034: [PATCH 0/1] Let openssh trust /gnu/store Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fslygpku.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=55034@debbugs.gnu.org \
--cc=levenson@mmer.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.