From: Alexey Abramov via Guix-patches via <guix-patches@gnu.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 55034@debbugs.gnu.org
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Fri, 22 Apr 2022 09:33:45 +0200 [thread overview]
Message-ID: <87mtgdinc6.fsf@delta.lan> (raw)
In-Reply-To: <7684D647-31F8-4509-A18A-283DE789F0B3@tobias.gr> (Tobias Geerinckx-Rice's message of "Wed, 20 Apr 2022 10:17:16 +0000")
Hi Tobias,
Thanks for the review.
Tobias Geerinckx-Rice <me@tobias.gr> writes:
[...]
> The RO bind mount is not a hard guarantee, and a footgun protector
> against accidental writes, not primarily a security feature (IMO).
>
> By design, *anyone* can write *anything* to the store by talking to
> the daemon. They just can't choose the file name. A much weaker
> guarantee than OpenSSH assumes, at the very least.
Even though I knew how the daemon works, I find your explanation very
nice and clear. Thank you.
[...]
>
> Why is 'RO location' relevant here?
>
> If the snippet you quote above is complete, which requirement does the
> un-bind-mounted store not meet? I can't think of one off the top o'
> me head?
Here is a comment from safe_path function
--8<---------------cut here---------------start------------->8---
/*
* Check a given path for security. This is defined as all components of
* the path to the file must be owned by either the owner of of the file
* or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
*
* Takes a file name, its stat information (preferably from fstat() to
* avoid races), the uid of the expected owner, their home directory and
* an error buffer plus max size as arguments.
*
* Returns 0 on success and -1 on failure /
--8<---------------cut here---------------end--------------->8---
I probably had to post it first, to avoid
misunderstanding. sshd_config(5) is not that clear unfortunately. Due to
group write permissions on the /gnu/store directory, safe_path doesn't
allow openssh execute it.
Couple of months ago I posted this problem on IRC, and you mentioned the
read-only mount thingy. So I was trying to take advantage of that.
What other options do I have?
> That's a lot of trust. Tens of gigabytes on average.
=)
> We explicitly rejected that idea in IceCat for example, instead
> whitelisting only specific store subdirectories. Why is OpenSSH
> different?
I didn't know that. I don't treat OpenSSH any different than other
software either. Whitelist some specific directory is a really good
option here, even though It introduces some secret knowledge.
> The rationale and its assumptions (also) belong in the patch itself,
> not just a separate mail.
True. Let me put some more context on what I am trying to do. We have
LDAP server which also holds users' ssh keys. I package a simple wrapper
for LDAP search which returns them. I would like to use it with OpenSSH,
however due to the way it checks executable in the configuration, I
don't see the way to use it.
I assume it is possible to copy that store object somewhere, but it
doesn't look right to me.
--
Alexey
next prev parent reply other threads:[~2022-04-22 7:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-20 8:47 [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store Alexey Abramov via Guix-patches via
2022-04-20 8:49 ` [bug#55034] [PATCH 1/1] gnu: openssh: Trust /gnu/store directory Alexey Abramov via Guix-patches via
2022-04-20 10:02 ` [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store Ludovic Courtès
2022-04-22 7:02 ` Alexey Abramov via Guix-patches via
2022-04-20 9:56 ` Ludovic Courtès
2022-04-22 6:44 ` Alexey Abramov via Guix-patches via
2022-04-27 21:54 ` Ludovic Courtès
2022-04-20 10:17 ` Tobias Geerinckx-Rice via Guix-patches via
2022-04-20 10:20 ` Tobias Geerinckx-Rice via Guix-patches via
2022-04-22 7:33 ` Alexey Abramov via Guix-patches via [this message]
2022-04-26 7:25 ` [bug#55034] [PATCH v2] gnu: openssh: Trust Guix store directory Alexey Abramov via Guix-patches via
2022-04-28 22:07 ` bug#55034: [PATCH 0/1] Let openssh trust /gnu/store Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mtgdinc6.fsf@delta.lan \
--to=guix-patches@gnu.org \
--cc=55034@debbugs.gnu.org \
--cc=levenson@mmer.org \
--cc=me@tobias.gr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.