[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store

[Alexey Abramov via Guix-patches via <guix-patches@gnu.org>]

Hi Tobias,

Thanks for the review.

Tobias Geerinckx-Rice <me@tobias.gr> writes:

[...]

> The RO bind mount is not a hard guarantee, and a footgun protector
> against accidental writes, not primarily a security feature (IMO).
>
> By design, *anyone* can write *anything* to the store by talking to
> the daemon.  They just can't choose the file name.  A much weaker
> guarantee than OpenSSH assumes, at the very least.

Even though I knew how the daemon works, I find your explanation very
nice and clear. Thank you.


[...]

>
> Why is 'RO location' relevant here?
>
> If the snippet you quote above is complete, which requirement does the
> un-bind-mounted store not meet?  I can't think of one off the top o'
> me head?

Here is a comment from safe_path function

--8<---------------cut here---------------start------------->8---
/*
 * Check a given path for security. This is defined as all components of
 * the path to the file must be owned by either the owner of of the file
 * or root and no directories must be group or world writable.
 *
 * XXX Should any specific check be done for sym links ?
 *
 * Takes a file name, its stat information (preferably from fstat() to
 * avoid races), the uid of the expected owner, their home directory and
 * an error buffer plus max size as arguments.
 *
 * Returns 0 on success and -1 on failure /
--8<---------------cut here---------------end--------------->8---

I probably had to post it first, to avoid
misunderstanding. sshd_config(5) is not that clear unfortunately. Due to
group write permissions on the /gnu/store directory, safe_path doesn't
allow openssh execute it. 

Couple of months ago I posted this problem on IRC, and you mentioned the
read-only mount thingy. So I was trying to take advantage of that.

What other options do I have?

> That's a lot of trust.  Tens of gigabytes on average.

=)

> We explicitly rejected that idea in IceCat for example, instead
> whitelisting only specific store subdirectories.  Why is OpenSSH
> different?

I didn't know that. I don't treat OpenSSH any different than other
software either. Whitelist some specific directory is a really good
option here, even though It introduces some secret knowledge.

> The rationale and its assumptions (also) belong in the patch itself,
> not just a separate mail.

True. Let me put some more context on what I am trying to do. We have
LDAP server which also holds users' ssh keys. I package a simple wrapper
for LDAP search which returns them. I would like to use it with OpenSSH,
however due to the way it checks executable in the configuration, I
don't see the way to use it.

I assume it is possible to copy that store object somewhere, but it
doesn't look right to me.

-- 
Alexey