Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
From: Alexey Abramov via Guix-patches
Reply-to: Alexey Abramov
To: Ludovic Courtès
Cc: 55034@debbugs.gnu.org
Date: Fri, 22 Apr 2022 08:44:56 +0200
Message-ID: <87y1zxiplj.fsf@delta.lan>
In-Reply-To: <87bkwwoz6m.fsf@gnu.org> (Ludovic Courtès's message of "Wed, 20 Apr 2022 11:56:49 +0200")
References: <20220420084724.3514-1-levenson@mmer.org> <87bkwwoz6m.fsf@gnu.org>
Hi Ludo,

Ludovic Courtès writes:

> Hi,
>
> Alexey Abramov skribis:
>
>> This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
>> and similar options. According to the sshd_config(5):
>>
>>> The program must be owned by root, not writable by group or others, and
>>> specified by an absolute path.
>
> That's the case with programs in /gnu/store. Why isn't it working?

The reason is that safe_path in openssh takes the full path of the file and
checks every directory one by one. The constraint fails on the /gnu/store
directory due to write permissions for the group. openssh reports the
following message:

  Unsafe AuthorizedKeysCommand "/gnu/store/xxxx-echo-sshkey.sh": bad ownership or modes for directory /gnu/store.

>> However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
>> check if the location is mounted, or ended up, on a RO mount point.
>>
>> I think implementing a check for a RO location is much harder here, rather
>> than to trust the /gnu/store path, the same way OpenSSH does with users' home
>> directory.
>
> (RO = read-only, right?)

Yes.

> I'm not sure why checking whether a file is read-only is much harder.
> Am I overlooking something?

As I mentioned before, the check does not just check the file path itself,
but also follows down to the root and checks every single directory for
the constraint.

I don't know; I was thinking about an extra check against mount locations,
and in case it has read-only mount options along the way, I could trust the
executable. It also implies cross-compilation... Maybe I overthink the
thing? Maybe it is me who is overlooking something?

-- 
Alexey
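The walk that the message above describes, as an added example that is not part of this thread and not OpenSSH's or Guix's own code: a Python model of the safe_path() logic (file must be a regular file owned by root or the given uid and not group/other-writable; then every ancestor directory is checked the same way until "/" or the user's home directory has been checked). The two in-memory filesystems are constructed; the /gnu/store ownership and mode (root, group guixbuild, 1775) is an assumption about a typical guix-daemon install. The `trusted` parameter is my own illustration of the "trust /gnu/store like the home directory" idea and does not claim to match the submitted patch. The `check_on_host` helper runs the same logic against the real filesystem.

```python
import os
import stat
from typing import Callable, Iterable, NamedTuple, Optional


class FakeStat(NamedTuple):
    """The two stat fields the check inspects (compatible with os.stat_result)."""
    st_uid: int
    st_mode: int


# Constructed model of a Guix host.  The /gnu/store entry is an assumption:
# owned by root, group guixbuild, mode 1775 (sticky, group-writable).
GUIX_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/gnu": FakeStat(0, stat.S_IFDIR | 0o755),
    "/gnu/store": FakeStat(0, stat.S_IFDIR | stat.S_ISVTX | 0o775),
    "/gnu/store/xxxx-echo-sshkey.sh": FakeStat(0, stat.S_IFREG | 0o555),
}

# Constructed model of a conventional layout that satisfies the check.
FHS_FS = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin": FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/sshkey.sh": FakeStat(0, stat.S_IFREG | 0o755),
    "/usr/local/bin/user-owned.sh": FakeStat(1000, stat.S_IFREG | 0o755),
}

WRITABLE_BY_GROUP_OR_OTHER = 0o022


def safe_path(name: str,
              lookup: Callable[[str], Optional[object]],
              uid: int = 0,
              home: Optional[str] = None,
              trusted: Iterable[str] = ()) -> Optional[str]:
    """Model of OpenSSH's safe_path(): return None if NAME is acceptable,
    otherwise the diagnostic sshd would log.

    LOOKUP maps a path to an object with st_uid/st_mode, or None if absent.
    The file and every ancestor directory must be owned by root or UID and
    must not be writable by group or others.  The walk stops after HOME has
    been checked (OpenSSH behaviour).  Directories in TRUSTED are accepted
    without inspecting them or their parents (illustration of the proposal
    in this thread, not OpenSSH code).
    """
    trusted = set(trusted)
    st = lookup(name)
    if st is None:
        return f"cannot stat {name}"
    if not stat.S_ISREG(st.st_mode):
        return f"{name} is not a regular file"
    if st.st_uid not in (0, uid) or (st.st_mode & WRITABLE_BY_GROUP_OR_OTHER):
        return f"bad ownership or modes for file {name}"

    cur = name
    while True:
        cur = os.path.dirname(cur)
        if cur in trusted:
            return None          # proposal: stop walking at a trusted prefix
        st = lookup(cur)
        if (st is None or st.st_uid not in (0, uid)
                or (st.st_mode & WRITABLE_BY_GROUP_OR_OTHER)):
            return f"bad ownership or modes for directory {cur}"
        if cur == home or cur == "/":
            return None


def check_on_host(path: str, uid: int = 0) -> Optional[str]:
    """Run the same walk against the real filesystem of this machine."""
    def lookup(p: str):
        try:
            return os.stat(p)
        except OSError:
            return None
    return safe_path(path, lookup, uid=uid)


if __name__ == "__main__":
    cmd = "/gnu/store/xxxx-echo-sshkey.sh"
    print("unpatched:", safe_path(cmd, GUIX_FS.get))
    print("trusting /gnu/store:", safe_path(cmd, GUIX_FS.get, trusted={"/gnu/store"}))
    print("FHS layout:", safe_path("/usr/local/bin/sshkey.sh", FHS_FS.get))
```

The model makes the point of the thread concrete: the script itself is root-owned and mode 0555, so the file check passes, and the walk only fails one level up because /gnu/store carries the group write bit. Whether a read-only mount or a fixed trusted prefix is an acceptable substitute for that per-directory check is a policy choice; the check exists because any writable ancestor lets whoever can write there swap the program that sshd will execute as root.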