bug#53752: guix home symlink permissions

[Zacchaeus Scheffer <zaccysc@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 2885 bytes --]

>
> > I finally migrated my home configuration to guix home.  However, it
> > seems guix home creates all symlinks with 777 permissions.  This causes
> > problems with openssh as it will not recognize my
> > ~/.ssh/authorized_keys.  It seems the directories have reasonable
> > permissions (maybe because they already existed?), but it seems like
> > someone could in theory edit the symlinks in-place (though I wasn't
> > able to figure that out).
> Instead of using symllinks for ~/.ssh/authorized_keys, you could try to
> write a home-activation-service, which
>
> 1. creates ~/.ssh with chmod 700
> 1a. if it already existed, enforces chmod 700 anyways
> 2. creates authorized_keys with chmod 600 if it doesn't exist
> 3. writes the authorized keys.
>

I'll try that soon (next 1-3 days), and hopefully then we can close this
issue.

I would strongly advise against that however.  While user homes are by
> default 700 in Guix, the store is world readable and so are your
> authorized keys if you put them there.  A malicious user can't
> necessarily change them, but they can spy on you.
>

For context, I keep such info in my password store, but am ok with certain
things from it not being "secret".  It is already standard for public keys
to be kept in the store; see:
 - operating-system -> services -> openssh -> authorized-keys
and as a more extreme example, encrypted user passwords are often kept in
the store; see:
 - operating-system -> users -> user -> password
It's not ideal that someone can snoop my public keys, but that is worth
enabling me to have private keys that can reproducibly connect to my user.
If one is worried about it, they could avoid usage of those specific
private keys as much as possible, so I think it's ok...


> Guix currently has no way of securely storing your data in the store
> (in a cryptographic sense).  This is exacerbated by the fact that such
> files aren't well-encrypted by default -- user read-only is "good
> enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
> stores metadata in plain.  Emacs plstores and Recfiles likewise support
> partial encryption based on GPG.
>
> This issue has been known since June 2020 [1].  While there would in
> theory exist solutions that can work for (guix home) but not (guix
> system), I can not yet make any statements regarding their quality.
> Indeed, storing secrets with Guix is an open issue, that will likely be
> given some attention during the upcoming Guix Days.
>

At the end of the day, there will be setup that should NOT happen
automatically (should require gpg passphrase input).  Currently, I do this
for private keys by automatically pulling from my password store
(requiring password input) using fancy emacs org tangling.  I'll look
into managing even this with guix home, but that is probably a discussion
for guix-devel.

Thanks all,
Zacchaeus Scheffer

[-- Attachment #2: Type: text/html, Size: 3726 bytes --]