From patchwork Wed Apr 20 08:47:24 2022
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
From: Alexey Abramov
To: 55034@debbugs.gnu.org
Date: Wed, 20 Apr 2022 10:47:24 +0200
Message-Id: <20220420084724.3514-1-levenson@mmer.org>
X-Mailer: git-send-email 2.34.0

This patch allows users to use /gnu/store objects for AuthorizedKeysCommand and similar options. According to sshd_config(5):

> The program must be owned by root, not writable by group or others, and
> specified by an absolute path.

However, this is not the case for Guix, even though it is RO. OpenSSH doesn't check whether the location is mounted on, or ends up on, a RO mount point. I think implementing a check for a RO location is much harder here than trusting the /gnu/store path, the same way OpenSSH does with users' home directories.

Let me know what you think.

Alexey Abramov (1):
  gnu: openssh: Trust /gnu/store directory

 gnu/local.mk                                        | 1 +
 .../openssh-trust-gnu-store-directory.patch         | 35 +++++++++++++++++++
 gnu/packages/ssh.scm                                | 3 +-
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openssh-trust-gnu-store-directory.patch
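The sshd_config(5) requirement quoted above (root-owned, not group/other writable, absolute path) is what sshd enforces before running an AuthorizedKeysCommand program, and, like OpenSSH's own check, it inspects every parent directory as well, so a read-only mount does not by itself satisfy it. The following is an added illustration, not code from this patch or from OpenSSH: a small emulation of that rule run over a constructed stat table (the paths, owners and modes are sample values, not a real Guix or OpenSSH layout), reporting the first component that would be rejected.

```python
import os
import stat
from typing import Dict, NamedTuple, Optional


class FakeStat(NamedTuple):
    st_uid: int
    st_mode: int  # file-type bits plus permission bits


# Constructed stat table standing in for a filesystem. The owners and modes
# are sample values chosen to exercise the rule, not any distribution's layout.
FAKE_FS: Dict[str, FakeStat] = {
    "/":                        FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr":                     FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local":               FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin":           FakeStat(0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/keys.sh":   FakeStat(0, stat.S_IFREG | 0o755),
    "/usr/local/bin/user-keys": FakeStat(1000, stat.S_IFREG | 0o755),
    "/srv":                     FakeStat(0, stat.S_IFDIR | 0o755),
    "/srv/hooks":               FakeStat(0, stat.S_IFDIR | 0o775),  # group-writable
    "/srv/hooks/keys":          FakeStat(0, stat.S_IFREG | 0o555),
}


def check_authorized_keys_program(path: str, fs: Dict[str, FakeStat]) -> Optional[str]:
    """Return None if PATH meets the sshd_config(5) rule for an
    AuthorizedKeysCommand program, otherwise a string naming the first
    offending component. The program and each parent directory up to "/"
    must be owned by root and must not be writable by group or others;
    whether the backing mount is read-only is never consulted."""
    if not os.path.isabs(path):
        return f"{path}: not an absolute path"
    cur = os.path.normpath(path)
    while True:  # walk from the program itself up to the root directory
        st = fs.get(cur)
        if st is None:
            return f"{cur}: does not exist"
        if st.st_uid != 0:
            return f"{cur}: not owned by root (uid {st.st_uid})"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return f"{cur}: writable by group or others (mode {stat.S_IMODE(st.st_mode):o})"
        if cur == "/":
            return None
        cur = os.path.dirname(cur)
```

Note that /srv/hooks/keys is itself root-owned and read-only, yet it is rejected because of the group-writable directory above it; that is the kind of component-level failure a read-only mount cannot paper over.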