[bug#70151] doc: Correct the "guix shell --container" example.

Message ID 95ccaa3fb35cdfbbd4097df3425f4bece79c71e8.1712080385.git.Rostislav.Svoboda@gmail.com
State New

Commit Message

Rostislav Svoboda April 2, 2024, 5:53 p.m. UTC
* doc/guix.texi (Invoking @command{guix shell}): Add missing parameters
--preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust corresponding
textual description

Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
---
 doc/guix.texi | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)


base-commit: 7af70efd7633b0d70091762cf43ce01a86176e8e

Comments

Liliana Marie Prikler April 5, 2024, 4:07 a.m. UTC | #1
On Tuesday, 2024-04-02 at 19:53 +0200, Rostislav Svoboda wrote:
> * doc/guix.texi (Invoking @command{guix shell}): Add missing
> parameters
> --preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust
> corresponding
> textual description
> 
> Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
> ---
>  doc/guix.texi | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 69a904473c..14856027ca 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -6268,12 +6268,18 @@ Invoking guix shell
>  This @option{--container} option can also prove useful if you wish
> to
>  run a security-sensitive application, such as a web browser, in an
>  isolated environment.  For example, the command below launches
> -Ungoogled-Chromium in an isolated environment, this time sharing
> network
> -access with the host and preserving its @code{DISPLAY} environment
> -variable, but without even sharing the current directory:
> +Ungoogled-Chromium in an isolated environment, which:
> +@itemize
> +@item shares network access with the host
> +@item inherits host's environment variables @code{DISPLAY} and
> @code{XAUTHORITY}
> +@item has access to host's authentication records from the
> @code{XAUTHORITY}
> +file
> +@item has no information about host's current directory
> +@end itemize
>  
>  @example
>  guix shell --container --network --no-cwd ungoogled-chromium \
> +  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
shouldn't happen".

Cheers
Rostislav Svoboda April 5, 2024, 9:47 a.m. UTC | #2
> Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> shouldn't happen".

??? Shell injection? Which, what, where? What do you mean?

Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
needed) Chromium doesn't start, i.e. the example doesn't work:

$ guix shell --container --network --no-cwd ungoogled-chromium
--preserve='^DISPLAY$' -- chromium
[1:12:0405/094428.353734:ERROR:bus.cc(399)] Failed to connect to the
bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No
such file or directory
Authorization required, but no authorization protocol specified

[1:1:0405/094428.361802:ERROR:ozone_platform_x11.cc(239)] Missing X
server or $DISPLAY
[1:1:0405/094428.361812:ERROR:env.cc(255)] The platform failed to
initialize.  Exiting.

Cheers
Liliana Marie Prikler April 5, 2024, 1:07 p.m. UTC | #3
On Friday, 2024-04-05 at 11:47 +0200, Rostislav Svoboda wrote:
> > Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> > shouldn't happen".
> 
> ??? Shell injection? Which, what, where? What do you mean?
> 
> Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
> needed) Chromium doesn't start, i.e. the example doesn't work:
You need to properly quote "${XAUTHORITY}", otherwise bad things can
happen.

Cheers
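The quoting point raised above, shown as an added example that is not part of the patch or of either message: the constructed XAUTHORITY values and the `count_args` stand-in (used instead of invoking guix) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the patch): why --expose=$XAUTHORITY
# needs double quotes. `count_args` stands in for the command that would
# receive the arguments; guix itself is not invoked here.

# Returns the number of arguments it receives, i.e. how many words the
# shell produced from the expansion on the caller's command line.
count_args() {
    printf '%s\n' "$#"
}

# Mimics the unquoted form in the patch: --expose=$XAUTHORITY
# A value containing whitespace is split into several arguments.
expose_unquoted() {
    XAUTHORITY=$1
    count_args --expose=$XAUTHORITY
}

# Mimics the quoted form suggested in review: --expose="$XAUTHORITY"
# The value always arrives as exactly one argument.
expose_quoted() {
    XAUTHORITY=$1
    count_args --expose="$XAUTHORITY"
}

# Guard for the other failure mode: an empty or unreadable XAUTHORITY
# would turn the option into a bare --expose= (or expose nothing usable).
# Returns 0 when the path is set and readable, 1 otherwise.
check_xauthority() {
    [ -n "$1" ] && [ -r "$1" ]
}

# Constructed sample values: a typical path and one containing a space.
typical_path=/run/user/1000/gdm/Xauthority
odd_path='/tmp/my dir/Xauthority'

echo "unquoted, typical path: $(expose_unquoted "$typical_path") argument(s)"
echo "unquoted, path with space: $(expose_unquoted "$odd_path") argument(s)"
echo "quoted, path with space: $(expose_quoted "$odd_path") argument(s)"
```

The typical GDM path gives one argument either way, which is why the unquoted form appears to work; only an unusual path exposes the splitting.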
Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 69a904473c..14856027ca 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6268,12 +6268,18 @@  Invoking guix shell
 This @option{--container} option can also prove useful if you wish to
 run a security-sensitive application, such as a web browser, in an
 isolated environment.  For example, the command below launches
-Ungoogled-Chromium in an isolated environment, this time sharing network
-access with the host and preserving its @code{DISPLAY} environment
-variable, but without even sharing the current directory:
+Ungoogled-Chromium in an isolated environment, which:
+@itemize
+@item shares network access with the host
+@item inherits host's environment variables @code{DISPLAY} and @code{XAUTHORITY}
+@item has access to host's authentication records from the @code{XAUTHORITY}
+file
+@item has no information about host's current directory
+@end itemize
 
 @example
 guix shell --container --network --no-cwd ungoogled-chromium \
+  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
   --preserve='^DISPLAY$' -- chromium
 @end example
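Review bot: the added line `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY \` leaves `$XAUTHORITY` unquoted, so a value containing whitespace or glob characters is split or expanded into several arguments before guix sees it, and an unset variable yields a bare `--expose=`; write it as `--expose="$XAUTHORITY"`, matching the quoting already used for `--preserve='^XAUTHORITY$'` on the same line. In the new @itemize block, "host's environment variables", "host's authentication records" and "host's current directory" each want the article ("the host's"), and "authentication records from the @code{XAUTHORITY} file" would be clearer as "from the file named by @code{XAUTHORITY}", since the variable holds a path rather than the records themselves.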