[bug#77201] guix: substitute-key-authorization: Fix case when acl symlink is broken
| Message ID | f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@ditigal.xyz |
|---|---|
| State | New |
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 8F24627BBEA; Sun, 23 Mar 2025 09:49:33 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,FROM_SUSPICIOUS_NTLD,MAILING_LIST_MULTI,PDS_OTHER_BAD_TLD, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL, RCVD_IN_VALIDITY_SAFE,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 9018A27BBE9 for <patchwork@mira.cbaines.net>; Sun, 23 Mar 2025 09:49:32 +0000 (GMT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces@gnu.org>) id 1twHx3-0004PA-0x; Sun, 23 Mar 2025 05:49:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1twHx0-0004Op-Oe for guix-patches@gnu.org; Sun, 23 Mar 2025 05:49:02 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1twHx0-00061w-1o for guix-patches@gnu.org; Sun, 23 Mar 2025 05:49:02 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:Subject; bh=nbAxbgfBQ6yEOa8y58pUilcT7UjKZLZ5WQYSm7tocsU=; b=R2+uOxUfLPO1B0EZKWFoK287T24ZjYCSRDIxRGOCPCAKR2+sI1cU4sLEc1Lr1TUXhyWu7vTFfJ5oFiRzTSaumJASIYiUJmkBit6p61dNnLtPqc/ubKEKbPsQlMpdMzgKcGyiVJk2Nxsy52YXUNyWU/boTsVPZ9TzYr332ENaDHWapjh7hFq7LWB18r4zxTkqrD30mnXSmHtNII4H6iV8CgTUFRLYVkuJM6iLK7d8raNXGzGqxgfl+g9LGSvd1iwIAjmY924vEGGXb1YwxapYQ54du7e8766bv0qrJNTCIN8T2pJv+Ys5F1bt1032JjDvR74rbPRNwEthh1+ImYzw/w==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1twHwz-0000f3-Te for guix-patches@gnu.org; Sun, 23 Mar 2025 05:49:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77201] [PATCH] guix: substitute-key-authorization: Fix case when acl symlink is broken Resent-From: Rutherther <rutherther@ditigal.xyz> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Sun, 23 Mar 2025 09:49:01 +0000 Resent-Message-ID: <handler.77201.B.17427233302470@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 77201 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77201@debbugs.gnu.org Cc: Rutherther <rutherther@ditigal.xyz> X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.17427233302470 (code B ref -1); Sun, 23 Mar 2025 09:49:01 +0000 Received: (at submit) by debbugs.gnu.org; 23 Mar 2025 09:48:50 +0000 Received: from localhost ([127.0.0.1]:47703 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1twHwn-0000dj-I0 for submit@debbugs.gnu.org; Sun, 23 Mar 2025 05:48:50 -0400 Received: from lists.gnu.org ([2001:470:142::17]:52716) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <rutherther@ditigal.xyz>) id 1twHwk-0000ck-6L for submit@debbugs.gnu.org; Sun, 23 Mar 2025 05:48:47 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <rutherther@ditigal.xyz>) id 1twHwd-0004Nb-O6 for guix-patches@gnu.org; Sun, 23 Mar 2025 05:48:39 -0400 Received: from ditigal.xyz ([2a01:4f8:1c1b:6a1c::] helo=mail.ditigal.xyz) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256) (Exim 4.90_1) (envelope-from <rutherther@ditigal.xyz>) id 1twHwb-00060R-Qx for guix-patches@gnu.org; Sun, 23 Mar 2025 05:48:39 -0400 Received: by cerebrum (OpenSMTPD) with ESMTPSA id 028405d7 (TLSv1.3:TLS_CHACHA20_POLY1305_SHA256:256:NO); Sun, 23 Mar 2025 09:48:35 +0000 (UTC) Date: Sun, 23 Mar 2025 10:48:28 +0100 Message-ID: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@ditigal.xyz> X-Mailer: git-send-email 2.48.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ditigal.xyz; i=@ditigal.xyz; q=dns/txt; s=20240917; t=1742723315; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding : from; bh=SnfH/9YlJIz/7LFQOM+sSgPS5cEE/0qCd8lCiESVlQg=; b=skWeXuNLGd3AGLqFzxZMwiF/C5qKJ4cuRO5ljF4falg369g+J2XtdU3MtPVJ+l1cEVwmU 4cVcgdlv+VBz32+DL+bn067Cfbzxs/CqBB36ZORnxuRbPbYLiv6kF9r3pVTZGTua1DWTKVT QFwkwKanM1B5w1cfyh8dZFmYDMOp+x0= Received-SPF: pass client-ip=2a01:4f8:1c1b:6a1c::; envelope-from=rutherther@ditigal.xyz; helo=mail.ditigal.xyz X-Spam_score_int: 19 X-Spam_score: 1.9 X-Spam_bar: + X-Spam_report: (1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_SUSPICIOUS_NTLD=0.499, FROM_SUSPICIOUS_NTLD_FP=2, PDS_OTHER_BAD_TLD=1.474, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Reply-to: Rutherther <rutherther@ditigal.xyz> X-ACL-Warn: , Rutherther via Guix-patches <guix-patches@gnu.org> From: Rutherther via Guix-patches via <guix-patches@gnu.org> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches |
| Series |
[bug#77201] guix: substitute-key-authorization: Fix case when acl symlink is broken
|
|
Commit Message
Rutherther
March 23, 2025, 9:48 a.m. UTC
One possible solution for an issue when /etc/guix/acl file exists, but points to a non-existent location. This can for example happen if one is reinitializing the system, and remove only /gnu/store and /var/guix, keep the rest okay. This is a major advantage of guix as compared to other distros that usually need you to reinitialize the whole root partition. But this will leave the user with acl file pointing to non-existent location. The file-exists? procedure will return #f for broken symbolic links. I think that another reason one would get this issue is, if one was booted in a live iso, chrooted, fixing their system. They would switch generations to one with different acl file, delete other generations gc rooting the original acl file and then gc. One could do this approach for example when recovering from file corruptions in the store, to get rid of the unsubstitutable paths that can't be repaired with guix gc --verify. I don't know if there is a better way as I am not that proficient in guile, but I definitely think this should be fixed and it should be checked if anything exists in that place, not that the link points to a known location. Does Guile have a procedure for that that I am missing? If not, shouldn't we create one in Guix? I can imagine this being a common mistake, where we want to check if something exists at place 'x', without caring if it's actually an accessible file. I was looking online and someone made themselves a function 'file-exists??' that checked basically this what I did here - that it's either a valid file on the disk, or a broken symlink. During debugging this issue I also noticed similar issue can occur in special files and /run/current-system with the .new files that are created with symlink procedure without checking for their existence. While it's not likely (especially because the symlink is moved the second it's created) the user would have /run/current-system.new nor /bin/sh.new etc., I still think it would be worth fixing to make sure the system can boot even in cases where something goes horribly wrong. * gnu/services/base.scm (substitute-key-authorization): Check if acl file is a (broken) symbolic link Change-Id: I2f8170606b2f4afeea48f04acfd738b04cafc7cf --- gnu/services/base.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) base-commit: fbfd2b93831978aadbb96f32cafdab997b04c6c6 prerequisite-patch-id: cf473eb15513404ca1d287f5b7eca109c848203c prerequisite-patch-id: a46e75bdd193acb5e276e0aa31c77197a3254699 prerequisite-patch-id: a2b4aa0a33d89ee3f6c483aeb71a783cb0e63aa9
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 0d2bb31190..e419d043ae 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -1845,7 +1845,7 @@ (define (substitute-key-authorization keys guix) ;; If the ACL already exists, move it out of the way. Create a backup ;; if it's a regular file: it's likely that the user manually updated ;; it with 'guix archive --authorize'. - (if (file-exists? acl-file) + (if (or (file-exists? acl-file) (symbolic-link? acl-file)) (if (and (symbolic-link? acl-file) (store-file-name? (readlink acl-file))) (delete-file acl-file)