From patchwork Tue Apr 26 07:25:50 2022
X-Patchwork-Submitter: Alexey Abramov
X-Patchwork-Id: 38900
Subject: [bug#55034] [PATCH v2] gnu: openssh: Trust Guix store directory
References: <20220420084724.3514-1-levenson@mmer.org>
In-Reply-To: <20220420084724.3514-1-levenson@mmer.org>
To: 55034@debbugs.gnu.org
Date: Tue, 26 Apr 2022 09:25:50 +0200
Message-Id: <20220426072550.3504-1-levenson@mmer.org>
X-Mailer: git-send-email 2.34.0
From: Alexey Abramov

* gnu/local.mk (dist_patch_DATA): Add the patch
* gnu/packages/patches/openssh-trust-guix-store-directory.patch: Patch it
* gnu/packages/ssh.scm (openssh[source]): Use it.
--- gnu/local.mk | 1 + .../openssh-trust-guix-store-directory.patch | 40 +++++++++++++++++++ gnu/packages/ssh.scm | 8 +++- 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/openssh-trust-guix-store-directory.patch diff --git a/gnu/local.mk b/gnu/local.mk index 9bad87710c..1d8e39138e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1567,6 +1567,7 @@ dist_patch_DATA = \ %D%/packages/patches/openjdk-15-xcursor-no-dynamic.patch \ %D%/packages/patches/openmpi-mtl-priorities.patch \ %D%/packages/patches/openssh-hurd.patch \ + %D%/packages/patches/openssh-trust-guix-store-directory.patch \ %D%/packages/patches/openresolv-restartcmd-guix.patch \ %D%/packages/patches/openrgb-unbundle-hueplusplus.patch \ %D%/packages/patches/opensles-add-license-file.patch \ diff --git a/gnu/packages/patches/openssh-trust-guix-store-directory.patch b/gnu/packages/patches/openssh-trust-guix-store-directory.patch new file mode 100644 index 0000000000..b3a9c1bdfc --- /dev/null +++ b/gnu/packages/patches/openssh-trust-guix-store-directory.patch
@@ -0,0 +1,40 @@ +From 0d85bbd42ddcd442864a9ba4719aca8b70d68048 Mon Sep 17 00:00:00 2001 +From: Alexey Abramov +Date: Fri, 22 Apr 2022 11:32:15 +0200 +Subject: [PATCH] Trust guix store directory + +To be able to execute binaries defined in OpenSSH configuration, we +need to tell OpenSSH that we can trust Guix store objects. safe_path +procedure takes a canonical path and for each component, walking +upwards, checks ownership and permissions constrains which are: must +be owned by root, not writable by group or others. +--- + misc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/misc.c b/misc.c +index 0134d69..7131d5e 100644 +--- a/misc.c ++++ b/misc.c +@@ -2146,6 +2146,7 @@ int + safe_path(const char *name, struct stat *stp, const char *pw_dir, + uid_t uid, char *err, size_t errlen) + { ++ static const char guix_store[] = @STORE_DIRECTORY@; + char buf[PATH_MAX], homedir[PATH_MAX]; + char *cp; + int comparehome = 0; +@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + } + strlcpy(buf, cp, sizeof(buf)); + ++ /* If we are past the Guix store then we can stop */ ++ if (strcmp(guix_store, buf) == 0) ++ break; ++ + if (stat(buf, &st) == -1 || + (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || + (st.st_mode & 022) != 0) { +-- +2.34.0 + diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 8a61b6e97a..7f3b02013e 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -189,7 +189,8 @@ (define-public openssh (method url-fetch) (uri (string-append "mirror://openbsd/OpenSSH/portable/" "openssh-" version ".tar.gz")) - (patches (search-patches "openssh-hurd.patch")) + (patches (search-patches "openssh-hurd.patch" + "openssh-trust-guix-store-directory.patch")) (sha256 (base32 "1ry5prcax0134v6srkgznpl9ch5snkgq7yvjqvd8c5mbnxa7cjgx")))) 
@@ -249,6 +250,11 @@ (define-public openssh (substitute* "Makefile" (("PRIVSEP_PATH=/var/empty") (string-append "PRIVSEP_PATH=" out "/var/empty")))))) + (add-after 'configure 'set-store-location + (lambda* _ + (substitute* "misc.c" + (("@STORE_DIRECTORY@") + (string-append "\"" (%store-directory) "\""))))) (add-before 'check 'patch-tests (lambda _ (substitute* "regress/test-exec.sh"
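Review bot: In the misc.c hunk of the new patch file, the `break` on `strcmp(guix_store, buf) == 0` is placed before the `stat()` ownership and mode test, so the store root and every directory above it (`/gnu`, `/`) are never examined, whereas the existing loop only stops at the home directory after that directory has passed the test; the commit message should say why skipping the store root is acceptable instead of only "we can trust Guix store objects". The concrete reason is that the Guix store directory is root-owned but group-writable for the build users and therefore fails the `(st.st_mode & 022) != 0` check, while every store item below it is root-owned and read-only and is still checked on the way up, so the relaxation covers exactly one directory whose mode is known; stating that, and that the exact `strcmp` (not a prefix match) is intentional so the loop only stops once the walk reaches the store root itself, would make the trust boundary clear to the next reader. Also "permissions constrains" in the commit message should read "permissions constraints".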
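Review bot: `(lambda* _ ...)` in the new `set-store-location` phase should be `(lambda _ ...)` to match `patch-tests` directly below it; `lambda*` adds nothing here. Note also that `substitute*` succeeds silently when `@STORE_DIRECTORY@` is not found, so if the patch and this phase ever drift apart the only signal is a compile error on the bare placeholder token in misc.c; passing the directory as a `-D` macro via `#:configure-flags` instead of rewriting the source after `configure` would remove that coupling, and since nothing in the phase depends on `configure` having run, it could equally follow `unpack`.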