From patchwork Mon Apr 28 08:07:53 2025
Subject: [bug#77201] [PATCH v2] guix: substitute-key-authorization: Fix case when acl symlink is broken
Date: Mon, 28 Apr 2025 10:07:53 +0200
To: 77201@debbugs.gnu.org
From: Rutherther

One possible solution for an issue when the /etc/guix/acl file exists, but points to a non-existent location. This can for example happen if one is reinitializing the system and removes only /gnu/store and /var/guix, keeping the rest. This is a major advantage of guix as compared to other distros that usually need you to reinitialize the whole root partition. But this will leave the user with an acl file pointing to a non-existent location. The file-exists? procedure will return #f for broken symbolic links.

I think that another reason one would get this issue is if one was booted in a live ISO, chrooted, fixing their system. They would switch generations to one with a different acl file, delete other generations gc rooting the original acl file and then gc. One could do this approach for example when recovering from file corruptions in the store, to get rid of the unsubstitutable paths that can't be repaired with guix gc --verify.

This fixes the issue by looking for the type of the file through lstat, instead of relying on file-exists?. If the symlink is a broken symlink, it is removed. Other than that the old behavior is kept:
- If regular file, back it up
- If symlink pointing to the store, remove it
- If symlink not pointing to the store, back it up

* gnu/services/base.scm (substitute-key-authorization): Check if acl file is a (broken) symbolic link

Change-Id: I2f8170606b2f4afeea48f04acfd738b04cafc7cf
--- gnu/services/base.scm | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) base-commit: 56999614a45449c4b93c8614540210b609c2b356 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index 8c6563c99d..02b4274e9d 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm
@@ -1841,17 +1841,22 @@ (define (substitute-key-authorization keys guix) (with-imported-modules '((guix build utils)) #~(begin - (use-modules (guix build utils)) + (use-modules (guix build utils) + (ice-9 match)) (define acl-file #$%acl-file) ;; If the ACL already exists, move it out of the way. Create a backup ;; if it's a regular file: it's likely that the user manually updated ;; it with 'guix archive --authorize'. - (if (file-exists? acl-file) - (if (and (symbolic-link? acl-file) - (store-file-name? (readlink acl-file))) - (delete-file acl-file) - (rename-file acl-file (string-append acl-file ".bak"))) - (mkdir-p (dirname acl-file))) + (match (and=> (false-if-exception (lstat acl-file)) stat:type) + (#f #f) ;file doesn't exist + ('symlink ;delete symlink pointing to store; backup otherwise. + (if (or (store-file-name? (readlink acl-file)) ;store symlink + (not (file-exists? acl-file))) ;broken symlink + (delete-file acl-file) + (rename-file acl-file (string-append acl-file ".bak")))) + (_ ;backup + (rename-file acl-file (string-append acl-file ".bak")))) + (mkdir-p (dirname acl-file)) ;; Installed the declared ACL. (symlink #+default-acl acl-file))))
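Review bot: In the new `match` head, `(false-if-exception (lstat acl-file))` maps every `lstat` failure to `#f`, so an error other than a missing file (a permission or I/O error, or a non-directory path component) falls into the `(#f #f) ;file doesn't exist` arm and only shows up later as a less specific failure from `(symlink #+default-acl acl-file)`. Consider catching `system-error` and treating only ENOENT as "absent", re-raising anything else, so the activation fails at the real cause. Separately, the `'symlink` arm now deletes a broken symlink without a backup even when its target was outside the store, while the comment above the `match` still only says a backup is made for a regular file; that comment should state the three cases (regular file backed up, store or broken symlink deleted, other symlink backed up) so the ACL handling is documented where it is decided.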