GNU bug report logs - #53752
guix home cannot configure authorized_keys


Package: guix; Reported by: Zacchaeus Scheffer <zaccysc@HIDDEN>; dated Thu, 3 Feb 2022 18:09:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 53752 <at> debbugs.gnu.org:


Subject: Re: bug#53752: guix home symlink permissions
From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, Zacchaeus Scheffer
 <zaccysc@HIDDEN>
Date: Tue, 08 Feb 2022 08:01:33 +0100

On Monday, 07.02.2022 at 22:02 +0100, Maxime Devos wrote:
> Zacchaeus Scheffer wrote on Mon 07-02-2022 at 14:47 [-0500]:
> > I was able to create the desired effect with the following service
> > definition:
> > (simple-service
> >  'my-activation-service
> >  home-activation-service-type
> >  (gexp
> >   (begin
> >     (chdir (ungexp user-home))
> >     (if (not (file-exists? ".ssh"))
> >         (mkdir ".ssh"))
> >     (chmod ".ssh" #o700)
> >     (chdir ".ssh")
> >     (let ((port (open-output-file "authorized_keys")))
> >       (display (ungexp authorized-keys) port)
> >       (close-port port))
> >     (chmod "authorized_keys" #o600)
> >     (chdir ".."))))
> > where 'user-home and 'authorized-keys are appropriate strings
> > defined earlier in the file.
> > 
> > I believe that resolves the issue,
> 
> Users shouldn't have to do this (relatively) huge block of relatively
> inscrutable code though, I believe something along these lines (or a
> different solution) needs to be implemented in Guix itself somewhere
> before the issue is resolved.
I'll again be pointing at the "don't put secrets into your store"
shield.  We'd have to find a reasonable way of encrypting sensitive
data before we can do a home-ssh-service-type.

@Zacchaeus, your code can likely be simplified to
#~(with-directory-excursion #$user-home
    (mkdir-p ".ssh")
    (chmod ".ssh" #o700)
    (with-directory-excursion ".ssh"
      (copy-file #$authorized-keys "authorized_keys")
      (chmod "authorized_keys" #o600)))
though perhaps there's some magic incantation to import (guix build
utils) for mkdir-p and with-directory-excursion that I'm missing here.

Cheers




Information forwarded to bug-guix@HIDDEN:
bug#53752; Package guix. Full text available.

Message received at 53752 <at> debbugs.gnu.org:


Subject: Re: bug#53752: guix home symlink permissions
From: Maxime Devos <maximedevos@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>, Liliana Marie Prikler
 <liliana.prikler@HIDDEN>
Date: Mon, 07 Feb 2022 22:02:26 +0100


Zacchaeus Scheffer wrote on Mon 07-02-2022 at 14:47 [-0500]:
> I was able to create the desired effect with the following service
> definition:
> (simple-service
>  'my-activation-service
>  home-activation-service-type
>  (gexp
>   (begin
>     (chdir (ungexp user-home))
>     (if (not (file-exists? ".ssh"))
>         (mkdir ".ssh"))
>     (chmod ".ssh" #o700)
>     (chdir ".ssh")
>     (let ((port (open-output-file "authorized_keys")))
>       (display (ungexp authorized-keys) port)
>       (close-port port))
>     (chmod "authorized_keys" #o600)
>     (chdir ".."))))
> where 'user-home and 'authorized-keys are appropriate strings defined
> earlier in the file.
> 
> I believe that resolves the issue,

Users shouldn't have to do this (relatively) huge block of relatively
inscrutable code though, I believe something along these lines (or a
different solution) needs to be implemented in Guix itself somewhere
before the issue is resolved.

Greetings,
Maxime.







Message received at 53752 <at> debbugs.gnu.org:


From: Zacchaeus Scheffer <zaccysc@HIDDEN>
Date: Mon, 7 Feb 2022 14:47:57 -0500
Subject: Re: guix home symlink permissions
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>

>>> I finally migrated my home configuration to guix home.  However, it
>>> seems guix home creates all symlinks with 777 permissions.  This causes
>>> problems with openssh as it will not recognize my
>>> ~/.ssh/authorized_keys.  It seems the directories have reasonable
>>> permissions (maybe because they already existed?), but it seems like
>>> someone could in theory edit the symlinks in-place (though I wasn't
>>> able to figure that out).
>> Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
>> write a home-activation-service, which
>>
>> 1. creates ~/.ssh with chmod 700
>> 1a. if it already existed, enforces chmod 700 anyways
>> 2. creates authorized_keys with chmod 600 if it doesn't exist
>> 3. writes the authorized keys.
>
> I'll try that soon (next 1-3 days), and hopefully then we can close this
> issue.

I was able to create the desired effect with the following service definition:
(simple-service
 'my-activation-service
 home-activation-service-type
 (gexp
  (begin
    (chdir (ungexp user-home))
    (if (not (file-exists? ".ssh"))
        (mkdir ".ssh"))
    (chmod ".ssh" #o700)
    (chdir ".ssh")
    (let ((port (open-output-file "authorized_keys")))
      (display (ungexp authorized-keys) port)
      (close-port port))
    (chmod "authorized_keys" #o600)
    (chdir ".."))))
where 'user-home and 'authorized-keys are appropriate strings defined
earlier in the file.

I believe that resolves the issue,
Zacchaeus Scheffer






Message received at 53752 <at> debbugs.gnu.org:


From: Zacchaeus Scheffer <zaccysc@HIDDEN>
Date: Fri, 4 Feb 2022 13:17:54 -0500
Subject: Re: guix home symlink permissions
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>

>
> > I finally migrated my home configuration to guix home.  However, it
> > seems guix home creates all symlinks with 777 permissions.  This causes
> > problems with openssh as it will not recognize my
> > ~/.ssh/authorized_keys.  It seems the directories have reasonable
> > permissions (maybe because they already existed?), but it seems like
> > someone could in theory edit the symlinks in-place (though I wasn't
> > able to figure that out).
> Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
> write a home-activation-service, which
>
> 1. creates ~/.ssh with chmod 700
> 1a. if it already existed, enforces chmod 700 anyways
> 2. creates authorized_keys with chmod 600 if it doesn't exist
> 3. writes the authorized keys.
>

I'll try that soon (next 1-3 days), and hopefully then we can close this
issue.

> I would strongly advise against that however.  While user homes are by
> default 700 in Guix, the store is world readable and so are your
> authorized keys if you put them there.  A malicious user can't
> necessarily change them, but they can spy on you.
>

For context, I keep such info in my password store, but am ok with certain
things from it not being "secret".  It is already standard for public keys
to be kept in the store; see:
 - operating-system -> services -> openssh -> authorized-keys
and as a more extreme example, encrypted user passwords are often kept in
the store; see:
 - operating-system -> users -> user -> password
It's not ideal that someone can snoop my public keys, but that is worth
enabling me to have private keys that can reproducibly connect to my user.
If one is worried about it, they could avoid usage of those specific
private keys as much as possible, so I think it's ok...


> Guix currently has no way of securely storing your data in the store
> (in a cryptographic sense).  This is exacerbated by the fact that such
> files aren't well-encrypted by default -- user read-only is "good
> enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
> stores metadata in plain.  Emacs plstores and Recfiles likewise support
> partial encryption based on GPG.
>
> This issue has been known since June 2020 [1].  While there would in
> theory exist solutions that can work for (guix home) but not (guix
> system), I can not yet make any statements regarding their quality.
> Indeed, storing secrets with Guix is an open issue, that will likely be
> given some attention during the upcoming Guix Days.
>

At the end of the day, there will be setup that should NOT happen
automatically (should require gpg passphrase input).  Currently, I do this
for private keys by automatically pulling from my password store
(requiring password input) using fancy emacs org tangling.  I'll look
into managing even this with guix home, but that is probably a discussion
for guix-devel.

Thanks all,
Zacchaeus Scheffer






Message received at 53752 <at> debbugs.gnu.org:


Subject: Re: guix home symlink permissions
From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>, 53752 <at> debbugs.gnu.org
Date: Fri, 04 Feb 2022 10:58:22 +0100

On Thursday, 03.02.2022 at 13:08 -0500, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it
> seems guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't
> able to figure that out).
Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
write a home-activation-service, which

1. creates ~/.ssh with chmod 700
1a. if it already existed, enforces chmod 700 anyways
2. creates authorized_keys with chmod 600 if it doesn't exist
3. writes the authorized keys.

I would strongly advise against that however.  While user homes are by
default 700 in Guix, the store is world readable and so are your
authorized keys if you put them there.  A malicious user can't
necessarily change them, but they can spy on you.

Guix currently has no way of securely storing your data in the store
(in a cryptographic sense).  This is exacerbated by the fact that such
files aren't well-encrypted by default -- user read-only is "good
enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
stores metadata in plain.  Emacs plstores and Recfiles likewise support
partial encryption based on GPG.

This issue has been known since June 2020 [1].  While there would in
theory exist solutions that can work for (guix home) but not (guix
system), I cannot yet make any statements regarding their quality.
Indeed, storing secrets with Guix is an open issue, that will likely be
given some attention during the upcoming Guix Days.

Cheers

[1] https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00091.html
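The three steps above, written out as a home activation service.  This is an added example by the editor, not code from this thread or from the Guix manual; it assumes, as the Guix documentation describes, that home-activation-service-type is extended with a single gexp that runs as the user on every "guix home reconfigure".  The activation script writes ~/.ssh/authorized_keys as a regular file with mode 0600 inside a 0700 ~/.ssh, which is what sshd's StrictModes check wants to see, instead of a symlink into the store.  Liliana's objection still applies: plain-file produces a store item, so the key material is world-readable on the machine.  That is tolerable for public keys and for nothing else.

```scheme
;; Added example (editor's code): carry out the three steps from the message
;; above as a Guix Home activation service.  Only ever use this for *public*
;; keys: the plain-file below is a store item and therefore world-readable.
(use-modules (gnu home)
             (gnu home services)
             (gnu services)
             (guix gexp))

(define %authorized-keys
  ;; Placeholder: replace with your actual public key line(s).
  (plain-file "home-authorized-keys"
              "<your ssh public key here>\n"))

(define (authorized-keys-activation keys-file)
  ;; Returns the gexp that home-activation-service-type runs as the user on
  ;; every reconfigure.  It must be idempotent, so every step is unconditional
  ;; except the mkdir.
  #~(let* ((ssh-dir (string-append (getenv "HOME") "/.ssh"))
           (target  (string-append ssh-dir "/authorized_keys"))
           (tmp     (string-append target ".tmp")))
      ;; Steps 1 and 1a: create ~/.ssh if it is missing, enforce 0700 anyway.
      (unless (file-exists? ssh-dir)
        (mkdir ssh-dir #o700))
      (chmod ssh-dir #o700)
      ;; Steps 2 and 3: copy the keys out of the store into a regular file,
      ;; force 0600 before it becomes visible under its final name, then
      ;; rename.  rename-file replaces a leftover symlink created by
      ;; home-files-service-type instead of following it.
      (copy-file #$keys-file tmp)
      (chmod tmp #o600)
      (rename-file tmp target)))

(home-environment
 (services
  (list
   (simple-service 'my-authorized-keys
                   home-activation-service-type
                   (authorized-keys-activation %authorized-keys)))))
```

Run it with "guix home reconfigure" on this file.  Because the final file lives under $HOME with safe modes, sshd's ownership and permission walk stops at the home directory and never reaches /gnu/store.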




Information forwarded to bug-guix@HIDDEN:
bug#53752; Package guix.

Message received at 53752 <at> debbugs.gnu.org:


From: Thiago Jung Bauermann <bauermann@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>
Subject: Re: bug#53752: guix home symlink permissions
Date: Thu, 03 Feb 2022 20:06:25 -0300
Message-ID: <68523536.hgpfNYuzMs@popigai>
In-Reply-To: <CAJejy7mVv5whyc3nJt3e8S+DkKyZbRdoXRNT5q-DdVdJNLfX4A@HIDDEN>
References: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@HIDDEN>
 <1737102.PxY0oXxzeL@popigai>
 <CAJejy7mVv5whyc3nJt3e8S+DkKyZbRdoXRNT5q-DdVdJNLfX4A@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org

On Thursday, 3 February 2022, at 18:22:49 -03, Zacchaeus Scheffer wrote:
> It seems the permissions on the symlink don't matter.  The problem is
> that the file linked to in the store is readable by everyone (which I am
> ok with because it's just public keys).
>
> There is a solution with guix system by configuring openssh directly (see
> openssh-configuration -> authorized-keys), but there really should be a
> way to do this with guix home.  (anyone that can call guix home for my
> user can see/modify my authorized_keys anyway)
>
> Maybe this bug should be renamed to something like "guix home cannot
> configure authorized_keys"?

Good idea. I just made that change.

I don’t use Guix Home and I don’t know much about its internals, so
unfortunately I can’t help much with this problem.

--
Thanks,
Thiago






Information forwarded to bug-guix@HIDDEN:
bug#53752; Package guix.
Changed bug title to 'guix home cannot configure authorized_keys' from 'guix home symlink permissions'. Request was from Thiago Jung Bauermann <bauermann@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 53752 <at> debbugs.gnu.org:


References: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@HIDDEN>
 <1737102.PxY0oXxzeL@popigai>
In-Reply-To: <1737102.PxY0oXxzeL@popigai>
From: Zacchaeus Scheffer <zaccysc@HIDDEN>
Date: Thu, 3 Feb 2022 16:22:49 -0500
Message-ID: <CAJejy7mVv5whyc3nJt3e8S+DkKyZbRdoXRNT5q-DdVdJNLfX4A@HIDDEN>
Subject: Re: bug#53752: guix home symlink permissions
To: Thiago Jung Bauermann <bauermann@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org

It seems the permissions on the symlink don't matter.  The problem is that
the file linked to in the store is readable by everyone (which I am ok with
because it's just public keys).

There is a solution with guix system by configuring openssh directly (see
openssh-configuration -> authorized-keys), but there really should be a way
to do this with guix home.  (anyone that can call guix home for my user can
see/modify my authorized_keys anyway)

Maybe this bug should be renamed to something like "guix home cannot
configure authorized_keys"?
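The Guix System route mentioned above, as an added example by the editor (not code from this thread).  It uses only fields documented for openssh-configuration in the Guix manual: authorized-keys maps a user name to one or more file-like objects, and the service installs them under /etc/ssh/authorized_keys.d/ and points sshd at that directory, so no symlink in the user's home is involved.  The two extra fields turn off the fallbacks that a key-only setup normally wants gone.  "alice" and alice.pub are placeholders, and the key file is still a store item, so the same world-readable caveat applies.

```scheme
;; Added example (editor's code, documented openssh-configuration fields
;; only): system-level authorized keys for Guix System.  Append
;; %openssh-service to the operating-system's services list.
(use-modules (gnu services)
             (gnu services ssh)
             (guix gexp))

(define %openssh-service
  (service openssh-service-type
           (openssh-configuration
            ;; One entry per user; each key file is copied into the store
            ;; and installed under /etc/ssh/authorized_keys.d/ by the
            ;; service.  "alice" and alice.pub are placeholders.
            (authorized-keys
             `(("alice" ,(local-file "alice.pub"))))
            ;; Key-only login: no passwords, no root login at all.
            (password-authentication? #f)
            (permit-root-login #f))))
```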





Information forwarded to bug-guix@HIDDEN:
bug#53752; Package guix.

Message received at 53752 <at> debbugs.gnu.org:


From: Thiago Jung Bauermann <bauermann@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>
Subject: Re: bug#53752: guix home symlink permissions
Date: Thu, 03 Feb 2022 16:56:06 -0300
Message-ID: <1737102.PxY0oXxzeL@popigai>
In-Reply-To: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@HIDDEN>
References: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org

Hello Zacchaeus,

On Thursday, 3 February 2022, at 15:08:12 -03, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it seems
> guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't able
> to figure that out).

In Linux, symlink permissions are meaningless. From the chmod(1) man page:

“chmod never changes the permissions of symbolic links; the chmod system
call cannot change their permissions.  This is not a problem since the
permissions of symbolic links are never used.  However, for each symbolic
link listed on the command line, chmod changes the permissions of the
pointed-to file.  In contrast, chmod ignores symbolic links encountered
during recursive directory traversals.”

So AFAIK there’s nothing that guix home can do about that.
I don’t know what that implies for OpenSSH and authorized_keys, though.

--
Thanks,
Thiago
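What it implies for OpenSSH, as the editor reads it from sshd's source (this is not stated anywhere in the thread): with StrictModes on, safe_path() in OpenSSH's auth.c first resolves the path with realpath(), so the symlink's own mode is indeed irrelevant, and then requires the target file and every directory from it up to the user's home (or "/") to be owned by root or the user and to have no group or world write bit.  A store file is root-owned and mode 0444, so the file itself passes; but the walk upward never meets $HOME and instead reaches /gnu/store, which the Guix daemon keeps group-writable (mode 1775, group guixbuild, per the manual's daemon setup), and sshd refuses the key file there.  The Guile script below is an added example by the editor, not OpenSSH or Guix code; it walks the same chain so the refusal can be reproduced on a path without digging through sshd's debug log.

```scheme
;; strictmodes.scm: editor's model of sshd's StrictModes check (safe_path
;; in OpenSSH auth.c).  Added example for this bug report; it reproduces
;; the rules, not sshd's exact log messages.
(use-modules (ice-9 format))

(define (others-writable? st)
  ;; sshd rejects anything that is group- or world-writable (mode & 022).
  (not (zero? (logand (stat:perms st) #o022))))

(define (bad-owner? st uid)
  ;; The owner must be root or the user being authenticated.
  (not (or (zero? (stat:uid st)) (= (stat:uid st) uid))))

(define (strict-modes-ok? file home uid)
  "Return #t when FILE would be accepted by sshd for a user with numeric
id UID and canonical home directory HOME; otherwise print the reason and
return #f."
  (let* ((real (canonicalize-path file))   ; symlinks are resolved first
         (st   (stat real)))
    (cond
     ((or (bad-owner? st uid) (others-writable? st))
      (format #t "bad ownership or modes for file ~a~%" real)
      #f)
     ((not (eq? (stat:type st) 'regular))
      (format #t "~a is not a regular file~%" real)
      #f)
     (else
      ;; Walk the parent directories until HOME (or "/") is reached.  A
      ;; target under /gnu/store never passes through HOME, so the walk
      ;; reaches /gnu/store itself, which is group-writable, and fails.
      (let loop ((dir (dirname real)))
        (let ((dst (stat dir)))
          (cond
           ((or (bad-owner? dst uid) (others-writable? dst))
            (format #t "bad ownership or modes for directory ~a~%" dir)
            #f)
           ((or (string=? dir home) (string=? dir "/"))
            #t)
           (else
            (loop (dirname dir))))))))))

;; Usage: guile strictmodes.scm ~/.ssh/authorized_keys
;; Exit status 0 means sshd would accept the file, 1 means it would not.
(let ((args (command-line)))
  (when (> (length args) 1)
    (exit (if (strict-modes-ok? (cadr args)
                                (canonicalize-path (getenv "HOME"))
                                (getuid))
              0 1))))
```

Run it once against the symlink that guix home created and once against a regular copy of the same keys in ~/.ssh with mode 0600: the first stops at /gnu/store, the second stops at the home directory and succeeds.  The same walk is why copying the keys out of the store into a regular file fixes the login while leaving the store copy alone.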






Information forwarded to bug-guix@HIDDEN:
bug#53752; Package guix.

Message received at submit <at> debbugs.gnu.org:


From: Zacchaeus Scheffer <zaccysc@HIDDEN>
Date: Thu, 3 Feb 2022 13:08:12 -0500
Message-ID: <CAJejy7=okwP6Sous-ab_Ta44CgDDT9i795AxBcaZKyWaM8WErQ@HIDDEN>
Subject: guix home symlink permissions
To: bug-guix@HIDDEN

I finally migrated my home configuration to guix home.  However, it seems
guix home creates all symlinks with 777 permissions.  This causes problems
with openssh as it will not recognize my ~/.ssh/authorized_keys.  It seems
the directories have reasonable permissions (maybe because they already
existed?), but it seems like someone could in theory edit the symlinks
in-place (though I wasn't able to figure that out).

I formulated based on the example in Section 11.1 of the devel user
manual.  You should be able to recreate the problem with (replacing <your
ssh public key here>):

;; Modules needed for home-environment, simple-service,
;; home-files-service-type and plain-file.
(use-modules (gnu home)
             (gnu home services)
             (gnu services)
             (guix gexp))

(home-environment
  (services
    (list
      (simple-service
        'my-home-files-service
        home-files-service-type
        (list
          `("ssh/authorized_keys"
            ,(plain-file
               "home-authorized-keys"
               "<your ssh public key here>")))))))





Acknowledgement sent to Zacchaeus Scheffer <zaccysc@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN.
Report forwarded to bug-guix@HIDDEN:
bug#53752; Package guix.
Last modified: Tue, 8 Feb 2022 07:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.