From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: Maxime Devos <maximedevos@HIDDEN>, Zacchaeus Scheffer <zaccysc@HIDDEN>
Date: Tue, 08 Feb 2022 08:01:33 +0100
Subject: Re: bug#53752: guix home symlink permissions

On Monday, 07.02.2022 at 22:02 +0100, Maxime Devos wrote:
> Zacchaeus Scheffer wrote on Mon 07-02-2022 at 14:47 [-0500]:
> > I was able to create the desired effect with the following service
> > definition:
> > (simple-service
> >  'my-activation-service
> >  home-activation-service-type
> >  (gexp
> >   (begin
> >     (chdir (ungexp user-home))
> >     (if (not (file-exists? ".ssh"))
> >         (mkdir ".ssh"))
> >     (chmod ".ssh" #o700)
> >     (chdir ".ssh")
> >     (let ((port (open-output-file "authorized_keys")))
> >       (display (ungexp authorized-keys) port)
> >       (close-port port))
> >     (chmod "authorized_keys" #o600)
> >     (chdir ".."))))
> > where 'user-home and 'authorized-keys are appropriate strings
> > defined earlier in the file.
> >
> > I believe that resolves the issue,
>
> Users shouldn't have to do this (relatively) huge block of relatively
> inscrutable code though, I believe something along these lines (or a
> different solution) needs to be implemented in Guix itself somewhere
> before the issue is resolved.

I'll again be pointing at the "don't put secrets into your store"
shield.  We'd have to find a reasonable way of encrypting sensitive
data before we can do a home-ssh-service-type.

@Zacchaeus, your code can likely be simplified to

  #~(with-directory-excursion #$user-home
      (mkdir-p ".ssh")
      (chmod ".ssh" #o700)
      (with-directory-excursion ".ssh"
        (copy-file #$authorized-keys "authorized_keys")
        (chmod "authorized_keys" #o600)))

though perhaps there's some magic incantation to import (guix build
utils) for mkdir-p and with-directory-excursion that I'm missing here.

Cheers

From: Maxime Devos <maximedevos@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>, Liliana Marie Prikler <liliana.prikler@HIDDEN>
Date: Mon, 07 Feb 2022 22:02:26 +0100
Subject: Re: bug#53752: guix home symlink permissions

Zacchaeus Scheffer wrote on Mon 07-02-2022 at 14:47 [-0500]:
> I was able to create the desired effect with the following service
> definition:
> (simple-service
>  'my-activation-service
>  home-activation-service-type
>  (gexp
>   (begin
>     (chdir (ungexp user-home))
>     (if (not (file-exists? ".ssh"))
>         (mkdir ".ssh"))
>     (chmod ".ssh" #o700)
>     (chdir ".ssh")
>     (let ((port (open-output-file "authorized_keys")))
>       (display (ungexp authorized-keys) port)
>       (close-port port))
>     (chmod "authorized_keys" #o600)
>     (chdir ".."))))
> where 'user-home and 'authorized-keys are appropriate strings defined
> earlier in the file.
>
> I believe that resolves the issue,

Users shouldn't have to do this (relatively) huge block of relatively
inscrutable code though, I believe something along these lines (or a
different solution) needs to be implemented in Guix itself somewhere
before the issue is resolved.

Greetings,
Maxime.

From: Zacchaeus Scheffer <zaccysc@HIDDEN>
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>
Date: Mon, 7 Feb 2022 14:47:57 -0500
Subject: Re: guix home symlink permissions

> > > I finally migrated my home configuration to guix home.  However, it
> > > seems guix home creates all symlinks with 777 permissions.  This causes
> > > problems with openssh as it will not recognize my
> > > ~/.ssh/authorized_keys.  It seems the directories have reasonable
> > > permissions (maybe because they already existed?), but it seems like
> > > someone could in theory edit the symlinks in-place (though I wasn't
> > > able to figure that out).
> > Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
> > write a home-activation-service, which
> >
> > 1. creates ~/.ssh with chmod 700
> > 1a. if it already existed, enforces chmod 700 anyways
> > 2. creates authorized_keys with chmod 600 if it doesn't exist
> > 3. writes the authorized keys.
>
> I'll try that soon (next 1-3 days), and hopefully then we can close this
> issue.

I was able to create the desired effect with the following service
definition:

(simple-service
 'my-activation-service
 home-activation-service-type
 (gexp
  (begin
    (chdir (ungexp user-home))
    (if (not (file-exists? ".ssh"))
        (mkdir ".ssh"))
    (chmod ".ssh" #o700)
    (chdir ".ssh")
    (let ((port (open-output-file "authorized_keys")))
      (display (ungexp authorized-keys) port)
      (close-port port))
    (chmod "authorized_keys" #o600)
    (chdir ".."))))

where 'user-home and 'authorized-keys are appropriate strings defined
earlier in the file.

I believe that resolves the issue,
Zacchaeus Scheffer

From: Zacchaeus Scheffer <zaccysc@HIDDEN>
To: Liliana Marie Prikler <liliana.prikler@HIDDEN>
Date: Fri, 4 Feb 2022 13:17:54 -0500
Subject: Re: guix home symlink permissions

> > I finally migrated my home configuration to guix home.  However, it
> > seems guix home creates all symlinks with 777 permissions.  This causes
> > problems with openssh as it will not recognize my
> > ~/.ssh/authorized_keys.  It seems the directories have reasonable
> > permissions (maybe because they already existed?), but it seems like
> > someone could in theory edit the symlinks in-place (though I wasn't
> > able to figure that out).
> Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
> write a home-activation-service, which
>
> 1. creates ~/.ssh with chmod 700
> 1a. if it already existed, enforces chmod 700 anyways
> 2. creates authorized_keys with chmod 600 if it doesn't exist
> 3. writes the authorized keys.

I'll try that soon (next 1-3 days), and hopefully then we can close this
issue.

> I would strongly advise against that however.  While user homes are by
> default 700 in Guix, the store is world readable and so are your
> authorized keys if you put them there.  A malicious user can't
> necessarily change them, but they can spy on you.

For context, I keep such info in my password store, but am ok with
certain things from it not being "secret".  It is already standard for
public keys to be kept in the store; see:
 - operating-system -> services -> openssh -> authorized-keys
and as a more extreme example, encrypted user passwords are often kept
in the store; see:
 - operating-system -> users -> user -> password
It's not ideal that someone can snoop my public keys, but that is worth
enabling me to have private keys that can reproducibly connect to my
user.  If one is worried about it, they could avoid usage of those
specific private keys as much as possible, so I think it's ok...

> Guix currently has no way of securely storing your data in the store
> (in a cryptographic sense).  This is exacerbated by the fact that such
> files aren't well-encrypted by default -- user read-only is "good
> enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
> stores metadata in plain.  Emacs plstores and Recfiles likewise support
> partial encryption based on GPG.
>
> This issue has been known since June 2020 [1].  While there would in
> theory exist solutions that can work for (guix home) but not (guix
> system), I can not yet make any statements regarding their quality.
> Indeed, storing secrets with Guix is an open issue, that will likely be
> given some attention during the upcoming Guix Days.

At the end of the day, there will be setup that should NOT happen
automatically (should require gpg passphrase input).  Currently, I do
this for private keys by automatically pulling from my password store
(requiring password input) using fancy emacs org tangling.  I'll look
into managing even this with guix home, but that is probably a
discussion for guix-devel.

Thanks all,
Zacchaeus Scheffer

From: Liliana Marie Prikler <liliana.prikler@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>, 53752 <at> debbugs.gnu.org
Date: Fri, 04 Feb 2022 10:58:22 +0100
Subject: Re: guix home symlink permissions

On Thursday, 03.02.2022 at 13:08 -0500, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it
> seems guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't
> able to figure that out).

Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
write a home-activation-service, which

1. creates ~/.ssh with chmod 700
1a. if it already existed, enforces chmod 700 anyways
2. creates authorized_keys with chmod 600 if it doesn't exist
3. writes the authorized keys.

I would strongly advise against that however.  While user homes are by
default 700 in Guix, the store is world readable and so are your
authorized keys if you put them there.  A malicious user can't
necessarily change them, but they can spy on you.

Guix currently has no way of securely storing your data in the store
(in a cryptographic sense).  This is exacerbated by the fact that such
files aren't well-encrypted by default -- user read-only is "good
enough" in many cases, e.g. gnome-keyring does encrypt passwords, but
stores metadata in plain.  Emacs plstores and Recfiles likewise support
partial encryption based on GPG.

This issue has been known since June 2020 [1].  While there would in
theory exist solutions that can work for (guix home) but not (guix
system), I can not yet make any statements regarding their quality.
Indeed, storing secrets with Guix is an open issue, that will likely be
given some attention during the upcoming Guix Days.

Cheers

[1] https://lists.gnu.org/archive/html/guix-devel/2020-06/msg00091.html
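
Added example (not part of any message in this thread, and not Guix's own code): the four-step procedure from the message above written as a home activation service, with the (guix build utils) import that the 8 February reply asks about. The names %authorized-keys and ssh-authorized-keys-service, the 'ssh-authorized-keys service name, the ".new" temporary suffix and the sample key line are assumptions made for illustration.

```scheme
;; Added example, not code from the thread or from Guix.
;; Hypothetical names: %authorized-keys, ssh-authorized-keys-service,
;; the 'ssh-authorized-keys service name and the ".new" temporary suffix.
(use-modules (gnu home services)   ; home-activation-service-type
             (gnu services)        ; simple-service
             (guix gexp))          ; #~, #$, plain-file, with-imported-modules

;; Constructed sample content.  plain-file copies this text into the
;; world-readable store, so it must hold public keys only.
(define %authorized-keys
  (plain-file "authorized_keys"
              "ssh-ed25519 CONSTRUCTED-SAMPLE-PUBLIC-KEY user@example.org\n"))

(define ssh-authorized-keys-service
  (simple-service
   'ssh-authorized-keys
   home-activation-service-type
   ;; with-imported-modules ships (guix build utils) with the activation
   ;; script; use-modules then brings mkdir-p into scope when it runs.
   (with-imported-modules '((guix build utils))
     #~(begin
         (use-modules (guix build utils))
         (let* ((ssh-dir   (string-append (getenv "HOME") "/.ssh"))
                (target    (string-append ssh-dir "/authorized_keys"))
                (tmp       (string-append target ".new"))
                ;; With this umask nothing created below is group- or
                ;; world-accessible, even before the explicit chmod calls.
                (old-umask (umask #o077)))
           (dynamic-wind
             (const #t)
             (lambda ()
               ;; Steps 1 and 1a: create ~/.ssh, and force 700 even if it
               ;; already existed with looser permissions.
               (mkdir-p ssh-dir)
               (chmod ssh-dir #o700)
               ;; Steps 2 and 3: write a regular file (not a symlink into
               ;; the store), set 600, then move it into place.  rename-file
               ;; replaces an existing symlink rather than following it.
               (false-if-exception (delete-file tmp))
               (copy-file #$%authorized-keys tmp)
               (chmod tmp #o600)
               (rename-file tmp target))
             (lambda ()
               ;; Restore the umask for the rest of the activation script.
               (umask old-umask))))))))
```

Add ssh-authorized-keys-service to the services field of the home-environment, and drop any symlink-based declaration of the same path so the two do not fight over it.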
bug-guix@HIDDEN: bug#53752; Package guix.
From: Thiago Jung Bauermann <bauermann@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org
Subject: Re: bug#53752: guix home symlink permissions
Date: Thu, 03 Feb 2022 20:06:25 -0300

On Thursday, 3 February 2022, at 18:22:49 -03, Zacchaeus Scheffer wrote:
> It seems the permissions on the symlink don't matter.  The problem is
> that the file linked to in the store is readable by everyone (which I am
> ok with because it's just public keys).
>
> There is a solution with guix system by configuring openssh directly (see
> openssh-configuration -> authorized-keys), but there really should be a
> way to do this with guix home.  (anyone that can call guix home for my
> user can see/modify my authorized_keys anyway)
>
> Maybe this bug should be renamed to something like "guix home cannot
> configure authorized_keys"?

Good idea. I just made that change.

I don’t use Guix Home and I don’t know much about its internals, so unfortunately I can’t help much with this problem.

-- 
Thanks,
Thiago
Thiago Jung Bauermann <bauermann@HIDDEN> to control <at> debbugs.gnu.org.
From: Zacchaeus Scheffer <zaccysc@HIDDEN>
To: Thiago Jung Bauermann <bauermann@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org
Subject: Re: bug#53752: guix home symlink permissions
Date: Thu, 3 Feb 2022 16:22:49 -0500

It seems the permissions on the symlink don't matter.  The problem is that the file linked to in the store is readable by everyone (which I am ok with because it's just public keys).

There is a solution with guix system by configuring openssh directly (see openssh-configuration -> authorized-keys), but there really should be a way to do this with guix home.  (anyone that can call guix home for my user can see/modify my authorized_keys anyway)

Maybe this bug should be renamed to something like "guix home cannot configure authorized_keys"?
From: Thiago Jung Bauermann <bauermann@HIDDEN>
To: Zacchaeus Scheffer <zaccysc@HIDDEN>
Cc: 53752 <at> debbugs.gnu.org
Subject: Re: bug#53752: guix home symlink permissions
Date: Thu, 03 Feb 2022 16:56:06 -0300

Hello Zacchaeus,

On Thursday, 3 February 2022, at 15:08:12 -03, Zacchaeus Scheffer wrote:
> I finally migrated my home configuration to guix home.  However, it seems
> guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't able
> to figure that out).

In Linux, symlink permissions are meaningless. From the chmod(1) man page:

“chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. This is not a problem since the permissions of symbolic links are never used. However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. In contrast, chmod ignores symbolic links encountered during recursive directory traversals.”

So AFAIK there’s nothing that guix home can do about that.

I don’t know what that implies for OpenSSH and authorized_keys, though.

-- 
Thanks,
Thiago
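The chmod(1) passage quoted above, as a check one can run: an added example, not part of the original message. It shows that the 777 on the link is not what decides anything, and audits the resolved path with a test modelled on OpenSSH's StrictModes rule (owner is the user or root, no group/world write bit on the file or on any parent directory up to the home directory). The directory layout, including a group-writable "store" directory, is constructed for the demo and is an assumption; it needs GNU stat and readlink -f.

```shell
#!/bin/sh
# Added example. All paths, modes and key text are constructed.

# Mode of the link itself (lstat) versus the file it points to (stat).
link_mode()   { stat -c %a "$1"; }
target_mode() { stat -L -c %a "$1"; }

# Succeed only if $1 is owned by the caller or root and carries no
# group/world write bit; otherwise print why and fail.
check_component() {
    owner=$(stat -L -c %u "$1") || return 1
    mode=$(stat -L -c %a "$1") || return 1
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$(id -u)" ]; then
        echo "bad owner $owner: $1"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then    # 022 = group|other write
        echo "bad mode $mode: $1"; return 1
    fi
}

# Resolve symlinks in $1, then check the file and each parent directory
# until $2 (the home directory) or / is reached.
audit_path() {
    p=$(readlink -f "$1") || return 1
    stop=$(readlink -f "$2") || return 1
    while :; do
        check_component "$p" || return 1
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# Constructed layout: a private home whose authorized_keys is a symlink
# into a separate directory that is group-writable (demo assumption).
build_layout() {
    mkdir -m 700 "$1/home" "$1/home/.ssh"
    mkdir -m 775 "$1/store"
    echo 'ssh-ed25519 AAAA...constructed user@example' > "$1/store/keys"
    chmod 444 "$1/store/keys"
    ln -s "$1/store/keys" "$1/home/.ssh/authorized_keys"
}

demo() {
    d=$(mktemp -d) || return 1
    build_layout "$d"
    f=$d/home/.ssh/authorized_keys
    echo "link mode:   $(link_mode "$f")"
    echo "target mode: $(target_mode "$f")"
    audit_path "$f" "$d/home" && echo "audit: ok" || echo "audit: rejected"
    rm -rf "$d"
}
demo
```

The audit fails on the directory that holds the link target, not on the link; with a regular 600 file inside a 700 ~/.ssh the same audit passes.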
From: Zacchaeus Scheffer <zaccysc@HIDDEN>
To: bug-guix@HIDDEN
Subject: guix home symlink permissions
Date: Thu, 3 Feb 2022 13:08:12 -0500

I finally migrated my home configuration to guix home.  However, it seems guix home creates all symlinks with 777 permissions.  This causes problems with openssh as it will not recognize my ~/.ssh/authorized_keys.  It seems the directories have reasonable permissions (maybe because they already existed?), but it seems like someone could in theory edit the symlinks in-place (though I wasn't able to figure that out).

I formulated based on the example in Section 11.1 of the devel user manual.  You should be able to recreate the problem with (replacing <your ssh public key here>):

(home-environment
  (services
    (list
      (simple-service
       'my-home-files-service
       home-files-service-type
       (list
        `("ssh/authorized_keys"
          ,(plain-file
            "home-authorized-keys"
            "<your ssh public key here>")))))))
Zacchaeus Scheffer <zaccysc@HIDDEN>: bug-guix@HIDDEN.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.