GNU bug report logs - #57217
home-openssh-service-type creates .ssh/config with wrong permissions


Package: guix;

Reported by: Elias Kueny <elias.kueny <at> posteo.net>

Date: Sun, 14 Aug 2022 22:03:02 UTC

Severity: important

Tags: notabug

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#57217; Package guix. (Sun, 14 Aug 2022 22:03:02 GMT)

Acknowledgement sent to Elias Kueny <elias.kueny <at> posteo.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 14 Aug 2022 22:03:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Elias Kueny <elias.kueny <at> posteo.net>
To: bug-guix <at> gnu.org
Subject: home-openssh-service-type creates .ssh/config with wrong permissions
Date: Sun, 14 Aug 2022 18:04:14 +0000
Hello,

I'm trying to use home-openssh-service-type. I'm testing the configuration by running
 guix home container home-configuration.scm

The files are created with too open permissions, so ssh refuses to run:

 $ ssh xxx
 Bad owner or permissions on ~/.ssh/config

 $ ls -l .ssh
 lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
 lrwxrwxrwx 1 user users  52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

And the file system being read-only, a manual chmod is not possible.


 $ guix describe
 guix 9e46320
   repository URL: https://git.savannah.gnu.org/git/guix.git
   branch: master
   commit: 9e4632081ff31bf0d1715edd66f514614c6dc4bb

Best,
Elias




Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 31 Aug 2022 10:52:01 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#57217; Package guix. (Fri, 23 Sep 2022 07:15:01 GMT)

Message #10 received at 57217 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Elias Kueny <elias.kueny <at> posteo.net>
Cc: 57217 <at> debbugs.gnu.org
Subject: Re: bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
Date: Fri, 23 Sep 2022 09:13:47 +0200
Hi Elias,

Elias Kueny <elias.kueny <at> posteo.net> skribis:

> The files are created with too open permissions, so ssh refuses to run:
>
>  $ ssh xxx
>  Bad owner or permissions on ~/.ssh/config
>
>  $ ls -l .ssh
>  lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
>  lrwxrwxrwx 1 user users  52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

--8<---------------cut here---------------start------------->8---
$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

The relevant check in OpenSSH is this:

--8<---------------cut here---------------start------------->8---
      if (fstat(fileno(f), &sb) == -1)
              fatal("fstat %s: %s", filename, strerror(errno));
      if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
          (sb.st_mode & 022) != 0))
              fatal("Bad owner or permissions on %s", filename);
--8<---------------cut here---------------end--------------->8---

That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:

--8<---------------cut here---------------start------------->8---
$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan  1  1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.
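
The check quoted above, re-implemented as an added example (not code from the thread or from OpenSSH), so the two cases Ludo describes can be reproduced on any machine: `owner_and_mode_ok` is the pure form of the `fstat`/`st_uid`/`022` test with the uid passed in explicitly, and `check_ssh_config` applies it to a real path the way ssh does, through `fstat` on the opened file so a symlink into the store is judged by its target. All function names are hypothetical, and `demo` builds its own read-only config file and symlink in a temporary directory.

```python
import os
import tempfile


def owner_and_mode_ok(st_uid, st_mode, uid):
    """Pure form of the OpenSSH readconf test quoted in the thread: the
    file must be owned by root (uid 0) or by the calling user, and neither
    group nor others may have the write bit set (st_mode & 022)."""
    if st_uid != 0 and st_uid != uid:
        return (False, "bad owner")
    if st_mode & 0o022:
        return (False, "group or world writable")
    return (True, "ok")


def check_ssh_config(path, uid=None):
    """Open PATH as ssh does and fstat the open descriptor, so a symlink
    such as ~/.ssh/config -> /gnu/store/...-ssh.conf is judged by the
    owner and mode of its target, not of the link itself."""
    if uid is None:
        uid = os.getuid()
    with open(path, "rb") as f:
        sb = os.fstat(f.fileno())
    return owner_and_mode_ok(sb.st_uid, sb.st_mode, uid)


def demo():
    """Constructed example of the Guix home layout: a read-only config
    reached through a symlink, checked as the current user (who owns the
    temporary file, so this is the working, host-side case)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "ssh.conf")
        link = os.path.join(d, "config")
        with open(target, "w") as f:
            f.write("Host example\n  User me\n")  # constructed content
        os.chmod(target, 0o444)  # -r--r--r--, like a store item
        os.symlink(target, link)
        return check_ssh_config(link)
```

Calling `owner_and_mode_ok(65534, 0o444, 1000)` reproduces the container failure from the thread (the store file owned by the overflow uid is rejected as "bad owner"), while `owner_and_mode_ok(0, 0o444, 1000)` is the host case that passes.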




Information forwarded to bug-guix <at> gnu.org:
bug#57217; Package guix. (Fri, 23 Sep 2022 20:17:01 GMT)

Message #13 received at 57217 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Elias Kueny <elias.kueny <at> posteo.net>
Cc: 57217 <at> debbugs.gnu.org
Subject: Re: bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
Date: Fri, 23 Sep 2022 22:15:48 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:

> To address the issue at hand, we would need to map UID 0 of the host as
> UID 0 of the guest, but I’m not sure this can be done.

I believe it cannot be done: we can only map a single UID (at least
unless/until we use subordinate UIDs.)

Back to the original problem: it only affects ‘guix home container’; so
while this is annoying, it’s not a showstopper.  WDYT?

Ludo’.




Added tag(s) notabug. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Fri, 07 Oct 2022 08:33:01 GMT)

bug closed, send any further explanations to 57217 <at> debbugs.gnu.org and Elias Kueny <elias.kueny <at> posteo.net>. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Fri, 07 Oct 2022 08:33:01 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 04 Nov 2022 11:24:06 GMT)
