GNU bug report logs - #65832
[PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.
Reported by: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Fri, 8 Sep 2023 20:50:01 UTC
Severity: important
Tags: patch, security
Done: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#65832; Package guix. (Fri, 08 Sep 2023 20:50:01 GMT)
Acknowledgement sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 08 Sep 2023 20:50:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Title says it all...
So, I've started using direnv with envrc.el, really great!
...which meant that on top of `guix shell' pestering me with its
shell-authorized-directories, I had to also type `direnv allow' all day.
Anyway, I found that direnv has a whitelist, prefix even; so I looked
into what guix shell might have and found that using
--8<---------------cut here---------------start------------->8---
echo '-allow-all-' > ~/.config/guix/shell-authorized-directories
--8<---------------cut here---------------end--------------->8---
acts like an undocumented whitelist prefix for /.
Find a fix attached.
Greetings,
Janneke
[0001-guix-shell-Don-t-whitelist-by-typo-in-shell-authoriz.patch (text/x-patch, inline)]
From 5b7af1342f4f0d91df9de960877889d40b8c5d64 Mon Sep 17 00:00:00 2001
Message-ID: <5b7af1342f4f0d91df9de960877889d40b8c5d64.1694206063.git.janneke <at> gnu.org>
From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 6 Sep 2023 10:52:17 +0200
Subject: [PATCH] guix: shell: Don't whitelist / by typo in
`shell-authorized-directories'.
Fixes <https://issues.guix.gnu.org/...>
* guix/scripts/shell.scm (authorized-shell-directory?): After warning,
continue LOOP to return valid query result for DIRECTORY.
---
guix/scripts/shell.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/guix/scripts/shell.scm b/guix/scripts/shell.scm
index d67152cef7..83888eee1d 100644
--- a/guix/scripts/shell.scm
+++ b/guix/scripts/shell.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2021-2023 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke <at> gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -232,7 +233,8 @@ (define (authorized-shell-directory? directory)
(port-line port)
(port-column port))))
(warning loc (G_ "ignoring invalid file name: '~a'~%")
- line))))))))))
+ line)
+ (loop))))))))))
(const #f)))
(define (options-with-caching opts)
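Review bot: The `(loop)` added after the `warning` call in `authorized-shell-directory?` comes without a regression test; the diffstat lists only guix/scripts/shell.scm. A test that reads an authorization file containing an invalid line such as the report's `-allow-all-` and checks that an unlisted directory is still rejected would pin this down. A one-line comment beside `(loop)` would also help, since before this change the `warning` call was the last expression of the branch and its value became the predicate's result. The commit message's `Fixes <https://issues.guix.gnu.org/...>` still carries a placeholder URL and should name the issue.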
base-commit: 4dd33fc62899134606f36f92594cf160b972f685
--
2.41.0
--
Janneke Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
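The failure mode reported above, as an added Guile sketch that is not the code in guix/scripts/shell.scm: in Scheme every value other than #f is true, so a diagnostic call left as the last expression of a predicate's branch makes the predicate answer "authorized". The names `authorized?`, `warn-invalid` and the sample file text are hypothetical and constructed for this example.

```scheme
;; Added illustration; NOT the code in guix/scripts/shell.scm.
;; `authorized?', `warn-invalid' and the sample text are hypothetical.
(use-modules (ice-9 rdelim))

(define (warn-invalid line)
  ;; Diagnostic stand-in: prints to stderr and returns a value that is not #f.
  (format (current-error-port) "ignoring invalid file name: '~a'~%" line))

(define (authorized? text directory fail-closed?)
  ;; Scan allow-list TEXT line by line; return true if DIRECTORY is listed.
  (call-with-input-string text
    (lambda (port)
      (let loop ()
        (let ((raw (read-line port)))
          (cond ((eof-object? raw) #f)            ;nothing matched: deny
                (else
                 (let ((line (string-trim-both raw)))
                   (cond ((or (string-null? line) (string-prefix? "#" line))
                          (loop))                 ;blank line or comment
                         ((string-prefix? "/" line)
                          (or (string=? line directory) (loop)))
                         (fail-closed?
                          (warn-invalid line)
                          (loop))                 ;warn, then keep scanning
                         (else
                          ;; Warning in tail position: its non-#f value
                          ;; becomes the predicate's answer (fail open).
                          (warn-invalid line)))))))))))

;; Constructed sample: one invalid entry ahead of one valid entry.
(define sample "# constructed sample\n-allow-all-\n/home/alice/project\n")

(define (show label value)
  ;; Print the result as a plain boolean.
  (format #t "~a => ~a~%" label (and value #t)))

(show "fail-open   /tmp/untrusted"
      (authorized? sample "/tmp/untrusted" #f))
(show "fail-closed /tmp/untrusted"
      (authorized? sample "/tmp/untrusted" #t))
(show "fail-closed /home/alice/project"
      (authorized? sample "/home/alice/project" #t))
```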
Reply sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: You have taken responsibility. (Fri, 08 Sep 2023 20:56:02 GMT)
Notification sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: bug acknowledged by developer. (Fri, 08 Sep 2023 20:56:02 GMT)
Message #10 received at 65832-done <at> debbugs.gnu.org:
Janneke Nieuwenhuizen writes:
Hi!
> Title says it all...
[..]
After discussing with the security team, pushed to master as
1ef4974be94d75d935d98399dcda44199a1fca47
Greetings,
Janneke
--
Janneke Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 11 Sep 2023 15:50:02 GMT)
Added tag(s) security. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Mon, 11 Sep 2023 15:50:02 GMT)
Information forwarded to bug-guix <at> gnu.org: bug#65832; Package guix. (Mon, 11 Sep 2023 15:51:02 GMT)
Message #17 received at 65832 <at> debbugs.gnu.org:
Hi,
Janneke Nieuwenhuizen <janneke <at> gnu.org> skribis:
> From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
> Date: Wed, 6 Sep 2023 10:52:17 +0200
> Subject: [PATCH] guix: shell: Don't whitelist / by typo in
> `shell-authorized-directories'.
>
> Fixes <https://issues.guix.gnu.org/...>
>
> * guix/scripts/shell.scm (authorized-shell-directory?): After warning,
> continue LOOP to return valid query result for DIRECTORY.
Thanks a lot for finding, reporting, and fixing this issue!
Ludo’.
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 10 Oct 2023 11:24:08 GMT)
This bug report was last modified 1 year and 212 days ago.