GNU bug report logs - #73166
'shell-authorized-directories' located in the wrong place?


Package: guix; Reported by: Nicolas Graves <ngraves@HIDDEN>; Keywords: patch; dated Tue, 10 Sep 2024 11:32:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) patch. Request was from Simon Tournier <zimon.toutoune@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


Date: Thu, 14 Nov 2024 13:07:36 +0200
From: Saku Laesvuori <saku@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org, Ludovic Courtès <ludo@HIDDEN>, bug-guix@HIDDEN, Suhail Singh <suhailsingh247@HIDDEN>, Andrew Tropin <andrew@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Message-ID: <sfd644m6yzghr7skqa6c56b3ixvc6hnljvcx6fdmfuaibkit5a@fnlnzhtrzjpi>
In-Reply-To: <87o72k4cty.fsf@HIDDEN>

On Tue, Nov 12, 2024 at 05:49:13PM +0100, Nicolas Graves wrote:
> On 2024-11-12 09:50, Suhail Singh wrote:
>
> > I was under the impression that the build phase in guix is always
> > containerized and without network access.  Could you please elaborate on
> > this?
>
> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.  Saku provided an example in an earlier email
> of a valid but dangerous manifest:
>
> ```scheme
> ;; system* takes the program and each argument separately (no shell),
> ;; so the home directory has to be resolved with getenv
> (system* "rm" "-rf" (getenv "HOME"))
> (specifications->manifest (list "hello"))
> ```
>
> We could also have one that downloads malicious code, or uploads private
> info, the POC is left as an exercise for the reader ;)
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.
>
> This would in turn mean that (given the same guix revision) we can
> always run a `guix shell --allow`-ed using `guix shell --container`
> which actually makes a lot of sense in my use-case.  I don't really know
> about other use-cases, but I guess it's the same, even a scheme
> developer would probably want a manifest that doesn't depend on files
> outside of his repo or the network.  Saku, do you have an opinion on
> this?

There are likely some cases where someone would want to define a
manifest that depends on external factors, but I do agree they seem
rare. Probably not in a public project repo but maybe someone would want
to have (for example) different environments in different directories
and some common values in ~/.config that all of them refer to.

> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to run
> `guix shell --allow`.

In the repository manifest use-case this seems to not be a downside (the
user is to build the environment anyway if they authorized it). In other
use-cases this might prevent people from using guix shell --allow even
though their case might be much more secure (like the environments in
different directories sharing common data).

> WDYT?

The only benefit seems to be in situations where the user would want the
shell to be in a container, so maybe in that case the default behaviour
should be to also evaluate the manifest in the container. I don't know
whether that would be a good choice. It increases security for those who
use a container and don't know that loading an environment is equivalent
to executing the file, but if it leads people to assume that loading an
environment is safer than executing a file in general, they have less
security in non-container environments.

We should keep in mind that implicit manifests for guix shell are not
only useful in public repositories.

- Saku

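The two points the thread keeps returning to, that loading a manifest is the same as executing it and that automatic loading could be limited to manifests which evaluate under tighter conditions, as an added example that is not part of bug#73166 or of Guix itself. It swaps in a Guile-level whitelist, `(ice-9 sandbox)`, for the container the thread proposes: the manifest's forms are evaluated in a sealed module that exposes only Guile's pure bindings plus `specifications->manifest`, so a manifest that calls `system*`, `open-file`, `getenv` or anything else outside that list fails to evaluate and is not "authorized". Assumptions of the example: it runs under `guix repl` so that `(gnu packages)` is loadable, `(command-line)` yields the script name followed by its arguments, and the allowed-binding list, file names, limits and the two constructed manifests are the example's own, not from the report.

```scheme
;; sandbox-manifest.scm -- added example, not part of bug#73166 or of Guix.
;; Gate: evaluate a manifest.scm inside a Guile sandbox that exposes only pure
;; bindings plus specifications->manifest, and refuse to "authorize" it when
;; evaluation needs anything else (system*, open-file, getenv, use-modules ...).
;; Run:  guix repl -- sandbox-manifest.scm [manifest.scm]
;; With no argument it checks the two constructed manifests defined below.
(use-modules (ice-9 sandbox)
             (ice-9 match))

;; Assumption of this example: a well-behaved manifest needs nothing beyond
;; the sandbox's pure bindings and specifications->manifest from (gnu packages).
(define manifest-bindings
  (cons '((gnu packages) specifications->manifest)
        all-pure-bindings))

(define (read-all-forms port)
  "Return every top-level datum in PORT, in order."
  (let loop ((forms '()))
    (let ((form (read port)))
      (if (eof-object? form)
          (reverse forms)
          (loop (cons form forms))))))

(define (evaluate-manifest-sandboxed file)
  "Evaluate FILE in a fresh sealed sandbox module.  Return (ok MANIFEST) when
every form evaluates with the allowed bindings only, else (refused KEY ARGS)."
  (let ((forms (call-with-input-file file read-all-forms)))
    (catch #t
      (lambda ()
        (list 'ok
              (eval-in-sandbox `(begin ,@forms)
                               #:module (make-sandbox-module manifest-bindings)
                               ;; package lookup loads many modules: raise the
                               ;; default 0.1 s / 100 MB limits (tune locally)
                               #:time-limit 120
                               #:allocation-limit #e4e9)))
      (lambda (key . args)
        (list 'refused key args)))))

(define (authorize? file)
  "Report the decision for FILE and return #t only if the sandboxed
evaluation succeeded, i.e. the manifest is a candidate for automatic loading."
  (match (evaluate-manifest-sandboxed file)
    (('ok _)
     (format #t "~a: evaluates with pure bindings only; may be authorized~%" file)
     #t)
    (('refused key args)
     (format #t "warning: ~a: not authorized, evaluation needs more than a pure manifest (~a ~s)~%"
             file key args)
     #f)))

;; Constructed sample manifests (not the bug report's own files): the second
;; one performs a side effect when loaded, exactly the class of manifest the
;; thread is worried about, with a harmless marker instead of rm -rf.
(define benign-manifest
  "(specifications->manifest (list \"hello\"))\n")

(define hostile-manifest
  "(system* \"touch\" \"/tmp/manifest-was-loaded\")
(specifications->manifest (list \"hello\"))\n")

(define (call-with-temporary-manifest text proc)
  "Write TEXT to a temporary file, call PROC on its name, then delete it."
  (let* ((port (mkstemp! (string-copy "/tmp/manifest-XXXXXX")))
         (file (port-filename port)))
    (display text port)
    (close-port port)
    (let ((result (proc file)))
      (delete-file file)
      result)))

(match (cdr (command-line))
  ((file) (exit (if (authorize? file) 0 1)))
  (_
   (call-with-temporary-manifest benign-manifest authorize?)    ; authorized
   (call-with-temporary-manifest hostile-manifest authorize?))) ; refused
```

Two caveats a practitioner should keep in mind. The check has to run before the file is ever handed to `guix shell -m`, because that evaluates the manifest on the host with the user's full privileges; a sandboxed pass afterwards proves nothing. And this whitelist is deliberately strict: a manifest that begins with `(use-modules ...)` is refused too, so a real gate would need either a richer allowed-binding list or the containerized evaluation the thread discusses, and even then package lookup still reads package definitions from the local Guix checkout and channels, which is outside the repository.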




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


Date: Tue, 12 Nov 2024 12:08:52 -0500
From: Suhail Singh <suhailsingh247@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Cc: bug-guix@HIDDEN, Ludovic Courtès <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org, Andrew Tropin <andrew@HIDDEN>, Saku Laesvuori <saku@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Message-ID: <875xosmlaz.fsf@HIDDEN>
In-Reply-To: <87o72k4cty.fsf@HIDDEN> (Nicolas Graves's message of "Tue, 12 Nov 2024 17:49:13 +0100")

Nicolas Graves <ngraves@HIDDEN> writes:

> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.
>
> ...
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside package building I mean), and otherwise refuse to allow
> (failing manifest, possibly because it tries to access the network or
> files outside the repo) with a warning message, providing the ability to
> restrain "automatic loading" to certain "safer" conditions only.

I see.  I think in the event that the manifest doesn't build in a
containerized environment without networking access, providing a warning
when using --allow would be quite helpful.  It would inform the user of
situations where what's happening in the manifest has fewer guarantees.

If we were to do the above for --allow, but still allow the user to
bypass that via shell-authorized-directories if desired, I believe it
would be a good tradeoff: make well-behaved code easier to use, while
still allowing for less-well-behaved workflows with some minor
inconvenience.

I am assuming in the above that this wouldn't interfere with additional
channels being used in the repo.

> The downside is that we would have to basically run `guix shell
> --container` (and build all there is to build) before being able to
> run `guix shell --allow`.

As long as we properly document this, I think that that's acceptable.

-- 
Suhail




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


Received: (at 73166) by debbugs.gnu.org; 12 Nov 2024 16:49:22 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Nov 12 11:49:22 2024
Received: from localhost ([127.0.0.1]:39316 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1tAu4v-0001Nk-M8
	for submit <at> debbugs.gnu.org; Tue, 12 Nov 2024 11:49:22 -0500
Received: from 1.mo576.mail-out.ovh.net ([178.33.251.173]:42177)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ngraves@HIDDEN>) id 1tAu4q-0001NV-Bu
 for 73166 <at> debbugs.gnu.org; Tue, 12 Nov 2024 11:49:19 -0500
Received: from director5.ghost.mail-out.ovh.net (unknown [10.108.17.3])
 by mo576.mail-out.ovh.net (Postfix) with ESMTP id 4Xnsnk6Hr7z1sV3
 for <73166 <at> debbugs.gnu.org>; Tue, 12 Nov 2024 16:49:14 +0000 (UTC)
Received: from ghost-submission-5b5ff79f4f-fzvbv (unknown [10.110.168.23])
 by director5.ghost.mail-out.ovh.net (Postfix) with ESMTPS id E9C381FE03;
 Tue, 12 Nov 2024 16:49:13 +0000 (UTC)
Received: from ngraves.fr ([37.59.142.100])
 by ghost-submission-5b5ff79f4f-fzvbv with ESMTPSA
 id +nnkLwmHM2fHDAEArr37Ng
 (envelope-from <ngraves@HIDDEN>); Tue, 12 Nov 2024 16:49:13 +0000
Authentication-Results: garm.ovh; auth=pass
 (GARM-100R00301b1fc06-d0e2-490b-a77f-3595f1ba5ee1,
 0B7C747073764E4F408419E75FC43749CA20D107) smtp.auth=ngraves@HIDDEN
X-OVh-ClientIp: 90.92.117.144
From: Nicolas Graves <ngraves@HIDDEN>
To: Suhail Singh <suhailsingh247@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <87ttccmrp1.fsf@HIDDEN>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
 <87ikstteal.fsf@HIDDEN> <87cyj06g97.fsf@HIDDEN>
 <87ttccmrp1.fsf@HIDDEN>
Date: Tue, 12 Nov 2024 17:49:13 +0100
Message-ID: <87o72k4cty.fsf@HIDDEN>
Cc: Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org,
 Suhail Singh <suhailsingh247@HIDDEN>, Andrew Tropin <andrew@HIDDEN>,
 Saku Laesvuori <saku@HIDDEN>

On 2024-11-12 09:50, Suhail Singh wrote:

> I was under the impression that the build phase in guix is always
> containerized and without network access.  Could you please elaborate on
> this?

Building a package yes, but you can have external commands in a
manifest.scm or guix.scm.  Saku provided an example in an earlier email
of a valid but dangerous manifest:

```scheme
;; system* takes the program and each of its arguments separately; a single
;; "rm -rf $HOME" string would be looked up as a program name and never
;; shell-expanded.  Either way, the call runs on the host as soon as the
;; manifest is loaded, before any package is built.
(system* "rm" "-rf" (getenv "HOME"))
(specifications->manifest (list "hello"))
```

We could also have one that downloads malicious code, or uploads private
info, the POC is left as an exercise for the reader ;)

What I was saying is that we could restrain recording `guix shell --allow`
only if the manifest builds properly containerized and without network
access (outside package building I mean), and otherwise refuse to allow
(failing manifest, possibly because it tries to access the network or
files outside the repo) with a warning message, providing the ability to
restrain "automatic loading" to certain "safer" conditions only.

This would in turn mean that (given the same guix revision) we can
always run a `guix shell --allow`-ed using `guix shell --container`
which actually makes a lot of sense in my use-case.  I don't really know
about other use-cases, but I guess it's the same, even a scheme
developer would probably want a manifest that doesn't depend on files
outside of his repo or the network.  Saku, do you have an opinion on
this?

The downside is that we would have to basically run `guix shell
--container` (and build all there is to build) before being able to run
`guix shell --allow`.

WDYT?

-- 
Best regards,
Nicolas Graves




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Suhail Singh <suhailsingh247@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <87cyj06g97.fsf@HIDDEN> (Nicolas Graves's message of "Tue, 12
 Nov 2024 08:52:20 +0100")
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
 <87ikstteal.fsf@HIDDEN> <87cyj06g97.fsf@HIDDEN>
Date: Tue, 12 Nov 2024 09:50:50 -0500
Message-ID: <87ttccmrp1.fsf@HIDDEN>
Cc: Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org,
 Suhail Singh <suhailsingh247@HIDDEN>, Andrew Tropin <andrew@HIDDEN>,
 Saku Laesvuori <saku@HIDDEN>

Nicolas Graves <ngraves@HIDDEN> writes:

> My last message to Saku basically agreed to this ;)

Yes, my bad for only noticing that message after having sent mine.
Whoops.

> I'm actually willing to improve that patch series if you have better
> ideas/implementations, I was just building on what I know
> (direnv/.dir-locals.el).

As a direnv and .dir-locals.el user myself, I think there's some utility
in doing things similarly, at least till we come up with a threat model
on which we have some consensus and which motivates us to deviate from
the norm.

> Maybe we should only allow to automatically run when the manifest is
> able to build without network access in container mode.

I was under the impression that the build phase in guix is always
containerized and without network access.  Could you please elaborate on
this?

> Or include things like automatic git commit authentication on such
> allowed repositories.  But I'm not sure if they are convenient or easy
> to implement, or make sense.

While valuable, I believe if we do provide this, it should only be done
in a manner that the user is able to disable if/as needed.

-- 
Suhail




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Suhail Singh <suhailsingh247@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <87ikstteal.fsf@HIDDEN>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
 <87ikstteal.fsf@HIDDEN>
Date: Tue, 12 Nov 2024 08:52:20 +0100
Message-ID: <87cyj06g97.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org, Saku Laesvuori <saku@HIDDEN>,
 Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>,
 Andrew Tropin <andrew@HIDDEN>

On 2024-11-11 20:46, Suhail Singh wrote:

> Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN> writes:
>
>> Anyway, I am not opposed to this change. The only effects for my use
>> cases are positive (nicer UI with the --allow flag). I just want to
>> point out that I don't think this makes any attacks significantly
>> harder.
>
> FWIW, this summarizes my belief as well.  I do see some improvements in
> convenience, but the threat model where this improves security (threat
> actor has access to the repository, but the files are such that the
> threat actor isn't able to modify their semantics without first
> modifying the files) seems contrived.  Am I mistaken?
>
> If not, while I don't have objections to the change (and do believe it
> has some value), I do have reservations about claiming security
> benefits.

My last message to Saku basically agreed to this ;)

I still think it improves it for my specific use-case and for the
addition of explicit user agreement to load code exterior to
manifest/guix.scm in the case this file is trusted but compromised.

But I agree the first message was probably too focussed on marginal
security improvements and we shouldn't sell a false promise that could
make people less careful.

I'm actually willing to improve that patch series if you have better
ideas/implementations, I was just building on what I know
(direnv/.dir-locals.el). Maybe we should only allow to automatically run
when the manifest is able to build without network access in container
mode. Or include things like automatic git commit authentication on such
allowed repositories.  But I'm not sure if they are convenient or easy
to implement, or make sense.

-- 
Best regards,
Nicolas Graves
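The two ideas Nicolas raises here, and spells out in his 17:49 reply at the top of this section (borrow the direnv/.dir-locals.el model, and only record a `guix shell --allow` once the manifest has been evaluated in a container without network access, refusing with a warning otherwise), fit together in one mechanism: pin the authorization to the file's content, not just its directory, and gate the recording on a sandboxed check. What follows is an added example, not code from Guix or from this patch series. Assumptions: the JSON allow file and its `shell-authorized-directories.json` name are hypothetical stand-ins for whatever the real record becomes; the fingerprint (sha256 over the resolved path plus the file bytes) is modelled on direnv's scheme, not on anything in Guix; the `guix shell --container --pure --manifest FILE -- true` invocation uses real flags, but today guix evaluates manifest.scm on the host before any container exists, so that command isolates the spawned environment, not the manifest evaluation that Saku's `system*` example abuses. For that reason the check is an injectable callable, and the demo stubs it with a constructed sample manifest so the code runs without guix installed.

```python
"""Content-pinned authorization for directory-local Guix manifests.

Added example, not Guix code.  The allow-file location and JSON layout are
hypothetical; the fingerprint scheme is modelled on direnv's.
"""
import hashlib
import json
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict


def manifest_fingerprint(manifest: Path) -> str:
    """sha256 over the resolved path, a newline, and the file's bytes.

    Editing the file or moving it to another directory changes the value,
    so an authorization given to one version does not carry over to a
    later, possibly compromised, version.
    """
    digest = hashlib.sha256()
    digest.update(str(manifest.resolve()).encode())
    digest.update(b"\n")
    digest.update(manifest.read_bytes())
    return digest.hexdigest()


def read_allow_list(allow_file: Path) -> Dict[str, str]:
    """Map of resolved manifest path -> fingerprint; no file means empty."""
    if not allow_file.exists():
        return {}
    return json.loads(allow_file.read_text())


def write_allow_list(allow_file: Path, entries: Dict[str, str]) -> None:
    allow_file.parent.mkdir(parents=True, exist_ok=True)
    allow_file.write_text(json.dumps(entries, indent=2, sort_keys=True))


def is_allowed(manifest: Path, allow_file: Path) -> bool:
    """True only if a record exists AND it matches the file as it is now."""
    recorded = read_allow_list(allow_file).get(str(manifest.resolve()))
    return recorded is not None and recorded == manifest_fingerprint(manifest)


def guix_container_check(manifest: Path) -> bool:
    """Build the manifest's environment in a Guix container (no network
    unless --network is passed) and run a no-op inside it.

    Caveat: guix evaluates manifest.scm on the host before the container
    is created, so this isolates the resulting shell, not the evaluation.
    """
    result = subprocess.run(
        ["guix", "shell", "--container", "--pure",
         "--manifest", str(manifest), "--", "true"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def allow(manifest: Path, allow_file: Path,
          check: Callable[[Path], bool] = guix_container_check) -> bool:
    """Record the authorization only if CHECK passes; return whether recorded."""
    if not check(manifest):
        return False
    entries = read_allow_list(allow_file)
    entries[str(manifest.resolve())] = manifest_fingerprint(manifest)
    write_allow_list(allow_file, entries)
    return True


def run_demo() -> Dict[str, bool]:
    """Exercise the flow on a constructed manifest in a temporary directory.

    The sandbox check is stubbed (always pass / always fail) so this runs
    without guix installed; each entry is True when behaviour is as intended.
    """
    with tempfile.TemporaryDirectory() as tmp:
        manifest = Path(tmp) / "manifest.scm"
        allow_file = Path(tmp) / "shell-authorized-directories.json"  # hypothetical
        # Constructed sample manifest, harmless.
        manifest.write_text('(specifications->manifest (list "hello"))\n')
        results = {}
        results["unknown_file_denied"] = not is_allowed(manifest, allow_file)
        results["recorded_after_check"] = allow(manifest, allow_file, check=lambda _: True)
        results["same_content_allowed"] = is_allowed(manifest, allow_file)
        # A "trusted but compromised" edit: same path, new content.
        manifest.write_text('(system* "touch" "/tmp/pwned")\n'
                            '(specifications->manifest (list "hello"))\n')
        results["edited_file_denied"] = not is_allowed(manifest, allow_file)
        results["failed_check_not_recorded"] = not allow(manifest, allow_file, check=lambda _: False)
        results["still_denied_after_failed_check"] = not is_allowed(manifest, allow_file)
        return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The edited-file case is the one a directory-only record misses: the path still matches, but the content hash no longer does, so the user is asked again instead of the modified manifest being loaded silently. The failed-check case shows the gate Nicolas describes: nothing is written unless the sandboxed evaluation succeeded, which also means `guix shell --container` must have built everything before `--allow` can be recorded.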




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Suhail Singh <suhailsingh247@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <87ikstteal.fsf@HIDDEN>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
 <87ikstteal.fsf@HIDDEN>
Date: Tue, 12 Nov 2024 08:52:20 +0100
Message-ID: <87cyj06g97.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org, Saku Laesvuori <saku@HIDDEN>,
 Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>,
 Andrew Tropin <andrew@HIDDEN>

On 2024-11-11 20:46, Suhail Singh wrote:

> Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN> writes:
>
>> Anyway, I am not opposed to this change. The only effects for my use
>> cases are positive (nicer UI with the --allow flag). I just want to
>> point out that I don't think this makes any attacks significantly
>> harder.
>
> FWIW, this summarizes my belief as well.  I do see some improvements in
> convenience, but the threat model where this improves security (threat
> actor has access to the repository, but the files are such that the
> threat actor isn't able to modify their semantics without first
> modifying the files) seems contrived.  Am I mistaken?
>
> If not, while I don't have objections to the change (and do believe it
> has some value), I do have reservations about claiming security
> benefits.

My last message to Saku basically agreed to this ;)

I still think it improves it for my specific use-case and for the
addition of explicit user agreement to load code exterior to
manifest/guix.scm in the case this file is trusted but compromised.

But I agree the first message was probably too focussed on marginal
security improvements and we shouldn't sell a false promise that could
make people less careful.

I'm actually willing to improve that patch series if you have better
ideas/implementations; I was just building on what I know
(direnv/.dir-locals.el). Maybe we should only allow automatic runs
when the manifest is able to build without network access in container
mode. Or include things like automatic git commit authentication on such
allowed repositories.  But I'm not sure if they are convenient or easy
to implement, or make sense.

-- 
Best regards,
Nicolas Graves




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Suhail Singh <suhailsingh247@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
 (Saku Laesvuori via Bug reports for's message of "Mon, 11 Nov 2024
 09:54:22 +0200")
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
Date: Mon, 11 Nov 2024 20:46:10 -0500
Message-ID: <87ikstteal.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org, Saku Laesvuori <saku@HIDDEN>,
 Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN>,
 Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>,
 Andrew Tropin <andrew@HIDDEN>

Saku Laesvuori via Bug reports for GNU Guix <bug-guix@HIDDEN> writes:

> Anyway, I am not opposed to this change. The only effects for my use
> cases are positive (nicer UI with the --allow flag). I just want to
> point out that I don't think this makes any attacks significantly
> harder.

FWIW, this summarizes my belief as well.  I do see some improvements in
convenience, but the threat model where this improves security (threat
actor has access to the repository, but the files are such that the
threat actor isn't able to modify their semantics without first
modifying the files) seems contrived.  Am I mistaken?

If not, while I don't have objections to the change (and do believe it
has some value), I do have reservations about claiming security
benefits.

-- 
Suhail







Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Saku Laesvuori <saku@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
 <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
Date: Mon, 11 Nov 2024 11:40:14 +0100
Message-ID: <87zfm65a0h.fsf@HIDDEN>
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org,
 Andrew Tropin <andrew@HIDDEN>

On 2024-11-11 09:54, Saku Laesvuori wrote:

> Is it common to source other files from direnv or do people normally
> just set environment variables and run programs from system PATH? If
> sourcing other files is very rare with direnv and very common with guix
> shell, comparing the security models is not as useful. I have never used
> direnv, so I don't know. Maybe it is also often used to source
> semitrusted files.

In the Nix/Guix space, I guess it's pretty common.  At least I do use it
this way (if I need environment variables for emacs or git to behave as
intended in a project for instance).  Outside these projects it makes
less sense, but I think it's where it's most used.

One example from my resources directory which requires some env
variables for a git hook to run properly:

# Resolve the interpreter from an ad-hoc guix shell profile (run from /tmp,
# outside the project directory); the profile root is the first four path
# components of $PYTHON (/gnu/store/...-profile).
export PYTHON="$(cd /tmp && guix shell python-wrapper python-tree-sitter python-pygit2 tree-sitter-bibtex -- which python)"
export PYTHONPATH="$(echo "$PYTHON" | cut -d/ -f-4)/lib/python$("$PYTHON" -V | cut -d' ' -f2 | cut -d. -f-2)/site-packages"
export TREE_SITTER_BIBTEX_PATH="$(echo "$PYTHON" | cut -d/ -f-4)/lib/tree-sitter/libtree-sitter-bibtex.so"

>> I guess there are two use-cases :
>> 1) scheme development with guix.scm loading local changes: Indeed this
>> change is not really improving security, but neither is it harmful.
>
> This case is a bit broader than just scheme but yes, the change does not
> really have an impact here. The projects I refered to are mostly written
> in Haskell. I load the package definitions from other files to
> guix.scm/manifest.scm just to make the repositories work cleanly as Guix
> channels.
>
>> 2) custom manifest.scm in non-scheme projects (my use-case): Often in
>> this case you would only change your manifest.scm, and it indeed
>> increases security (the alternative would have been to automatically add
>> the -m manifest.scm option but I'm not feeling secure with this
>> alternative).
>> More on my use-case: https://lists.sr.ht/~abcdw/rde-devel/patches/54944
>
> Yes, but only slightly, I think. Because loading code from other files
> is normal with guix manifests (see above), an attacker would first
> refactor the repository into a guix channel to introduce loading from
> another file in a non-suspicious way and only after that include the
> malicious code.

Agreed.  The user has to accept the introduction of loading from
another file though, and this is what is better in this system IMO.  In my
use-case, transforming into a guix channel wouldn't make sense.

> Anyway, I am not opposed to this change. The only effects for my use
> cases are positive (nicer UI with the --allow flag). I just want to
> point out that I don't think this makes any attacks significantly
> harder.

Agreed on the significantly.  Let's just not give a false security
guarantee in the commit/news/manual, the user still has to be careful.

-- 
Best regards,
Nicolas Graves




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


Date: Mon, 11 Nov 2024 09:54:22 +0200
From: Saku Laesvuori <saku@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Message-ID: <ewiboqbunbrh7ko3gztzbit56ijozomz2grgk4mhxuaudsjpcb@zelonmrn54os>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
 <87bjyn1ga7.fsf@HIDDEN>
In-Reply-To: <87bjyn1ga7.fsf@HIDDEN>
Cc: Ludovic =?utf-8?Q?Court=C3=A8s?= <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org,
 Andrew Tropin <andrew@HIDDEN>


> > I do agree that it seems more convenient to run `guix shell --allow`
> > than copy a rather long line from the hint and run it to append a line
> > to shell-authorized-directories.
> >
> > Authorizing files instead of directories does not seem that great of an
> > idea to me. I doubt it really improves security that much. For example,
> > all my projects have a .guix/modules/xxx-package.scm file that contains
> > the package definition and guix.scm just loads it from that file.
> > Malicious code could be added here without touching the guix.scm file at
> > all, so the file-based authorization would not notice it.
> >
> > So this would only increase security when guix.scm does not refer to any
> > other files in the untrusted directory. Here it might get quite annoying
> > to re-authorize the directory every time someone changes the
> > version number.
>
> Thanks for your feedback Saku.
>
> Indeed, it only increases security for revisions of guix.scm and
> manifest.scm, not the repository as a whole.  But I think it's the exact
> same problematic for tools like direnv (same approach as here) or even
> emacs .dir-locals.el (which checks the last modified time of this file
> IIRC).  They can't vouch for the whole repository, but they can
> guarantee that the user explicitly accepted to run a guix.scm or
> manifest.scm (respectively a .envrc or .dir-locals.el) that depends on
> other files in the repo (that was not a guarantee previously, you could
> accept to run a manifest.scm before it depends on files in the repo).

Is it common to source other files from direnv or do people normally
just set environment variables and run programs from system PATH? If
sourcing other files is very rare with direnv and very common with guix
shell, comparing the security models is not as useful. I have never used
direnv, so I don't know. Maybe it is also often used to source
semitrusted files.

> I guess there are two use-cases :
> 1) scheme development with guix.scm loading local changes: Indeed this
> change is not really improving security, but neither is it harmful.

This case is a bit broader than just scheme but yes, the change does not
really have an impact here. The projects I referred to are mostly written
in Haskell. I load the package definitions from other files to
guix.scm/manifest.scm just to make the repositories work cleanly as Guix
channels.

> 2) custom manifest.scm in non-scheme projects (my use-case): Often in
> this case you would only change your manifest.scm, and it indeed
> increases security (the alternative would have been to automatically add
> the -m manifest.scm option but I'm not feeling secure with this
> alternative).
> More on my use-case: https://lists.sr.ht/~abcdw/rde-devel/patches/54944

Yes, but only slightly, I think. Because loading code from other files
is normal with guix manifests (see above), an attacker would first
refactor the repository into a guix channel to introduce loading from
another file in a non-suspicious way and only after that include the
malicious code.

> > Thus it seems that file-based authorization will only catch
> > false-positives. At least I would refactor my repository to a guix
> > channel and load the packages from there with guix.scm to bypass this
> > security mechanism before adding any malicious code.
> >
> > Hashing the entire untrusted directory could work, but I'm not sure
> > would that have acceptable performance in larger cases.
>
> Another option could be to add the expected output path of the guix
> shell invocation in the hash?  This could be simpler than hashing the
> whole directory.

That would only secure the shell environment, but the manifest could
still contain something like

```scheme
(system* "rm -rf $HOME")
(specifications->manifest (list "hello"))
```

where the environment is safe but loading it causes bad side
effects.

> Although I'm not sure this is convenient for neither use-cases.
> Validation with guix shell --allow for every code change is not
> convenient.

That too.

Anyway, I am not opposed to this change. The only effects for my use
cases are positive (nicer UI with the --allow flag). I just want to
point out that I don't think this makes any attacks significantly
harder.

- Saku


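To make the file-hash versus tree-hash comparison in the two messages above concrete, here is an added example in Python (not code from the patch series or from anyone in this thread): it models the three authorization granularities the thread compares and shows which of them notice a change to a module that guix.scm loads. The repository layout, the `.guix/modules/hello-package.scm` name (taken from Saku's description), the direnv-style content hash and the in-memory trust store are assumptions for illustration.

```python
# Added illustration, not the patch series' code: a guix.scm that loads a
# sibling module, an in-memory stand-in for shell-authorized-directories and a
# direnv-style content hash. File names and layout are constructed.
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "guix.scm"
MODULE_REL = Path(".guix") / "modules" / "hello-package.scm"

# Constructed file contents; the package definition is only a placeholder.
GUIX_SCM = (
    '(load ".guix/modules/hello-package.scm")\n'
    '(specifications->manifest (list "hello"))\n'
)
MODULE_V1 = '(define-public hello (package (name "hello") (version "2.12")))\n'
# A later revision of the loaded module: the manifest it yields is the same,
# but a top-level form now runs whenever the file is loaded.
MODULE_V2 = MODULE_V1 + '(system* "echo" "runs at load time")\n'


def make_repo(root: Path) -> None:
    """Write the constructed repository under root."""
    (root / MANIFEST_NAME).write_text(GUIX_SCM)
    module = root / MODULE_REL
    module.parent.mkdir(parents=True, exist_ok=True)
    module.write_text(MODULE_V1)


def file_digest(path: Path) -> str:
    """SHA-256 of a single file, as direnv does for .envrc."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def tree_digest(root: Path) -> str:
    """SHA-256 over every regular file below root, in sorted path order.
    Path and bytes are length-prefixed so moving content between files
    changes the digest; cost grows with the tree (the concern in the thread)."""
    h = hashlib.sha256()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


class TrustStore:
    """In-memory stand-in for the shell-authorized-directories record."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], str] = {}

    @staticmethod
    def _witness(root: Path, mode: str) -> str:
        """What an authorization pins down under each mode."""
        if mode == "directory":
            # Existing behaviour: only the path is recorded, so any later
            # content in that directory is loaded without a new prompt.
            return ""
        if mode == "file":
            return file_digest(root / MANIFEST_NAME)
        if mode == "tree":
            return tree_digest(root)
        raise ValueError(f"unknown mode {mode!r}")

    def authorize(self, root: Path, mode: str) -> None:
        """Record the user's explicit --allow for root under mode."""
        self._entries[(str(root.resolve()), mode)] = self._witness(root, mode)

    def is_trusted(self, root: Path, mode: str) -> bool:
        """True if root may be loaded again without asking the user."""
        recorded = self._entries.get((str(root.resolve()), mode))
        return recorded is not None and recorded == self._witness(root, mode)


def run_scenarios() -> dict[str, dict[str, bool]]:
    """Authorize once, mutate the repository, re-check every mode.
    Returns {scenario: {mode: still_trusted}}."""
    modes = ("directory", "file", "tree")
    results: dict[str, dict[str, bool]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_repo(root)
        store = TrustStore()
        for mode in modes:
            store.authorize(root, mode)
        results["unchanged"] = {m: store.is_trusted(root, m) for m in modes}

        # The case from the thread: only the module that guix.scm loads changes.
        (root / MODULE_REL).write_text(MODULE_V2)
        results["module_changed"] = {m: store.is_trusted(root, m) for m in modes}

        # The manifest itself changes (a package is added to the list).
        (root / MANIFEST_NAME).write_text(GUIX_SCM.replace('"hello"', '"hello" "git"'))
        results["manifest_changed"] = {m: store.is_trusted(root, m) for m in modes}
    return results
```

Only the `tree` mode drops trust after the loaded module changes, while `file` reacts only to edits of guix.scm itself; and as the `system*` snippet above shows, even a pinned tree only certifies that the user saw that exact content, not that loading it is free of side effects.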



Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Saku Laesvuori <saku@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
 <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
Date: Sun, 10 Nov 2024 12:26:08 +0100
Message-ID: <87bjyn1ga7.fsf@HIDDEN>
Cc: Ludovic Courtès <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org, Andrew Tropin <andrew@HIDDEN>

On 2024-11-10 11:58, Saku Laesvuori wrote:

>
> I do agree that it seems more convenient to run `guix shell --allow`
> than copy a rather long line from the hint and run it to append a line
> to shell-authorized-directories.
>
> Authorizing files instead of directories does not seem that great of an
> idea to me. I doubt it really improves security that much. For example,
> all my projects have a .guix/modules/xxx-package.scm file that contains
> the package definition and guix.scm just loads it from that file.
> Malicious code could be added here without touching the guix.scm file at
> all, so the file-based authorization would not notice it.
>
> So this would only increase security when guix.scm does not refer to any
> other files in the untrusted directory. Here it might get quite annoying
> to re-authorize the directory every time someone changes the
> version number.

Thanks for your feedback Saku.

Indeed, it only increases security for revisions of guix.scm and
manifest.scm, not the repository as a whole.  But I think it's the exact
same problem for tools like direnv (same approach as here) or even
emacs .dir-locals.el (which checks the last modified time of this file
IIRC).  They can't vouch for the whole repository, but they can
guarantee that the user explicitly accepted to run a guix.scm or
manifest.scm (respectively a .envrc or .dir-locals.el) that depends on
other files in the repo (that was not a guarantee previously, you could
accept to run a manifest.scm before it depends on files in the repo).

I guess there are two use-cases:
1) scheme development with guix.scm loading local changes: Indeed this
change is not really improving security, but neither is it harmful.
2) custom manifest.scm in non-scheme projects (my use-case): Often in
this case you would only change your manifest.scm, and it indeed
increases security (the alternative would have been to automatically add
the -m manifest.scm option but I'm not feeling secure with this
alternative).
More on my use-case: https://lists.sr.ht/~abcdw/rde-devel/patches/54944

> Thus it seems that file-based authorization will only catch
> false-positives. At least I would refactor my repository to a guix
> channel and load the packages from there with guix.scm to bypass this
> security mechanism before adding any malicious code.
>
> Hashing the entire untrusted directory could work, but I'm not sure
> whether that would have acceptable performance in larger cases.

Another option could be to add the expected output path of the guix
shell invocation in the hash?  This could be simpler than hashing the
whole directory.

Although I'm not sure this is convenient for either use case.
Validation with guix shell --allow for every code change is not
convenient.

-- 
Best regards,
Nicolas Graves




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix.

Message received at 73166 <at> debbugs.gnu.org:


Date: Sun, 10 Nov 2024 11:58:24 +0200
From: Saku Laesvuori <saku@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Message-ID: <g7otyh2dfhpfj4qpvrg4mxe3pj3ftk6veajuqsl333pi42mpwm@6ptyp5vttqa2>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN> <874j4gpkbn.fsf@HIDDEN>
In-Reply-To: <874j4gpkbn.fsf@HIDDEN>
Cc: Ludovic Courtès <ludo@HIDDEN>, 73166 <at> debbugs.gnu.org, Andrew Tropin <andrew@HIDDEN>

On Sat, Nov 09, 2024 at 03:12:44PM +0100, Nicolas Graves wrote:
> On 2024-09-11 16:11, Nicolas Graves wrote:
>
> >> That option would add a line to ‘shell-autorized-directories’?
> >
> > Yes. Actually I would like to develop a little more after thinking about
> > that.
> >
> > Let's say you git pull code from a guix-shell-authorized repo and the
> > pull includes some potentially harmful / dangerous code.
> >
> > The assumption of direnv is that the user has to allow the code to run
> > again in this case, putting more emphasis on security. This is not the
> > case in Guix, IIRC. I think it should be done in Guix too.
> >
> > Implementing that kind of additional security will indeed need such an
> > option, for this will need to actually include the hash of the file of
> > something like that.
> >
> > It's actually quite simple in direnv, they take a sha256 hash of the
> > absolute filename + the content of the file.
> > (See
> > https://github.com/nicolas-graves/python-direnv/blob/f8f0967a9772f0775ffe75a68d868c75076f5af4/direnv.py#L36)
> > That hash makes a simple file-based database where a file is allowed based
> > not only on its location but on its location+content.
> >
> > We could have two options to interact with such a database :
> > --allow
> > --revoke
>
> Here's a working draft for some code for that.  This is currently able
> to properly allow or deny my direnv-validated directories.  With a
> proper direnv rename, we can almost already replace
> authorized-shell-directory? function.
>
> I feel like this is a far more secure and convenient way to manage
> autorized-directories for guix shell.  WDYT ?

I do agree that it seems more convenient to run `guix shell --allow`
than copy a rather long line from the hint and run it to append a line
to shell-authorized-directories.

Authorizing files instead of directories does not seem that great of an
idea to me. I doubt it really improves security that much. For example,
all my projects have a .guix/modules/xxx-package.scm file that contains
the package definition and guix.scm just loads it from that file.
Malicious code could be added here without touching the guix.scm file at
all, so the file-based authorization would not notice it.

So this would only increase security when guix.scm does not refer to any
other files in the untrusted directory. Here it might get quite annoying
to re-authorize the directory every time someone changes the
version number.

Thus it seems that file-based authorization will only catch
false-positives. At least I would refactor my repository to a guix
channel and load the packages from there with guix.scm to bypass this
security mechanism before adding any malicious code.

Hashing the entire untrusted directory could work, but I'm not sure
whether that would have acceptable performance in larger cases.

- Saku

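To make the scheme concrete, here is an added Python model of the path+content hash database described in the quoted message above (the Scheme patch further down this page implements the same idea); it is example code, not Guix's or python-direnv's, and the repository layout, file names and the `PermissionDB`/`demo` helpers are constructed for the illustration. It also reproduces the objection raised in the reply: the check stays green after a file that guix.scm loads has changed.

```python
"""Direnv-style allow/deny database for guix.scm / manifest.scm.

Added example (not Guix's code): models the patch's shell-file-hash,
shell-permission and database-do! procedures in Python and then
reproduces the thread's objection, namely that the hash covers only
the entry file, not the files it loads."""
import hashlib
import os
import tempfile
from pathlib import Path


def shell_file_hash(path):
    """sha256 over canonical absolute path + newline + file content, as
    python-direnv and the patch do (hashed as raw bytes here, not text)."""
    abs_path = os.path.realpath(path)
    with open(abs_path, "rb") as f:
        content = f.read()
    return hashlib.sha256(abs_path.encode() + b"\n" + content).hexdigest()


class PermissionDB:
    """<data_dir>/shell/{allow,deny}/<hash> files whose content is the path."""

    def __init__(self, data_dir):
        self.root = Path(data_dir) / "shell"
        for kind in ("allow", "deny"):
            (self.root / kind).mkdir(parents=True, exist_ok=True)

    def _entry_matches(self, kind, file_hash, abs_path):
        entry = self.root / kind / file_hash
        return entry.exists() and entry.read_text().rstrip() == abs_path

    def permission(self, path):
        """Return ('allow' | 'deny' | 'unknown', hash), or (None, None) when
        the file cannot be read.  'deny' is checked first, as in the patch."""
        try:
            file_hash = shell_file_hash(path)
        except OSError:
            return None, None
        abs_path = os.path.realpath(path)
        for kind in ("deny", "allow"):
            if self._entry_matches(kind, file_hash, abs_path):
                return kind, file_hash
        return "unknown", file_hash

    def set_permission(self, target, path):
        """Record TARGET ('allow' or 'deny') for PATH at its current content;
        returns 'already' or 'changed'."""
        if target not in ("allow", "deny"):
            raise ValueError(target)
        current, file_hash = self.permission(path)
        if current is None:
            raise FileNotFoundError(path)
        if current == target:
            return "already"
        (self.root / target / file_hash).write_text(os.path.realpath(path))
        if current != "unknown":  # move the entry out of the opposite bucket
            (self.root / current / file_hash).unlink()
        return "changed"

    def authorized(self, path):
        return self.permission(path)[0] == "allow"


def demo():
    """Constructed scenario: a repo whose guix.scm loads a module file."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        module = repo / ".guix" / "modules" / "foo-package.scm"
        module.parent.mkdir(parents=True)
        module.write_text("(define-public foo 'v1)\n")
        guix_scm = repo / "guix.scm"
        guix_scm.write_text('(load ".guix/modules/foo-package.scm")\nfoo\n')
        db = PermissionDB(Path(tmp) / "data")

        results = {"fresh": db.authorized(guix_scm)}
        db.set_permission("allow", guix_scm)
        results["after_allow"] = db.authorized(guix_scm)
        results["allow_again"] = db.set_permission("allow", guix_scm)
        # A change in the *loaded* file is invisible to the hash: still allowed.
        module.write_text("(define-public foo 'v2)\n")
        results["after_module_edit"] = db.authorized(guix_scm)
        # A change in guix.scm itself invalidates the entry (new hash).
        guix_scm.write_text(guix_scm.read_text() + ";; version bump\n")
        results["after_entry_edit"] = db.authorized(guix_scm)
        db.set_permission("deny", guix_scm)
        results["after_deny"] = db.permission(guix_scm)[0]
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```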




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: 73166 <at> debbugs.gnu.org
Subject: [PATCH] shell: Rewrite authorized directories management.
Date: Sat,  9 Nov 2024 22:33:42 +0100
Message-ID: <20241109213346.5261-1-ngraves@HIDDEN>
Cc: ludo@HIDDEN, Nicolas Graves <ngraves@HIDDEN>, andrew@HIDDEN

Let's say you pull code with a malicious change in guix.scm or
manifest.scm from a repo authorized by guix shell.  guix shell would
continue to trust it.  This commit rewrites the way guix shell allow
model works, by taking inspiration (literally doing the exact same
thing) from the direnv security model.

It adds the options
  guix shell --allow
  guix shell --deny

Previous allowed directories will be lost, but will continue to work
with guix time-machine.

* guix/utils.scm (data-directory): Add variable.
* guix/scripts/shell.scm
(show-help, %options, auto-detect-manifest): Add options --allow and
--deny.
(shell-file-hash, shell-permission, database-do!): Add variables.
(authorized-directory-file): Remove variable.
(authorized-shell-directory): Rewrite and rename procedure...
(authorized-shell-file): ...to this variable.
(guix-shell): Properly dispatch allow and deny options.
* tests/guix-shell.scm: Adapt tests.
---
 guix/scripts/shell.scm | 140 +++++++++++++++++++++++++++++------------
 guix/utils.scm         |   4 ++
 tests/guix-shell.sh    |   5 +-
 3 files changed, 106 insertions(+), 43 deletions(-)

diff --git a/guix/scripts/shell.scm b/guix/scripts/shell.scm
index d23362a15d..85794745d4 100644
--- a/guix/scripts/shell.scm
+++ b/guix/scripts/shell.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2021-2024 Ludovic Courtès <ludo@HIDDEN>
 ;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@HIDDEN>
+;;; Copyright © 2024 Nicolas Graves <ngraves@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -39,7 +40,7 @@ (define-module (guix scripts shell)
   #:autoload   (ice-9 rdelim) (read-line)
   #:autoload   (guix base32) (bytevector->base32-string)
   #:autoload   (rnrs bytevectors) (string->utf8)
-  #:autoload   (guix utils) (config-directory cache-directory)
+  #:autoload   (guix utils) (cache-directory data-directory)
   #:autoload   (guix describe) (current-channels)
   #:autoload   (guix channels) (channel-commit)
   #:autoload   (gcrypt hash) (sha256)
@@ -47,6 +48,9 @@ (define-module (guix scripts shell)
   #:use-module (guix cache)
   #:use-module ((ice-9 ftw) #:select (scandir))
   #:autoload   (ice-9 pretty-print) (pretty-print)
+  #:autoload   (ice-9 textual-ports) (get-string-all)
+  #:autoload   (gcrypt hash) (port-sha256)
+  #:autoload   (guix rpm) (bytevector->hex-string)
   #:autoload   (gnu packages) (cache-is-authoritative?
                                package-unique-version-prefix
                                specification->package
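Review bot: `(gcrypt hash)` is already autoloaded a few lines above for `sha256`, so `port-sha256` belongs in that existing clause rather than in a second `#:autoload` of the same module. Importing `bytevector->hex-string` from `(guix rpm)` makes the shell command depend on the RPM packer module for a generic helper; `bytevector->base32-string` from `(guix base32)`, already autoloaded here, would name the database entries just as well, or the hex helper could move to `(guix utils)`.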
@@ -75,6 +79,10 @@ (define (show-help)
   (display (G_ "
   -F, --emulate-fhs      for containers, emulate the Filesystem Hierarchy
                          Standard (FHS)"))
+  (display (G_ "
+      --allow            allow automatic loading of 'guix.scm' and 'manifest.scm'"))
+  (display (G_ "
+      --deny             revoke automatic loading of 'guix.scm' and 'manifest.scm'"))
 
   (show-environment-options-help)
   (newline)
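Review bot: the help strings promise that `--allow` permits loading of both 'guix.scm' and 'manifest.scm', but the dispatch added to `guix-shell` records a single file (the one passed with `-m`, or the first of `manifest.scm`/`guix.scm` found) and ties the authorization to that file's current content. Word it as authorizing the current 'manifest.scm' or 'guix.scm' and say that it must be rerun after the file changes. The diffstat also lists no manual update for the two new options; `doc/guix.texi` should document them.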
@@ -149,7 +157,13 @@ (define %options
 
               (option '(#\F "emulate-fhs") #f #f
                       (lambda (opt name arg result)
-                        (alist-cons 'emulate-fhs? #t result))))
+                        (alist-cons 'emulate-fhs? #t result)))
+              (option '("allow") #f #f
+                      (lambda (opt name arg result)
+                        (alist-cons 'allow "allow" result)))
+              (option '("deny") #f #f
+                      (lambda (opt name arg result)
+                        (alist-cons 'deny "deny" result))))
         (filter-map (lambda (opt)
                       (and (not (any (lambda (name)
                                        (member name to-remove))
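Review bot: the handlers store the strings "allow"/"deny", which `guix-shell` later turns back into symbols with `string->symbol` before calling `database-do!`. Storing the symbol directly (`(alist-cons 'allow 'allow result)`), or better a single key such as `'permission` holding `'allow` or `'deny`, removes the round-trip and gives one place to detect and reject `--allow --deny` on the same command line.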
@@ -189,6 +203,68 @@ (define (handle-argument arg result)
           (("--") opts)
           (("--" command ...) (alist-cons 'exec command opts))))))))
 
+(define (shell-file-hash file)
+  "Returns a unique hash for FILE."
+  (let* ((abs-path (canonicalize-path file))
+         (content (call-with-input-file abs-path get-string-all)))
+    (call-with-input-string (string-append abs-path "\n" content)
+      (compose bytevector->hex-string port-sha256))))
+
+(define (shell-permission path)
+  "Returns the current permission of file at PATH ('allow, 'deny or 'unknown)
+and its file-hash."
+  (define (is-valid? file-path)
+    (and (file-exists? file-path)
+         (string=? (string-trim-right
+                    (call-with-input-file file-path get-string-all))
+                   (canonicalize-path path))))
+  (catch 'system-error
+    (lambda ()
+      (let* ((file-hash (shell-file-hash path))
+             (database (string-append (data-directory) "/shell/")))
+        (cond
+         ((is-valid? (string-append database "deny/" file-hash))
+          (values 'deny file-hash))
+         ((is-valid? (string-append database "allow/" file-hash))
+          (values 'allow file-hash))
+         (else
+          (values 'unknown file-hash)))))
+    (const (values #f #f))))
+
+(define (database-do! target-type path)
+  "Allows or revokes (depending on TARGET-TYPE value) guix shell automatic
+loading for the file at PATH."
+  (let ((type file-hash (shell-permission path))
+        (origin-type (match target-type
+                       ('allow 'deny)
+                       ('deny  'allow)))
+        (database (string-append (data-directory) "/shell/")))
+    (unless (file-exists? (string-append database "/allow/"))
+      (mkdir-p (string-append database "/allow/"))
+      (mkdir-p (string-append database "/deny/")))
+    (match type
+      ((? (cut eq? origin-type <>))
+       (let ((old-file (string-append
+                        database (symbol->string origin-type) "/" file-hash)))
+         (copy-file
+          old-file
+          (string-append database (symbol->string target-type) "/" file-hash))
+         (delete-file old-file)
+         (match target-type
+           ('allow (info (G_ "'~a' allowed!~%") path))
+           ('deny (info (G_ "'~a' denied!~%") path)))))
+      ((? (cut eq? target-type <>))
+       (match target-type
+         ('allow (info (G_ "'~a' is already allowed!~%") path))
+         ('deny (info (G_ "'~a' is already denied!~%") path))))
+      ('unknown
+       (call-with-output-file
+           (string-append database (symbol->string target-type) "/" file-hash)
+         (cut display (canonicalize-path path) <>))
+       (match target-type
+         ('allow (info (G_ "'~a' allowed!~%") path))
+         ('deny (info (G_ "'~a' denied!~%") path)))))))
+
 (define (find-file-in-parent-directories candidates)
   "Find one of CANDIDATES in the current directory or one of its ancestors."
   (define start (getcwd))
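Review bot: the error handler `(const (values #f #f))` in `shell-permission` does not hand two values back to the caller: `const` captures a single value, so the two-variable `let` in `database-do!` (`(let ((type file-hash (shell-permission path))) ...)`) fails on a missing or unreadable file. Use `(lambda _ (values #f #f))` instead, and note that the two-variable `let` is SRFI-71 syntax, so `(srfi srfi-71)` must be among the module's imports (none of the visible header hunks add it). Related: the `(match type ...)` in `database-do!` has no clause for the `#f` case, so an unreadable file surfaces as a match error rather than a `report-error`; `shell-file-hash` decodes the file with `get-string-all`, so a non-UTF-8 file raises a decoding error that `catch 'system-error` does not cover, where hashing the raw bytes would be both safer and faster; and `database` already ends in "/shell/" while the `mkdir-p` calls append "/allow/", giving doubled slashes that differ from the "allow/" spelling used in `shell-permission`.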
@@ -205,39 +281,9 @@ (define device (stat:dev (stat start)))
                (and (not (string=? directory "/"))
                     (loop (dirname directory)))))))) ;lexical ".." resolution
 
-(define (authorized-directory-file)
-  "Return the name of the file listing directories for which 'guix shell' may
-automatically load 'guix.scm' or 'manifest.scm' files."
-  (string-append (config-directory) "/shell-authorized-directories"))
-
-(define (authorized-shell-directory? directory)
-  "Return true if DIRECTORY is among the authorized directories for automatic
-loading.  The list of authorized directories is read from
-'authorized-directory-file'; each line must be either: an absolute file name,
-a hash-prefixed comment, or a blank line."
-  (catch 'system-error
-    (lambda ()
-      (call-with-input-file (authorized-directory-file)
-        (lambda (port)
-          (let loop ()
-            (match (read-line port)
-              ((? eof-object?) #f)
-              ((= string-trim line)
-               (cond ((string-prefix? "#" line)   ;comment
-                      (loop))
-                     ((string-prefix? "/" line)   ;absolute file name
-                      (or (string=? line directory)
-                          (loop)))
-                     ((string-null? (string-trim-right line)) ;blank line
-                      (loop))
-                     (else                        ;bogus line
-                      (let ((loc (location (port-filename port)
-                                           (port-line port)
-                                           (port-column port))))
-                        (warning loc (G_ "ignoring invalid file name: '~a'~%")
-                                 line)
-                        (loop))))))))))
-    (const #f)))
+(define (authorized-shell-file? file)
+  "Return true if FILE is among the authorized files for automatic loading."
+  (and=> (shell-permission file) (cut eq? 'allow <>)))
 
 (define (options-with-caching opts)
   "If OPTS contains only options that allow us to compute a cache key,
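Review bot: `authorized-shell-file?` feeds the two-valued result of `shell-permission` into `and=>`, which takes one argument; this only works because Guile silently drops the extra value. Make the intent explicit, e.g. `(let ((type hash (shell-permission file))) (eq? type 'allow))` or `receive`. With the line-based parser removed, check whether the `(ice-9 rdelim) (read-line)` autoload and the `location`/`warning` uses it needed are still referenced elsewhere in the file, and drop them if not.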
@@ -292,6 +338,8 @@ (define disallow-implicit-load?
 
   (if (or (not interactive?)
           disallow-implicit-load?
+          (assoc-ref opts 'allow)
+          (assoc-ref opts 'deny)
           (options-contain-payload? opts))
       opts
       (match (find-file-in-parent-directories '("manifest.scm" "guix.scm"))
@@ -299,7 +347,7 @@ (define disallow-implicit-load?
          (warning (G_ "no packages specified; creating an empty environment~%"))
          opts)
         (file
-         (if (authorized-shell-directory? (dirname file))
+         (if (authorized-shell-file? file)
              (begin
                (info (G_ "loading environment from '~a'...~%") file)
                (match (basename file)
@@ -314,11 +362,9 @@ (define disallow-implicit-load?
 directory, like so:
 
 @example
-echo ~a >> ~a
+guix shell --allow
 @end example\n")
-                             file
-                             (dirname file)
-                             (authorized-directory-file))
+                             file)
                (exit 1)))))))
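Review bot: the hint's surrounding text still reads "... directory, like so:" (see the context at the top of this hunk) while the mechanism now authorizes a single file by content; reword it to name the file whose content is being trusted. The format call now receives only `file` where it previously received three arguments, so double-check that the remaining `~a` directives in the (not shown) head of the message match.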
 
 
@@ -596,4 +642,16 @@ (define interactive?
 
     (if (assoc-ref opts 'export-manifest?)
         (export-manifest opts (current-output-port))
-        (guix-environment* opts))))
+        (match (or (assoc-ref opts 'allow) (assoc-ref opts 'deny))
+          (#f
+           (guix-environment* opts))
+          (command
+           (match (or (assoc-ref opts 'manifest)
+                      (find-file-in-parent-directories
+                       '("manifest.scm" "guix.scm")))
+             (#f
+              (report-error
+               (G_ "no 'manifest.scm' or 'guix.scm' file to ~a~%") command)
+              (exit 1))
+             (file
+              (database-do! (string->symbol command) file))))))))
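Review bot: `(or (assoc-ref opts 'allow) (assoc-ref opts 'deny))` silently picks `allow` when both flags are given; reject the combination with `leave` before dispatching. Since the target is `(assoc-ref opts 'manifest)` or the first of `manifest.scm`/`guix.scm` found by walking up from the current directory, `guix shell --allow` run in a subdirectory authorizes a file in an ancestor directory; that is consistent with the implicit-load lookup but worth stating in the manual and in the `info` message.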
diff --git a/guix/utils.scm b/guix/utils.scm
index f161cb4ef3..51af0435e5 100644
--- a/guix/utils.scm
+++ b/guix/utils.scm
@@ -141,6 +141,7 @@ (define-module (guix utils)
 
             config-directory
             cache-directory
+            data-directory
 
             readlink*
             go-to-location
@@ -1049,6 +1050,9 @@ (define config-directory
 (define cache-directory
   (cut xdg-directory "XDG_CACHE_HOME" "/.cache" <...>))
 
+(define data-directory
+  (cut xdg-directory "XDG_DATA_HOME" "/.local/share" <...>))
+
 (define (readlink* file)
   "Call 'readlink' until the result is not a symlink."
   (define %max-symlink-depth 50)
diff --git a/tests/guix-shell.sh b/tests/guix-shell.sh
index b2f820bf26..0606febd91 100644
--- a/tests/guix-shell.sh
+++ b/tests/guix-shell.sh
@@ -60,7 +60,7 @@ grep "not authorized" "$tmpdir/stderr"
 rm "$tmpdir/stderr"
 
 # Authorize the directory.
-echo "$(realpath "$tmpdir")" > "$configdir/guix/shell-authorized-directories"
+(cd "$tmpdir"; guix shell --allow)
 
 # Ignoring 'manifest.scm' and 'guix.scm' in non-interactive use.
 (cd "$tmpdir"; guix shell --bootstrap -- true)
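Review bot: the old test wrote the authorization under `$configdir`, which the script controls; the new `guix shell --allow` writes under `(data-directory)`, i.e. below `$XDG_DATA_HOME` (default `~/.local/share`). Unless the script also exports `XDG_DATA_HOME` to a temporary location, the test reads and modifies the developer's real allow database and may pass or fail depending on earlier runs.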
@@ -78,6 +78,7 @@ cat > "$tmpdir/fake-shell.sh" <<EOF
 exec echo "\$GUIX_ENVIRONMENT"
 EOF
 chmod +x "$tmpdir/fake-shell.sh"
+(cd "$tmpdir"; SHELL="$(realpath fake-shell.sh)" guix shell --allow)
 profile1="$(cd "$tmpdir"; SHELL="$(realpath fake-shell.sh)" guix shell --bootstrap)"
 profile2="$(guix shell --bootstrap guile-bootstrap -- "$SHELL" -c 'echo $GUIX_ENVIRONMENT')"
 test -n "$profile1"
@@ -157,7 +158,7 @@ then
 
     # Honoring the local 'guix.scm' file.
     echo '(@ (guix tests) gnu-make-for-tests)' > "$tmpdir/guix.scm"
-    (cd "$tmpdir"; guix shell --bootstrap --search-paths --pure > "b")
+    (cd "$tmpdir"; guix shell --allow; guix shell --bootstrap --search-paths --pure > "b")
     cmp "$tmpdir/a" "$tmpdir/b"
     rm "$tmpdir/guix.scm"
 fi
-- 
2.46.0





Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
In-Reply-To: <87mske8emf.fsf@HIDDEN>
References: <877cbjwxs4.fsf@HIDDEN> <87cyla7c0f.fsf@HIDDEN>
 <87mske8emf.fsf@HIDDEN>
Date: Sat, 09 Nov 2024 15:12:44 +0100
Message-ID: <874j4gpkbn.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org, Andrew Tropin <andrew@HIDDEN>

On 2024-09-11 16:11, Nicolas Graves wrote:

>> That option would add a line to ‘shell-autorized-directories’?
>
> Yes. Actually I would like to develop a little more after thinking about
> that.
>
> Let's say you git pull code from a guix-shell-authorized repo and the
> pull includes some potentially harmful / dangerous code.
>
> The assumption of direnv is that the user has to allow the code to run
> again in this case, putting more emphasis on security. This is not the
> case in Guix, IIRC. I think it should be done in Guix too.
>
> Implementing that kind of additional security will indeed need such an
> option, for this will need to actually include the hash of the file of
> something like that.
>
> It's actually quite simple in direnv, they take a sha256 hash of the
> absolute filename + the content of the file.
> (See
> https://github.com/nicolas-graves/python-direnv/blob/f8f0967a9772f0775ffe75a68d868c75076f5af4/direnv.py#L36)
> That hash makes a simple file-based database where a file is allowed based
> not only on its location but on its location+content.
>
> We could have two options to interact with such a database :
> --allow
> --revoke

Here's a working draft for some code for that.  This is currently able
to properly allow or deny my direnv-validated directories.  With a
proper direnv rename, we can almost already replace the
authorized-shell-directory? function.

I feel like this is a far more secure and convenient way to manage
authorized-directories for guix shell.  WDYT?

@Andrew you might also be interested in that given your focus on
per-directory complete dev environments.  Originally I thought of this
while thinking about how insecure patch 3 of
https://lists.sr.ht/~abcdw/rde-devel/patches/54944 was.

I'll probably continue to work on that to bring it to a full reviewable
patch; some input would be greatly appreciated in the meantime!


(use-modules
 (gcrypt hash)
 (guix rpm) ; for bytevector->hex-string
 (guix serialization)
 (srfi srfi-1)
 (srfi srfi-11)
 (srfi srfi-26)
 (srfi srfi-71)
 (ice-9 textual-ports))

;; Key a file by the SHA-256 of its absolute path, a newline and its
;; content, so that a change to either one invalidates any earlier
;; allow/deny decision (the same scheme direnv uses).
(define (direnv-file-hash path)
  (let* ((abs-path (canonicalize-path path))
         (content (call-with-input-file abs-path get-string-all)))
    (call-with-input-string (string-append abs-path "\n" content)
      (cut (compose bytevector->hex-string port-sha256) <>))))

(define (xdg-data-home)
  (or (getenv "XDG_DATA_HOME")
      (string-append (getenv "HOME") "/.local/share")))

;; Return two values: the verdict ('deny, 'allow or 'unknown) and the
;; file hash.  A database entry only counts when it exists and records
;; the same absolute path the hash was computed for.
(define (permissions path)
  (define (is-valid? file-path)
    (and (file-exists? file-path)
         (string=? (string-trim-right
                    (call-with-input-file file-path get-string-all))
                   (canonicalize-path path))))

  (let* ((file-hash (direnv-file-hash path))
         (database-path (string-append (xdg-data-home) "/direnv/")))
    (cond
     ((is-valid? (string-append database-path "deny/" file-hash))
      (values 'deny file-hash))
     ((is-valid? (string-append database-path "allow/" file-hash))
      (values 'allow file-hash))
     (else
      (values 'unknown file-hash)))))

;; SRFI-71 'let' receives both values; only the verdict is needed here.
(define (is-allowed? path)
  (let ((type file-hash (permissions path)))
    (eq? 'allow type)))

(define (is-denied? path)
  (let ((type file-hash (permissions path)))
    (eq? 'deny type)))

(define (allow-or-deny! path target-type origin-type)
  (let ((type file-hash (permissions path))
        (data-home (string-append (xdg-data-home) "/direnv/")))
    ;; A bare symbol such as ORIGIN-TYPE in a 'match' pattern binds a new
    ;; variable instead of comparing against it, so the first clause would
    ;; always fire; compare the verdict explicitly with 'cond' instead.
    (cond
     ((eq? type origin-type)
      ;; Move the entry from the old verdict directory to the new one.
      (rename-file
       (string-append data-home (symbol->string origin-type) "/" file-hash)
       (string-append data-home (symbol->string target-type) "/" file-hash)))
     ((eq? type target-type)
      (warn "not necessary"))  ;TODO do that properly
     (else
      ;; No entry yet: record the absolute path under the new verdict.
      (call-with-output-file
          (string-append data-home (symbol->string target-type) "/" file-hash)
        (cut display (canonicalize-path path) <>))))))

(define (allow! path)
  (allow-or-deny! path 'allow 'deny))

(define (deny! path)
  (allow-or-deny! path 'deny 'allow))

-- 
Best regards,
Nicolas Graves




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Date: Wed, 11 Sep 2024 16:11:04 +0200
Message-ID: <87mske8emf.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org

On 2024-09-11 11:52, Ludovic Courtès wrote:

> Hi,
>
> Nicolas Graves <ngraves@HIDDEN> skribis:
>
> Is it that clear-cut?  It can be viewed as config rather than state too,
> no?

Possibly, though I'm not sure which use-case will make more sense using
this file as config rather than state.

In my use-case I tried to have an as-much-as-possible immutable home
config, and since I don't think it makes sense to run a guix home
reconfiguration after `echo X > ~/wherever/guix-shell-authorized-directories`,
I had to make an ugly trick/exception for this file.

>
>> WDYT? Should we implement this change? The tricky thing might be the
>> migration for those files.
>
> Right, migration in itself is difficult.  Not to mention that we’d have
> to account for people who use ‘time-machine’ to run a pre-migration
> shell.

Question is, is that worth it? Probably not for only file relocation,
but I now think we need more; see next answer.

>
>> Maybe we should also add a --allow argument to guix shell to make it
>> easier to add files.
>
> That option would add a line to ‘shell-autorized-directories’?

Yes. Actually I would like to develop a little more after thinking about
that.

Let's say you git pull code from a guix-shell-authorized repo and the
pull includes some potentially harmful / dangerous code.

The assumption of direnv is that the user has to allow the code to run
again in this case, putting more emphasis on security. This is not the
case in Guix, IIRC. I think it should be done in Guix too.

Implementing that kind of additional security will indeed need such an
option, for this will need to actually include the hash of the file of
something like that.

It's actually quite simple in direnv, they take a sha256 hash of the
absolute filename + the content of the file.
(See
https://github.com/nicolas-graves/python-direnv/blob/f8f0967a9772f0775ffe75a68d868c75076f5af4/direnv.py#L36)
That hash makes a simple file-based database where a file is allowed based
not only on its location but on its location+content.

We could have two options to interact with such a database:
--allow
--revoke

>
> Thanks,
> Ludo’.

-- 
Best regards,
Nicolas Graves
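The location+content keyed allow/revoke database this message describes (and that the Guile draft elsewhere in the thread implements), as an added example that is not code from the thread, from Guix or from direnv. It is written in Python because the message points at python-direnv for the hashing scheme; the key is SHA-256 over the absolute path, a newline and the file content as in the draft, and the database root, file names and manifest contents are constructed for the walkthrough.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def file_key(path: str | os.PathLike) -> str:
    """SHA-256 over absolute path + "\\n" + content, as in the thread's draft.

    The path is part of the key, so the same file copied elsewhere is a new
    entry; the content is part of it, so any edit (for instance one brought
    in by a git pull) invalidates the earlier decision.
    """
    abs_path = os.path.realpath(path)
    with open(abs_path, "rb") as fh:
        content = fh.read()
    return hashlib.sha256(abs_path.encode() + b"\n" + content).hexdigest()


class AuthDb:
    """File-based database: <root>/allow/<key> and <root>/deny/<key>, each
    entry holding the absolute path it was recorded for."""

    def __init__(self, root: str | os.PathLike) -> None:
        self.root = Path(root)
        for verdict in ("allow", "deny"):
            (self.root / verdict).mkdir(parents=True, exist_ok=True)

    @staticmethod
    def _entry_valid(entry: Path, abs_path: str) -> bool:
        # Mirrors the draft's is-valid?: the entry must exist and name the
        # same absolute path, so a stray or colliding file in the database
        # directory does not grant anything.
        return entry.is_file() and entry.read_text().rstrip("\n") == abs_path

    def status(self, path: str | os.PathLike) -> tuple[str, str]:
        """Return (verdict, key); an explicit deny wins over allow."""
        abs_path = os.path.realpath(path)
        key = file_key(abs_path)
        for verdict in ("deny", "allow"):
            if self._entry_valid(self.root / verdict / key, abs_path):
                return verdict, key
        return "unknown", key

    def _decide(self, path: str | os.PathLike, target: str, other: str) -> bool:
        verdict, key = self.status(path)
        if verdict == target:
            return False  # already recorded, nothing to do
        if verdict == other:
            (self.root / other / key).unlink()  # flip the existing entry
        (self.root / target / key).write_text(os.path.realpath(path) + "\n")
        return True

    def allow(self, path: str | os.PathLike) -> bool:    # the --allow option
        return self._decide(path, "allow", "deny")

    def revoke(self, path: str | os.PathLike) -> bool:   # the --revoke option
        return self._decide(path, "deny", "allow")

    def is_allowed(self, path: str | os.PathLike) -> bool:
        return self.status(path)[0] == "allow"


def lifecycle_demo() -> list[str]:
    """Run allow -> pull changes -> decide again on constructed files in a
    temporary tree and return the verdict observed after each step."""
    with tempfile.TemporaryDirectory() as tmp:
        db = AuthDb(Path(tmp) / "state" / "guix")  # constructed XDG-like root
        manifest = Path(tmp) / "project" / "guix.scm"
        manifest.parent.mkdir()
        manifest.write_text("(specifications->manifest '(\"hello\"))\n")
        seen = [db.status(manifest)[0]]  # unknown: never decided
        db.allow(manifest)
        seen.append(db.status(manifest)[0])  # allow
        # A pull rewrites the manifest: the key changes, so the old allow
        # entry no longer matches and the user has to decide again.
        manifest.write_text("(specifications->manifest '(\"hello\" \"curl\"))\n")
        seen.append(db.status(manifest)[0])  # unknown again
        db.revoke(manifest)
        seen.append(db.status(manifest)[0])  # deny
        db.allow(manifest)  # flips the entry from deny to allow
        seen.append(db.status(manifest)[0])  # allow
        return seen
```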




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.

Message received at 73166 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Nicolas Graves <ngraves@HIDDEN>
Subject: Re: bug#73166: shell-autorized-directories
Date: Wed, 11 Sep 2024 11:52:48 +0200
Message-ID: <87cyla7c0f.fsf@HIDDEN>
Cc: 73166 <at> debbugs.gnu.org

Hi,

Nicolas Graves <ngraves@HIDDEN> skribis:

> According to current uses of the XDG base dirs specification, I think
> guix shell-authorized-directories is in the wrong place, and should
> instead be in $XDG_STATE_HOME/guix/
>
> direnv uses $XDG_STATE_HOME too to store authorized directories, and it
> also makes more sense in the context of immutable configs

Is it that clear-cut?  It can be viewed as config rather than state too,
no?

> WDYT? Should we implement this change? The tricky thing might be the
> migration for those files.

Right, migration in itself is difficult.  Not to mention that we’d have
to account for people who use ‘time-machine’ to run a pre-migration
shell.

> Maybe we should also add a --allow argument to guix shell to make it
> easier to add files.

That option would add a line to ‘shell-autorized-directories’?

Thanks,
Ludo’.




Information forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.
Changed bug title to ''shell-authorized-directories' located in the wrong place?' from 'shell-autorized-directories' Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Nicolas Graves <ngraves@HIDDEN>
To: bug-guix@HIDDEN
Subject: shell-autorized-directories
Date: Tue, 10 Sep 2024 13:31:07 +0200
Message-ID: <877cbjwxs4.fsf@HIDDEN>


According to current uses of the XDG base dirs specification, I think
guix shell-authorized-directories is in the wrong place, and should
instead be in $XDG_STATE_HOME/guix/

direnv uses $XDG_STATE_HOME too to store authorized directories, and it
also makes more sense in the context of immutable configs.

WDYT? Should we implement this change? The tricky thing might be the
migration for those files. Maybe we should also add a --allow argument
to guix shell to make it easier to add files.

-- 
Best regards,
Nicolas Graves




Acknowledgement sent to Nicolas Graves <ngraves@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#73166; Package guix. Full text available.
Last modified: Sun, 12 Jan 2025 05:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.