Subject: bug#78836: /var/empty permissions problems between sshd and nslcd
From: Yann Dupont <yann.dupont@HIDDEN>
To: bug-guix@HIDDEN
Date: Thu, 19 Jun 2025 09:43:04 +0200
Message-ID: <b5a0d45a-b589-46b3-89c9-8387adba740d@HIDDEN>

Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes
sshd to now use /var/empty as a chroot directory. sshd expects
/var/empty to belong to root and with reduced write permissions.

Unfortunately, when the nslcd service is also present on the system, it
creates a user whose home directory is also /var/empty, which in this
case belongs to the nslcd user.

In this case, sshd refuses to start.

I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct,
and that nslcd should be changed to create /var/empty with the directory
property set to root. But I don't know if there are any side effects to
worry about with nslcd?

(I think the relevant code is in services/authentication.scm, in
(define %nslcd-accounts):

    ...
    (home-directory "/var/empty")
Subject: bug#78836: Acknowledgement (/var/empty permissions problems between sshd and nslcd)
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Yann Dupont <yann.dupont@HIDDEN>
Date: Thu, 19 Jun 2025 07:44:05 +0000
Message-ID: <handler.78836.B.175031901115862.ack <at> debbugs.gnu.org>

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has
been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please send it
to 78836 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a
problem with the Bug-tracking system.

-- 
78836: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78836
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd
From: Sergey Trofimov <sarg@HIDDEN>
To: Yann Dupont <yann.dupont@HIDDEN>
Cc: 78836 <at> debbugs.gnu.org
Date: Thu, 19 Jun 2025 10:56:28 +0200
Message-ID: <877c18xg77.fsf@HIDDEN>
In-Reply-To: <b5a0d45a-b589-46b3-89c9-8387adba740d@HIDDEN>

Hi Yann,

Yann Dupont <yann.dupont@HIDDEN> writes:

> Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes sshd to now use /var/empty as a chroot directory.
> sshd expects /var/empty to belong to root and with reduced write permissions.
>
> Unfortunately, when the nslcd service is also present on the system, it creates a user whose home directory is also /var/empty, which
> in this case belongs to the nslcd user.
>
> In this case, sshd refuses to start.
>
> I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct, and that nslcd should be changed to create /var/empty
> with the directory property set to root. But I don't know if there are any side effects to worry about with nslcd ?
>
> (I think the relevant code is in : services/authentication.scm), in (define %nslcd-accounts)
>
> ...
>
> (home-directory "/var/empty")

Check activate-users+groups in (gnu build activation). It should've
adjusted directory permissions and ownership on /var/empty. There are
many more accounts having /var/empty as the home dir (e.g. guixbuilder,
guix-daemon accounts). Looks quite suspicious that in your case the dir
belongs to nslcd. Could you try to reconfigure the system and see if the
permissions get fixed?
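As an added example (not code from the bug report, from Guix or from OpenSSH), the following POSIX shell script reproduces the two checks this exchange turns on: the ownership and write-permission test that sshd applies to its privilege-separation chroot directory before it will start (the "must belong to root, not writable by others" expectation in the report), and a listing of the accounts whose home directory collides with that chroot, which is the situation Sergey's reply points at. It assumes GNU stat(1) for the live check; the /etc/passwd excerpt embedded in the script is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report, Guix or OpenSSH: mirror the
# ownership/mode test sshd applies to its privilege-separation chroot, then
# list the accounts whose home directory is that same path.
#
# Assumptions: GNU stat(1) for the live check; SAMPLE_PASSWD below is
# constructed sample data, not copied from any real system.

# The privsep chroot must be owned by uid 0 and must be neither group- nor
# world-writable (S_IWGRP = 020, S_IWOTH = 002). With a non-root owner, that
# account could populate the directory the pre-auth child is confined to.
#   $1 = owner uid (decimal), $2 = mode as printed by 'stat -c %a' (octal)
privsep_dir_ok() {
    uid=$1
    perm=$((0$2))                        # leading 0: parse the mode as octal
    [ "$uid" -eq 0 ] || return 1         # wrong owner
    [ $((perm & 18)) -eq 0 ] || return 1 # 18 = 020 | 002: group/world write
    return 0
}

# Live check of a real path, reporting the way sshd's refusal reads.
sshd_privsep_check() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "Missing privilege separation directory: $dir" >&2
        return 1
    fi
    owner_mode=$(stat -c '%u %a' "$dir") || return 1
    set -- $owner_mode                   # $1 = uid, $2 = octal mode
    if privsep_dir_ok "$1" "$2"; then
        echo "$dir: owner uid $1, mode $2: OK"
        return 0
    fi
    echo "$dir must be owned by root and not group or world-writable" \
         "(owner uid $1, mode $2)" >&2
    return 1
}

# Constructed sample /etc/passwd excerpt: several system accounts share
# /var/empty as their home directory, as in the reported setup.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
sshd:x:997:997:sshd privsep:/var/empty:/nologin
nslcd:x:996:996:NSS LDAP daemon:/var/empty:/nologin
guixbuilder01:x:30001:30000:Guix build user 01:/var/empty:/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print the account names whose home directory is $2, reading passwd-format
# lines from $1. Each of them is a candidate owner if an account-activation
# step creates or chowns the home directory for that account.
find_home_users() {
    printf '%s\n' "$1" | awk -F: -v d="$2" '$6 == d { print $1 }'
}

# Usage:  sh check-var-empty.sh --run   (checks /var/empty on this host)
if [ "${1:-}" = "--run" ]; then
    sshd_privsep_check /var/empty
    echo "accounts with home /var/empty:"
    find_home_users "$(cat /etc/passwd)" /var/empty
fi
```

privsep_dir_ok takes the uid and octal mode as stat prints them, so values copied from another machine can be checked without root access; a group- or world-writable bit fails regardless of owner, which is why the two conditions are tested separately. find_home_users over the real /etc/passwd shows every account that an activation step could make the owner of /var/empty, not only nslcd.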
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd
From: Sergey Trofimov <sarg@HIDDEN>
To: Yann Dupont <yann.dupont@HIDDEN>
Cc: 78836 <at> debbugs.gnu.org
Date: Thu, 19 Jun 2025 13:19:42 +0200
Message-ID: <871prgx9kh.fsf@HIDDEN>
In-Reply-To: <3f4f9d28-cfda-4689-8fc4-963d4f6360ac@HIDDEN>

Hi

Yann Dupont <yann.dupont@HIDDEN> writes:

> I don't know if this is relevant information, but we encounter this problem on disposable virtual machines, freshly generated by guix
> system image for one-time use, we don't reconfigure on these machines. Maybe this function is not called in this specific case?
>
> I'll see if a reconfigure changes things, but it's going to take some time, as our templates are a bit complex and divided into
> several files that can't be found in /running/current-system/configuration.scm.

You could simply run /run/current-system/activate and check if it fixes permissions.

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.