From: Sergey Trofimov <sarg@HIDDEN>
To: Yann Dupont <yann.dupont@HIDDEN>
Subject: Re: bug#78836: /var/empty permissions problems between sshd and nslcd
Date: Thu, 19 Jun 2025 13:19:42 +0200

Hi

Yann Dupont <yann.dupont@HIDDEN> writes:

> I don't know if this is relevant information, but we encounter this problem on disposable virtual machines, freshly generated by guix system image for one-time use, we don't reconfigure on these machines. Maybe this function is not called in this specific case?
>
> I'll see if a reconfigure changes things, but it's going to take some time, as our templates are a bit complex and divided into several files that can't be found in /running/current-system/configuration.scm.

You could simply run /run/current-system/activate and check if it fixes permissions.
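An added check, not from this thread or from Guix itself, that mirrors the test sshd applies to its privilege-separation chroot directory (owner root, not group- or world-writable), so an administrator can verify /var/empty before and after running /run/current-system/activate. The nslcd uid 990 used in the sample scenario is a constructed value.

```sh
#!/bin/sh
# Added example: reproduce the test OpenSSH's sshd applies to its
# privilege-separation directory (/var/empty on the system in this
# report). The directory must be owned by root (uid 0) and must not be
# writable by group or others; otherwise sshd refuses to start with
# "Bad owner or mode for /var/empty".

# Pure check on an owner uid and an octal mode string (e.g. "755" or
# "0755"), so it can be exercised without root and without touching the
# filesystem. Returns 0 when sshd would accept the directory, 1 otherwise,
# and prints the reason.
privsep_dir_ok() {
    uid=$1
    mode=$2
    # Keep only the last three digits (a 4-digit mode carries setuid/sticky bits first).
    perm=$(printf '%s' "$mode" | sed 's/^.*\(...\)$/\1/')
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    if [ "$uid" -ne 0 ]; then
        echo "bad owner: uid $uid, sshd requires root (uid 0)"
        return 1
    fi
    # The write bit is 2 in each octal permission digit.
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "bad mode: $perm is group- or world-writable"
        return 1
    fi
    echo "ok: uid $uid mode $perm"
    return 0
}

# Stat a real path (GNU stat, as shipped on Guix System) and run the check.
check_privsep_dir() {
    dir=${1:-/var/empty}
    if [ ! -d "$dir" ]; then
        echo "missing: $dir is not a directory"
        return 1
    fi
    privsep_dir_ok "$(stat -c %u "$dir")" "$(stat -c %a "$dir")"
}

# Constructed scenario from the report: /var/empty owned by the nslcd
# account (hypothetical uid 990) is rejected even at mode 755, while the
# expected root-owned 755 directory passes.
demo() {
    privsep_dir_ok 990 755 || true
    privsep_dir_ok 0 755
}

# Check a directory given on the command line, e.g. ./check.sh /var/empty
if [ "$#" -gt 0 ]; then
    check_privsep_dir "$1"
fi
```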
From: Sergey Trofimov <sarg@HIDDEN>
To: Yann Dupont <yann.dupont@HIDDEN>
Subject: Re: bug#78836: /var/empty permissions problems between sshd and nslcd
Date: Thu, 19 Jun 2025 10:56:28 +0200

Hi Yann,

Yann Dupont <yann.dupont@HIDDEN> writes:

> Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes sshd to now use /var/empty as a chroot directory. sshd expects /var/empty to belong to root and with reduced write permissions.
>
> Unfortunately, when the nslcd service is also present on the system, it creates a user whose home directory is also /var/empty, which in this case belongs to the nslcd user.
>
> In this case, sshd refuses to start.
>
> I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct, and that nslcd should be changed to create /var/empty with the directory property set to root. But I don't know if there are any side effects to worry about with nslcd?
>
> (I think the relevant code is in : services/authentication.scm), in (define %nslcd-accounts)
>
> ...
>
> (home-directory "/var/empty")

Check activate-users+groups in (gnu build activation). It should've adjusted directory permissions and ownership on /var/empty. There are many more accounts having /var/empty as the home dir (e.g. guixbuilder, guix-daemon accounts). Looks quite suspicious that in your case the dir belongs to nslcd. Could you try to reconfigure the system and see if the permissions get fixed?
Date: Thu, 19 Jun 2025 09:43:04 +0200
To: bug-guix@HIDDEN
From: Yann Dupont <yann.dupont@HIDDEN>
Subject: /var/empty permissions problems between sshd and nslcd
Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes
sshd to now use /var/empty as a chroot directory. sshd expects
/var/empty to belong to root and with reduced write permissions.
Unfortunately, when the nslcd service is also present on the system, it
creates a user whose home directory is also /var/empty, which in this
case belongs to the nslcd user.
In this case, sshd refuses to start.
I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct,
and that nslcd should be changed to create /var/empty with the directory
property set to root. But I don't know if there are any side effects to
worry about with nslcd ?
(I think the relevant code is in : services/authentication.scm), in
(define %nslcd-accounts)
...
(home-directory "/var/empty")
GNU bug tracking system