GNU bug report logs - #26717
Avoid references to the store in authorized_keys
Report forwarded to guix-patches <at> gnu.org: bug#26717; Package guix-patches. (Sun, 30 Apr 2017 16:32:02 GMT)
Acknowledgement sent to Clément Lassieur <clement <at> lassieur.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 30 Apr 2017 16:32:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Note that if gitolite is already installed, one has to remove the
references from authorized_keys manually first, because otherwise the
old (bugged) gitolite will be used instead of the one in the PATH, and
authorized_keys will never be updated.
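A check for the leftover entries this message describes, as an added example that is not part of the original report nor Guix or gitolite code. It assumes the store is at /gnu/store and that gitolite's entries have the form command="<shell> <user>",<options> <key>; the sample file, its store path and its keys are constructed.

```shell
#!/bin/sh
# Added example, not Guix or gitolite code. Sample data is constructed.
STORE_DIR="${STORE_DIR:-/gnu/store}"   # assumption: default Guix store

# find_store_pinned FILE
# Print "LINE<TAB>COMMAND" for each key whose command="..." option starts
# with a path under $STORE_DIR. Exit status is 1 if any such entry exists.
# Assumes no escaped quotes inside command="...", as in gitolite entries.
find_store_pinned() {
    awk -v store="$STORE_DIR/" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        match($0, /command="[^"]*"/) {
            # drop the 9-character prefix and the closing quote
            cmd = substr($0, RSTART + 9, RLENGTH - 10)
            if (index(cmd, store) == 1) {
                printf "%d\t%s\n", NR, cmd
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# write_sample FILE: constructed authorized_keys with one entry written
# before the fix (absolute store path) and one written after it (bare name).
write_sample() {
    cat > "$1" <<'EOF'
# gitolite start
command="/gnu/store/HASH-gitolite-X.Y/bin/gitolite-shell alice",no-port-forwarding,no-pty ssh-ed25519 AAAACONSTRUCTEDKEY1 alice
command="gitolite-shell bob",no-port-forwarding,no-pty ssh-ed25519 AAAACONSTRUCTEDKEY2 bob
# gitolite end
EOF
}

sample=$(mktemp)
write_sample "$sample"
find_store_pinned "$sample" || echo "entries above still pin a store path" >&2
rm -f "$sample"
```

Run against the gitolite account's real authorized_keys, a non-zero exit status means entries from the old package are still present and need the manual cleanup described above.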
Information forwarded to guix-patches <at> gnu.org: bug#26717; Package guix-patches. (Sun, 30 Apr 2017 16:34:02 GMT)
Message #8 received at 26717 <at> debbugs.gnu.org:
* gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
'$glshell' with 'gitolite-shell' in ssh-authkeys.
---
gnu/packages/version-control.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index e0770dc58..1cad0f285 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
;; invokes Perl.
(substitute* (find-files "." ".*")
((" perl -")
- (string-append " " perl " -"))))))
+ (string-append " " perl " -")))
+
+ ;; Avoid references to the store in authorized_keys.
+ ;; This works because gitolite-shell is in the PATH.
+ (substitute* "src/triggers/post-compile/ssh-authkeys"
+ (("\\$glshell \\$user")
+ "gitolite-shell $user")))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
(let* ((output (assoc-ref outputs "out"))
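Review bot: the comment on the added substitute* says "This works because gitolite-shell is in the PATH" but does not say whose PATH or when it is consulted. The replacement "gitolite-shell $user" is what ssh-authkeys writes into authorized_keys, so the name is resolved at login time in the gitolite account's environment, not at build time. I would extend the comment to say that, and to note that entries already written with the old absolute path are not rewritten by this change and have to be removed by hand once, as the submitter's first message explains.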
--
2.12.2
Information forwarded to guix-patches <at> gnu.org: bug#26717; Package guix-patches. (Sun, 30 Apr 2017 19:32:02 GMT)
Message #11 received at 26717 <at> debbugs.gnu.org:
Clément Lassieur transcribed 1.3K bytes:
> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
> '$glshell' with 'gitolite-shell' in ssh-authkeys.
> ---
> gnu/packages/version-control.scm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
> index e0770dc58..1cad0f285 100644
> --- a/gnu/packages/version-control.scm
> +++ b/gnu/packages/version-control.scm
> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
> ;; invokes Perl.
> (substitute* (find-files "." ".*")
> ((" perl -")
> - (string-append " " perl " -"))))))
> + (string-append " " perl " -")))
> +
> + ;; Avoid references to the store in authorized_keys.
> + ;; This works because gitolite-shell is in the PATH.
> + (substitute* "src/triggers/post-compile/ssh-authkeys"
> + (("\\$glshell \\$user")
> + "gitolite-shell $user")))))
> (replace 'install
> (lambda* (#:key outputs #:allow-other-keys)
> (let* ((output (assoc-ref outputs "out"))
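Review bot: the pattern "\\$glshell \\$user" in the new substitute* hard-codes the exact text of one line in src/triggers/post-compile/ssh-authkeys. substitute* does not fail when a pattern matches nothing, so if a later gitolite release rewords that line the build will still succeed and the store path will be written to authorized_keys again without anyone noticing. Consider failing the phase when the file still contains "$glshell $user" after the substitution, or at least noting in the comment that the pattern must be rechecked on every version bump.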
> --
> 2.12.2
>
>
>
>
This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
--
https://pragmatique.xyz
PGP: https://people.pragmatique.xyz/ng0/
Information forwarded to guix-patches <at> gnu.org: bug#26717; Package guix-patches. (Sun, 30 Apr 2017 21:59:02 GMT)
Message #14 received at 26717 <at> debbugs.gnu.org:
ng0 <contact.ng0 <at> cryptolab.net> writes:
> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
Well, I don't think so because the mechanism used in hooks is different:
the reference to the store is in the shebang and shebangs need absolute
paths, they don't look at PATH. We could use 'env' though, as suggested
by Marius here:
http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
As in:
#!/run/current-system/profile/bin/env perl
Assuming /run/current-system/profile/bin/env exists on all possible
setups. WDYT?
Reply sent to Clément Lassieur <clement <at> lassieur.org>: You have taken responsibility. (Wed, 03 May 2017 19:48:02 GMT)
Notification sent to Clément Lassieur <clement <at> lassieur.org>: bug acknowledged by developer. (Wed, 03 May 2017 19:48:03 GMT)
Message #19 received at 26717-done <at> debbugs.gnu.org:
ng0 <contact.ng0 <at> cryptolab.net> writes:
> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
Thank you :) I pushed it.
Information forwarded to guix-patches <at> gnu.org: bug#26717; Package guix-patches. (Thu, 04 May 2017 08:51:01 GMT)
Message #22 received at 26717 <at> debbugs.gnu.org:
Clément Lassieur <clement <at> lassieur.org> writes:
> ng0 <contact.ng0 <at> cryptolab.net> writes:
>> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
>
> Well, I don't think so because the mechanism used in hooks is different:
> the reference to the store is in the shebang and shebangs need absolute
> paths, they don't look at PATH. We could use 'env' though, as suggested
> by Marius here:
> http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
> As in:
>
> #!/run/current-system/profile/bin/env perl
>
> Assuming /run/current-system/profile/bin/env exists on all possible
> setups. WDYT?
This won't work on a non-GuixSD OS. I can't find a simple solution.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 01 Jun 2017 11:24:04 GMT)
This bug report was last modified 8 years and 102 days ago.