GNU bug report logs -
#39819
guix-service-type authorized keys are not honored when /etc/guix/acl exists
Your bug report
#39819: guix-service-type authorized keys are not honored when /etc/guix/acl exists
which was filed against the guix package, has been closed.
The explanation is attached below, along with your original report.
If you require more details, please reply to 39819 <at> debbugs.gnu.org.
--
39819: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=39819
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Hello!
I went ahead and pushed this as c6ef627c97e5e6a94688baf20892ae3429f86897
with the changes below, accounting for Vagrant’s comment and for the
fact that childhurds rely on the non-declarative behavior (which hadn’t
occurred to me before), as well as fixing other typos.
Let me know if anything is amiss!
Thanks,
Ludo’.
[Message part 4 (text/x-patch, inline)]
diff --git a/doc/guix.texi b/doc/guix.texi
index 021d430c39..efb4ea1c47 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -14690,14 +14690,14 @@ Whether to authorize the substitute keys listed in
@code{authorized-keys}---by default that of @code{@value{SUBSTITUTE-SERVER}}
(@pxref{Substitutes}).
-When @code{authorize-keys?} is true, @file{/etc/guix/acl} cannot be
+When @code{authorize-key?} is true, @file{/etc/guix/acl} cannot be
changed by invoking @command{guix archive --authorize}. You must
instead adjust @code{guix-configuration} as you wish and reconfigure the
system. This ensures that your operating system configuration file is
self-contained.
@quotation Note
-When booting or reconfiguring to a system where @code{authorize-keys?}
+When booting or reconfiguring to a system where @code{authorize-key?}
is true, the existing @file{/etc/guix/acl} file is backed up as
@file{/etc/guix/acl.bak} if it was determined to be a manually modified
file. This is to facilitate migration from earlier versions, which
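Review bot: the Note's condition "if it was determined to be a manually modified file" gives no criterion, so an administrator cannot predict whether a key added by hand ends up in /etc/guix/acl.bak or is simply lost; state how the determination is made in the same paragraph. The sentence "cannot be changed by invoking guix archive --authorize" is also misleading as worded, since the command still edits the file at the time it is run and the edit is only discarded at the next activation; phrase it as "changes made with guix archive --authorize are overwritten on the next reconfiguration".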
@@ -14717,7 +14717,7 @@ Whether to use substitutes.
@item @code{substitute-urls} (default: @code{%default-substitute-urls})
The list of URLs where to look for substitutes by default.
-Support you would like to fetch substitutes from @code{guix.example.org}
+Suppose you would like to fetch substitutes from @code{guix.example.org}
in addition to @code{@value{SUBSTITUTE-SERVER}}. You will need to do
two things: (1) add @code{guix.example.org} to @code{substitute-urls},
and (2) authorize its signing key, having done appropriate checks
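Review bot: "having done appropriate checks" leaves the reader without guidance on the one step that matters for security, namely what to verify before authorizing a third-party signing key; consider naming it, e.g. "after comparing the key's fingerprint with one obtained from the server's operator over a separate trusted channel". The Support/Suppose typo fix itself is fine.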
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index edd0b644f5..eaf0bbde43 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -875,7 +875,16 @@ that will be listening to receive secret keys on port 1004, TCP."
(permit-root-login #t)
(allow-empty-passwords? #t)
(password-authentication? #t)))
- %base-services/hurd))))
+
+ ;; By default, the secret service introduces a pre-initialized
+ ;; /etc/guix/acl file in the childhurd. Thus, clear
+ ;; 'authorize-key?' so that it's not overridden at activation
+ ;; time.
+ (modify-services %base-services/hurd
+ (guix-service-type config =>
+ (guix-configuration
+ (inherit config)
+ (authorize-key? #f))))))))
(define-record-type* <hurd-vm-configuration>
hurd-vm-configuration make-hurd-vm-configuration
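Review bot: with authorize-key? set to #f, whatever the inherited config lists in authorized-keys is silently ignored, so the childhurd trusts only the keys the secret service installed; the comment should say so explicitly, and it would be clearer to also set (authorized-keys '()) so the field does not suggest those keys are honored.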
[Message part 5 (message/rfc822, inline)]
Hello,
I spent the evening debugging why my authorized keys for the
guix-service-type wouldn't appear under /etc/guix/acl upon
reconfiguration (and 'guix offload test' would be unhelpfully reporting
"guix offload: error: program
`/gnu/store/n9633hls7097236l4j8i1aiv5bppyf0q-guix-1.0.1-13.50299ad/bin/guix'
failed with exit code 1", see issue <https://bugs.gnu.org/34786>).
It turns out that the guix-activation script that is supposed to add the authorized keys does this:
--8<---------------cut here---------------start------------->8---
(unless (file-exists? "/etc/guix/acl")
(mkdir-p "/etc/guix")
(copy-file #+default-acl "/etc/guix/acl")
(chmod "/etc/guix/acl" #o600)))))
--8<---------------cut here---------------end--------------->8---
i.e., it doesn't do anything if a /etc/guix/acl file already exists.
This means that the only time it ought to do anything is the first time
the system was reconfigured (or perhaps, init?).
I would have expected the keys declared in my operating system
configuration to be used along with those in /etc/guix/acl, or added to it.
Maxim
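The activation logic quoted in the report (seed /etc/guix/acl only when it is absent) next to the declarative behaviour the closing patch documents for authorize-key? true (regenerate the file from the configuration, keep a hand-edited copy as acl.bak), run against a scratch directory. This is an added illustration, not code from Guix: the one-line-per-key ACL rendering, the digest-based "manually modified" check, and the function names are assumptions made here so the two policies can be compared side by side.

```python
# Added example (not Guix's code): two activation policies for /etc/guix/acl,
# run against a temporary directory.  The ACL format, the "manually modified"
# heuristic and all function names are assumptions for this illustration.
import hashlib
import os
import shutil
import tempfile


def render_acl(keys):
    # Assumed toy format: one line per authorized key.  The real file is an
    # s-expression, but neither activation policy depends on the format.
    return "".join(f"(entry {key})\n" for key in keys)


def _read(path):
    with open(path) as f:
        return f.read()


def _write_secret(path, text):
    # Create the file as 0600 from the start so there is no window in which
    # it is readable with wider permissions before a later chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)


def activate_non_declarative(etc, declared_keys):
    """Behaviour quoted in the report: seed the ACL only when it is absent.
    Keys added to the configuration afterwards are never applied."""
    path = os.path.join(etc, "acl")
    if not os.path.exists(path):
        os.makedirs(etc, exist_ok=True)
        _write_secret(path, render_acl(declared_keys))
    return _read(path)


def activate_declarative(etc, declared_keys):
    """Behaviour described for authorize-key? true: regenerate the ACL from
    the configuration on every activation and keep a hand-edited file as
    acl.bak.  "Hand-edited" is decided here by comparing the file with the
    digest of what the previous activation wrote (an assumption; Guix uses
    its own criterion)."""
    os.makedirs(etc, exist_ok=True)
    path = os.path.join(etc, "acl")
    stamp = os.path.join(etc, ".acl.sha256")
    wanted = render_acl(declared_keys)
    if os.path.exists(path):
        current = hashlib.sha256(_read(path).encode()).hexdigest()
        last_written = _read(stamp) if os.path.exists(stamp) else None
        if current != last_written:
            shutil.copy2(path, path + ".bak")  # hand-edited: keep a copy
    _write_secret(path, wanted)
    with open(stamp, "w") as f:
        f.write(hashlib.sha256(wanted.encode()).hexdigest())
    return _read(path)


def scenario():
    """Run both policies through the same sequence: reconfigure with KEY-A,
    reconfigure again with KEY-B added, then (declarative only) edit the
    file by hand and reconfigure once more.  Returns what each step left
    behind so the difference between the policies is visible."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "old", "guix")
        activate_non_declarative(old, ["KEY-A"])
        # The second key never reaches the file under the old policy.
        out["old_after_adding_b"] = activate_non_declarative(old, ["KEY-A", "KEY-B"])

        new = os.path.join(root, "new", "guix")
        activate_declarative(new, ["KEY-A"])
        out["new_after_adding_b"] = activate_declarative(new, ["KEY-A", "KEY-B"])
        # Emulate a manual `guix archive --authorize` between reconfigurations.
        with open(os.path.join(new, "acl"), "a") as f:
            f.write("(entry KEY-MANUAL)\n")
        out["new_after_manual_edit"] = activate_declarative(new, ["KEY-A", "KEY-B"])
        out["backup"] = _read(os.path.join(new, "acl.bak"))
        out["mode"] = oct(os.stat(os.path.join(new, "acl")).st_mode & 0o777)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

The point the scenario makes is the one Maxim ran into: a guard of the form "do nothing if the file exists" never reconciles declared state with the file on disk, so a key added to the configuration is silently absent and nothing in the reconfigure output says so. The declarative variant pays for that with the opposite surprise, a manual authorization is dropped at the next reconfigure, which is why the backup to acl.bak matters.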
This bug report was last modified 4 years and 212 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.