GNU bug report logs - #57217
home-openssh-service-type creates .ssh/config with wrong permissions
Reported by: Elias Kueny <elias.kueny <at> posteo.net>
Date: Sun, 14 Aug 2022 22:03:02 UTC
Severity: important
Tags: notabug
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #10 received at 57217 <at> debbugs.gnu.org (full text, mbox):
Hi Elias,
Elias Kueny <elias.kueny <at> posteo.net> wrote:
> The files are created with too open permissions, so ssh refuses to run:
>
> $ ssh xxx
> Bad owner or permissions on ~/.ssh/config
>
> $ ls -l .ssh
> lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
> lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf
Here’s what I see in a container:
--8<---------------cut here---------------start------------->8---
$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---
The relevant check in OpenSSH is this:
--8<---------------cut here---------------start------------->8---
	if (fstat(fileno(f), &sb) == -1)
		fatal("fstat %s: %s", filename, strerror(errno));
	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
	    (sb.st_mode & 022) != 0))
		fatal("Bad owner or permissions on %s", filename);
--8<---------------cut here---------------end--------------->8---
That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:
--8<---------------cut here---------------start------------->8---
$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
--8<---------------cut here---------------end--------------->8---
So ‘ssh’ works fine outside the container, but not inside.
To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.
To be continued…
Ludo’.
This bug report was last modified 2 years and 229 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.