GNU bug report logs - #73166
'shell-authorized-directories' located in the wrong place?

Package: guix;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Tue, 10 Sep 2024 11:32:02 UTC

Severity: normal

Tags: patch

Message #34 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Suhail Singh <suhailsingh247 <at> gmail.com>
To: Nicolas Graves <ngraves <at> ngraves.fr>
Cc: 73166 <at> debbugs.gnu.org, Saku Laesvuori <saku <at> laesvuori.fi>,
 Saku Laesvuori via Bug reports for GNU Guix <bug-guix <at> gnu.org>,
 Ludovic Courtès <ludo <at> gnu.org>,
 Andrew Tropin <andrew <at> trop.in>
Subject: Re: bug#73166: shell-autorized-directories
Date: Mon, 11 Nov 2024 20:46:10 -0500

Saku Laesvuori via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:

> Anyway, I am not opposed to this change. The only effects for my use
> cases are positive (nicer UI with the --allow flag). I just want to
> point out that I don't think this makes any attacks significantly
> harder.

FWIW, this summarizes my belief as well.  I do see some improvements in
convenience, but the threat model where this improves security (threat
actor has access to the repository, but the files are such that the
threat actor isn't able to modify their semantics without first
modifying the files) seems contrived.  Am I mistaken?

If not, while I don't have objections to the change (and do believe it
has some value), I do have reservations about claiming security
benefits.

-- 
Suhail

This bug report was last modified 186 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #73166 'shell-authorized-directories' located in the wrong place?

GNU bug report logs - #73166
'shell-authorized-directories' located in the wrong place?