From unknown Fri Jun 20 19:47:21 2025
Subject: [bug#77968] [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
Resent-From: Sergey Trofimov
Resent-Date: Mon, 21 Apr 2025 17:52:01 +0000
To: 77968@debbugs.gnu.org
From: Sergey Trofimov
Date: Mon, 21 Apr 2025 19:51:18 +0200

After migrating to the rootless guix-daemon on Guix System, ssh started to refuse operations with the error `Bad owner or permissions on /home/sarg/.ssh/config`. The config is managed with `home-openssh-service-type` and is a symlink to /gnu/store/... The file was previously owned by root, which is treated specially in the openssh source code. As a solution I suggest patching ssh to trust config files in /gnu/store/. As a workaround, users can for now use `ssh -F ~/.ssh/config`, as this skips the ownership checks.

Sergey Trofimov (1):
  gnu: openssh: Trust store items owned by guix-daemon.

 .../openssh-trust-guix-store-directory.patch | 67 +++++++++++++------
 gnu/packages/ssh.scm                          |  2 +-
 2 files changed, 47 insertions(+), 22 deletions(-)

base-commit: 7a7eff34613c9b3357adf39813793f607c03629d
-- 
2.49.0
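The check behind the `Bad owner or permissions` error, and the store-prefix exemption the cover letter proposes, as an added example that is not code from the patch, the cover letter or OpenSSH. It models the decision on constructed inputs: the uids, modes, paths and the `HASH` placeholder in the store path are made up for the demo, and `trust_before`/`trust_after` are names chosen here. It also goes one step past the cover letter and shows why the store prefix must end in a slash.

```c
/* Added example (not from the Guix patch or OpenSSH): a small model of the
 * trust decision the cover letter describes, so the failure it reports and
 * the effect of the proposed store exemption can be run on constructed input.
 * Every uid, mode and path below is constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum verdict { REJECTED = 0, TRUSTED = 1 };

/* The ownership/mode rule OpenSSH applies before trusting a file: it must be
 * owned by root or by the calling user, and not be writable by group/others. */
static int owner_mode_ok(uid_t st_uid, mode_t st_mode, uid_t self)
{
    if (st_uid != 0 && st_uid != self)
        return 0;
    if ((st_mode & 022) != 0)
        return 0;
    return 1;
}

/* Prefix test on the canonical (symlink-resolved) path. store_dir must carry
 * a trailing '/', otherwise "/gnu/store-other/..." also matches "/gnu/store". */
static int in_store(const char *canon_path, const char *store_dir)
{
    return strncmp(canon_path, store_dir, strlen(store_dir)) == 0;
}

/* Pre-patch behaviour: only the ownership/mode rule decides. */
enum verdict trust_before(const char *canon_path, uid_t st_uid, mode_t st_mode,
                          uid_t self)
{
    (void)canon_path;
    return owner_mode_ok(st_uid, st_mode, self) ? TRUSTED : REJECTED;
}

/* Proposed behaviour: a path inside the store is trusted without the
 * ownership/mode rule (the store is read-only and owned by the daemon user);
 * everything else is judged exactly as before. */
enum verdict trust_after(const char *canon_path, uid_t st_uid, mode_t st_mode,
                         uid_t self, const char *store_dir)
{
    if (in_store(canon_path, store_dir))
        return TRUSTED;
    return owner_mode_ok(st_uid, st_mode, self) ? TRUSTED : REJECTED;
}

static const char *show(enum verdict v)
{
    return v == TRUSTED ? "trusted" : "rejected";
}

int main(void)
{
    const uid_t me = 1000, daemon_uid = 30000;           /* constructed uids */
    const char *cfg = "/gnu/store/HASH-ssh-config";      /* HASH: placeholder */

    /* The regression from the cover letter: a daemon-owned, read-only store
     * file fails the old rule because it is owned by neither root nor me. */
    printf("daemon-owned store config, before: %s\n",
           show(trust_before(cfg, daemon_uid, 0444, me)));
    printf("daemon-owned store config, after:  %s\n",
           show(trust_after(cfg, daemon_uid, 0444, me, "/gnu/store/")));
    /* Why the trailing slash matters: a sibling directory of the store. */
    printf("sibling dir, prefix without slash: %s\n",
           show(trust_after("/gnu/store-other/config", 4242, 0666, me, "/gnu/store")));
    printf("sibling dir, prefix with slash:    %s\n",
           show(trust_after("/gnu/store-other/config", 4242, 0666, me, "/gnu/store/")));
    return 0;
}
```

The first two lines of output reproduce the cover letter's situation: the same store file is rejected by the old rule and accepted once the store exemption exists. The last two show the only thing the exemption relies on besides the store being read-only: the prefix comparison must not let a directory whose name merely starts with `/gnu/store` through, which is what the trailing slash guarantees.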
From unknown Fri Jun 20 19:47:21 2025
Subject: [bug#77968] [PATCH 1/1] gnu: openssh: Trust store items owned by guix-daemon.
From: Sergey Trofimov
Date: Mon, 21 Apr 2025 19:58:25 +0200

* gnu/packages/patches/openssh-trust-guix-store-directory.patch (openssh): Adjust to trust files in guix store owned by guix-daemon.
* gnu/packages/ssh.scm (openssh): Append ending slash when substituting STORE_DIRECTORY.

Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f
---
 .../openssh-trust-guix-store-directory.patch | 67 +++++++++++++------
 gnu/packages/ssh.scm                          |  2 +-
 2 files changed, 47 insertions(+), 22 deletions(-)

diff --git a/gnu/packages/patches/openssh-trust-guix-store-directory.patch b/gnu/packages/patches/openssh-trust-guix-store-directory.patch index b3a9c1bdfce..d190740f100 100644 --- a/gnu/packages/patches/openssh-trust-guix-store-directory.patch +++ b/gnu/packages/patches/openssh-trust-guix-store-directory.patch @@ -3,20 +3,20 @@ 
From: Alexey Abramov Date: Fri, 22 Apr 2022 11:32:15 +0200 Subject: [PATCH] Trust guix store directory -To be able to execute binaries defined in OpenSSH configuration, we -need to tell OpenSSH that we can trust Guix store objects. safe_path -procedure takes a canonical path and for each component, walking -upwards, checks ownership and permissions constrains which are: must -be owned by root, not writable by group or others. +To be able to execute binaries defined in OpenSSH configuration, we need to +tell OpenSSH that we can trust Guix store objects. safe_path procedure is +patched to assume files in Guix store to be safe. Additionally configuration +file placed in Guix store is assumed to be safe to load. --- - misc.c | 5 +++++ - 1 file changed, 5 insertions(+) + misc.c | 6 ++++++ + readconf.c | 7 ++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/misc.c b/misc.c -index 0134d69..7131d5e 100644 +index dd0bd032a..6b866464c 100644 --- a/misc.c +++ b/misc.c -@@ -2146,6 +2146,7 @@ int +@@ -2254,6 +2254,7 @@ int safe_path(const char *name, struct stat *stp, const char *pw_dir, uid_t uid, char *err, size_t errlen) { 
@@ -24,17 +24,42 @@ index 0134d69..7131d5e 100644 char buf[PATH_MAX], homedir[PATH_MAX]; char *cp; int comparehome = 0; -@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, - } - strlcpy(buf, cp, sizeof(buf)); - -+ /* If we are past the Guix store then we can stop */ -+ if (strcmp(guix_store, buf) == 0) -+ break; +@@ -2271,6 +2272,11 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + snprintf(err, errlen, "%s is not a regular file", buf); + return -1; + } ++ // the file is trusted when it is located in guix store ++ if (strncmp(buf, guix_store, strlen(guix_store)) == 0) { ++ return 0; ++ } + - if (stat(buf, &st) == -1 || - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || - (st.st_mode & 022) != 0) { + if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || + (stp->st_mode & 022) != 0) { + snprintf(err, errlen, "bad ownership or modes for file %s", +diff --git a/readconf.c b/readconf.c +index 7cbe7d2c2..40a5f1ace 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2566,6 +2566,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, + { + FILE *f; + char *line = NULL; ++ char errmsg[512]; + size_t linesize = 0; + int linenum; + int bad_options = 0; +@@ -2581,9 +2582,9 @@ read_config_file_depth(const char *filename, struct passwd *pw, + + if (fstat(fileno(f), &sb) == -1) + fatal("fstat %s: %s", filename, strerror(errno)); +- if (((sb.st_uid != 0 && sb.st_uid != getuid()) || +- (sb.st_mode & 022) != 0)) +- fatal("Bad owner or permissions on %s", filename); ++ if (safe_path(filename, &sb, pw->pw_dir, pw->pw_uid, errmsg, sizeof(errmsg)) != 0) { ++ fatal(errmsg); ++ } + } + + debug("Reading configuration data %.200s", filename); -- -2.34.0 - +2.49.0 diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 877d129e918..9e0684e26c8 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm 
@@ -262,7 +262,7 @@ (define-public openssh (lambda _ (substitute* "misc.c" (("@STORE_DIRECTORY@") - (string-append "\"" (%store-directory) "\""))))) + (string-append "\"" (%store-directory) "/\""))))) (add-before 'check 'patch-tests (lambda _ (substitute* "regress/test-exec.sh" 
-- 
2.49.0
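Review bot: the rewritten description in the @@ -3,20 +3,20 @@ hunk says store files are "assumed to be safe" but not why; state the grounds (store items are owned by the daemon user and kept read-only) and say plainly that the exemption now covers the client configuration file itself, not only the binaries the header already mentioned. A reader should not have to infer that from the new `readconf.c | 7 ++++---` diffstat line.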
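Review bot: in the readconf.c part of the @@ -24,17 +24,42 @@ hunk, `fatal(errmsg)` passes a buffer that embeds the file path to fatal() as its format string; write `fatal("%s", errmsg)` so a `%` in a path is printed rather than interpreted (this is also what -Wformat-security reports). Two behaviour changes in the same hunk deserve a sentence in the patch header: the misc.c `strncmp` test returns 0 before the `bad ownership or modes for file` check, so a store path is accepted whatever its own uid and mode (the earlier `if (strcmp(guix_store, buf) == 0) break;` only ended the upward directory walk at the store root and still checked the file), and routing the config file through safe_path() means its parent directories are now walked as well, so a group-writable ~/.ssh or home directory that the old inline `sb.st_uid`/`sb.st_mode & 022` test tolerated will now abort with "bad ownership or modes for directory". The prefix test also depends on `guix_store` ending in '/', which the ssh.scm change supplies; a comment at the `strncmp` line tying the two together would help.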
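Review bot: the trailing slash added in the @@ -262,7 +262,7 @@ hunk is load-bearing, not cosmetic: it is what makes the patched `strncmp(buf, guix_store, strlen(guix_store))` a directory-prefix test, so a path such as /gnu/store-other/... no longer matches. Put a one-line comment beside `(string-append "\"" (%store-directory) "/\"")` saying so; otherwise a later tidy-up can drop the slash without anyone noticing that the exemption widened.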
From unknown Fri Jun 20 19:47:21 2025
Subject: [bug#77968] [PATCH v1] gnu: openssh: Adapt for root-less guix store.
From: Sergey Trofimov
Date: Wed, 23 Apr 2025 16:13:10 +0200
Message-ID: <832e1767fc8d3203c8804035c344df0f99d5716d.1745417565.git.sarg@sarg.org.ru>

* gnu/packages/patches/openssh-trust-guix-store-directory.patch (openssh): Adjust to trust files in guix store owned by guix-daemon.
* gnu/packages/ssh.scm (openssh): [phases]: Append ending slash when substituting STORE_DIRECTORY. Use default PRIVSEP_PATH (/var/empty).

Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f
---
 .../openssh-trust-guix-store-directory.patch | 67 +++++++++++++------
 gnu/packages/ssh.scm                          | 14 ++--
 2 files changed, 51 insertions(+), 30 deletions(-)

diff --git a/gnu/packages/patches/openssh-trust-guix-store-directory.patch b/gnu/packages/patches/openssh-trust-guix-store-directory.patch index b3a9c1bdfc..d190740f10 100644 --- a/gnu/packages/patches/openssh-trust-guix-store-directory.patch +++ b/gnu/packages/patches/openssh-trust-guix-store-directory.patch @@ -3,20 +3,20 @@ 
From: Alexey Abramov Date: Fri, 22 Apr 2022 11:32:15 +0200 Subject: [PATCH] Trust guix store directory -To be able to execute binaries defined in OpenSSH configuration, we -need to tell OpenSSH that we can trust Guix store objects. safe_path -procedure takes a canonical path and for each component, walking -upwards, checks ownership and permissions constrains which are: must -be owned by root, not writable by group or others. +To be able to execute binaries defined in OpenSSH configuration, we need to +tell OpenSSH that we can trust Guix store objects. safe_path procedure is +patched to assume files in Guix store to be safe. Additionally configuration +file placed in Guix store is assumed to be safe to load. --- - misc.c | 5 +++++ - 1 file changed, 5 insertions(+) + misc.c | 6 ++++++ + readconf.c | 7 ++++--- + 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/misc.c b/misc.c -index 0134d69..7131d5e 100644 +index dd0bd032a..6b866464c 100644 --- a/misc.c +++ b/misc.c -@@ -2146,6 +2146,7 @@ int +@@ -2254,6 +2254,7 @@ int safe_path(const char *name, struct stat *stp, const char *pw_dir, uid_t uid, char *err, size_t errlen) { 
@@ -24,17 +24,42 @@ index 0134d69..7131d5e 100644 char buf[PATH_MAX], homedir[PATH_MAX]; char *cp; int comparehome = 0; -@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, - } - strlcpy(buf, cp, sizeof(buf)); - -+ /* If we are past the Guix store then we can stop */ -+ if (strcmp(guix_store, buf) == 0) -+ break; +@@ -2271,6 +2272,11 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir, + snprintf(err, errlen, "%s is not a regular file", buf); + return -1; + } ++ // the file is trusted when it is located in guix store ++ if (strncmp(buf, guix_store, strlen(guix_store)) == 0) { ++ return 0; ++ } + - if (stat(buf, &st) == -1 || - (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) || - (st.st_mode & 022) != 0) { + if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) || + (stp->st_mode & 022) != 0) { + snprintf(err, errlen, "bad ownership or modes for file %s", +diff --git a/readconf.c b/readconf.c +index 7cbe7d2c2..40a5f1ace 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -2566,6 +2566,7 @@ read_config_file_depth(const char *filename, struct passwd *pw, + { + FILE *f; + char *line = NULL; ++ char errmsg[512]; + size_t linesize = 0; + int linenum; + int bad_options = 0; +@@ -2581,9 +2582,9 @@ read_config_file_depth(const char *filename, struct passwd *pw, + + if (fstat(fileno(f), &sb) == -1) + fatal("fstat %s: %s", filename, strerror(errno)); +- if (((sb.st_uid != 0 && sb.st_uid != getuid()) || +- (sb.st_mode & 022) != 0)) +- fatal("Bad owner or permissions on %s", filename); ++ if (safe_path(filename, &sb, pw->pw_dir, pw->pw_uid, errmsg, sizeof(errmsg)) != 0) { ++ fatal(errmsg); ++ } + } + + debug("Reading configuration data %.200s", filename); -- -2.34.0 - +2.49.0 diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 5f0b3e2a6a..0518d2ee1c 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm 
@@ -267,16 +267,11 @@ (define-public openssh '())) #:phases #~(modify-phases %standard-phases - (add-after 'configure 'reset-/var/empty - (lambda _ - (substitute* "Makefile" - (("PRIVSEP_PATH=/var/empty") - (string-append "PRIVSEP_PATH=" #$output "/var/empty"))))) (add-after 'configure 'set-store-location (lambda _ (substitute* "misc.c" (("@STORE_DIRECTORY@") - (string-append "\"" (%store-directory) "\""))))) + (string-append "\"" (%store-directory) "/\""))))) (add-before 'check 'patch-tests (lambda _ (substitute* "regress/test-exec.sh" @@ -289,9 +284,10 @@ (define-public openssh (string-append pre post))))) (replace 'install (lambda* (#:key (make-flags '()) #:allow-other-keys) - ;; Install without host keys and system configuration files. This - ;; will install /var/empty to the store, which is needed by the - ;; system openssh-service-type. + ;; don't create /var/empty + (substitute* "Makefile" + ((".*MKDIR_P.*PRIVSEP_PATH.*") "")) + ;; Install without host keys and system configuration files. (apply invoke "make" "install-nosysconf" make-flags) (with-directory-excursion "contrib" (chmod "ssh-copy-id" #o555) 
base-commit: 699ce22ed812cf8cfcdd8d0341829f8fac2c864a
-- 
2.49.0
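Review bot: the readconf.c part of the @@ -24,17 +24,42 @@ hunk still calls `fatal(errmsg)` with a path-bearing buffer as the format string; use `fatal("%s", errmsg)`. The same hunk makes the misc.c store exemption return before the file's own uid/mode test and, via safe_path(), extends the config-file check to the parent directories of non-store configs; neither change is mentioned in the rewritten patch header or in the commit message, and both alter what users see.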
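Review bot: dropping the `reset-/var/empty` phase in the @@ -267,16 +267,11 @@ hunk leaves sshd with the upstream default PRIVSEP_PATH of /var/empty on the running system, as the commit message says, but it should also say who creates that directory with root ownership and no group/other write bits, because sshd refuses to start when its privilege-separation directory is missing or has the wrong ownership or modes. The `/\"` change in the same hunk is the companion of the `strncmp` prefix test in the .patch file and deserves a comment for that reason: without the slash a sibling directory of the store would match.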
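Review bot: `(substitute* "Makefile" ((".*MKDIR_P.*PRIVSEP_PATH.*") ""))` in the @@ -289,9 +284,10 @@ hunk succeeds silently when nothing matches, so an upstream Makefile reorganisation would quietly bring back the in-store /var/empty this change removes; anchor the regexp to the exact line or check the outcome (for instance, fail the phase if the directory exists in the output after `make install-nosysconf`). The comment `;; don't create /var/empty` should also carry the reason now that the sentence about openssh-service-type needing it has been deleted.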
From unknown Fri Jun 20 19:47:21 2025
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Sergey Trofimov
Subject: bug#77968: closed (Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.)
References: <87ecx23dga.fsf_-_@gnu.org>
Reply-To: 77968@debbugs.gnu.org
Date: Mon, 05 May 2025 22:25:04 +0000

Your bug report

#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report. If you require more details, please reply to 77968@debbugs.gnu.org.

-- 
77968: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77968
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
From: Ludovic Courtès
To: Sergey Trofimov
Subject: Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
In-Reply-To: <832e1767fc8d3203c8804035c344df0f99d5716d.1745417565.git.sarg@sarg.org.ru> (Sergey Trofimov's message of "Wed, 23 Apr 2025 16:13:10 +0200")
References: <832e1767fc8d3203c8804035c344df0f99d5716d.1745417565.git.sarg@sarg.org.ru>
Date: Tue, 06 May 2025 00:22:29 +0200
Message-ID: <87ecx23dga.fsf_-_@gnu.org>
Cc: 78067-done@debbugs.gnu.org, 77968-done@debbugs.gnu.org

Hi Sergey,

Sergey Trofimov writes:

> * gnu/packages/patches/openssh-trust-guix-store-directory.patch
> (openssh): Adjust to trust files in guix store owned by guix-daemon.
> * gnu/packages/ssh.scm (openssh): [phases]: Append ending slash when
> substituting STORE_DIRECTORY. Use default PRIVSEP_PATH (/var/empty).
>
> Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f

I adjusted the commit log to refer to the bug and committed it as eab097c682ed31efd8668f46fce8de8f73b92849.

Thanks!

Ludo’.