GNU bug report logs - #77968
[PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.

Package: guix-patches

Reported by: Sergey Trofimov <sarg <at> sarg.org.ru>

Date: Mon, 21 Apr 2025 17:52:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#77968: closed ([PATCH 0/1] gnu: openssh: Trust store items
 owned by guix-daemon.)
Date: Mon, 05 May 2025 22:25:04 +0000
[Message part 1 (text/plain, inline)]
Your message dated Tue, 06 May 2025 00:22:29 +0200
with message-id <87ecx23dga.fsf_-_ <at> gnu.org>
and subject line Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
has caused the debbugs.gnu.org bug report #77968,
regarding [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
77968: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77968
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Sergey Trofimov <sarg <at> sarg.org.ru>
To: guix-patches <at> gnu.org
Cc: Sergey Trofimov <sarg <at> sarg.org.ru>
Subject: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
Date: Mon, 21 Apr 2025 19:51:18 +0200
After migration to rootless guix-daemon on Guix system, ssh started to refuse
operations with the error `Bad owner or permissions on /home/sarg/.ssh/config`.
The config is managed with `home-openssh-service-type` and is a symlink to
/gnu/store/...  The file was previously owned by root which is treated specially
in openssh source code.

As a solution I suggest patching ssh to trust config files in /gnu/store/. As a
workaround, users can for now use `ssh -F ~/.ssh/config`, as this would skip
ownership checks.

Sergey Trofimov (1):
  gnu: openssh: Trust store items owned by guix-daemon.

 .../openssh-trust-guix-store-directory.patch  | 67 +++++++++++++------
 gnu/packages/ssh.scm                          |  2 +-
 2 files changed, 47 insertions(+), 22 deletions(-)


base-commit: 7a7eff34613c9b3357adf39813793f607c03629d
-- 
2.49.0
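
The failure reported in the message above, as an added example (not code from OpenSSH or from the Guix patch): the owner and mode test ssh applies to the per-user config file, next to a hypothetical store-aware variant of the kind the message proposes. The `STORE_DIRECTORY` value, the function names and the decision to keep the write-bit test for store items are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed store prefix. The trailing slash keeps "/gnu/store-x/..." out. */
#define STORE_DIRECTORY "/gnu/store/"

/* Stock rule: owned by root or the invoking user, and not writable by
   group or others.  A failure here is what ssh reports as
   "Bad owner or permissions on <file>". */
static bool stock_check(uid_t owner, mode_t mode, uid_t me)
{
    return (owner == 0 || owner == me) && (mode & 022) == 0;
}

/* Hypothetical relaxed rule: ownership is waived for files under the store,
   the write-bit test is kept (a choice made for this sketch). */
static bool store_aware_check(const char *resolved, uid_t owner, mode_t mode,
                              uid_t me)
{
    bool in_store = strncmp(resolved, STORE_DIRECTORY,
                            strlen(STORE_DIRECTORY)) == 0;
    return (mode & 022) == 0 && (owner == 0 || owner == me || in_store);
}

/* Usage: ./a.out "$(readlink -f ~/.ssh/config)"  (pass the resolved path) */
int main(int argc, char **argv)
{
    struct stat sb;
    if (argc != 2 || stat(argv[1], &sb) == -1) {
        fprintf(stderr, "usage: %s RESOLVED-CONFIG-PATH\n", argv[0]);
        return 2;
    }
    printf("owner uid %ld, mode %04o\n", (long)sb.st_uid,
           (unsigned)(sb.st_mode & 07777));
    printf("stock check:       %s\n",
           stock_check(sb.st_uid, sb.st_mode, getuid()) ? "ok" : "refused");
    printf("store-aware check: %s\n",
           store_aware_check(argv[1], sb.st_uid, sb.st_mode, getuid())
               ? "ok" : "refused");
    return 0;
}
```

With a rootless daemon the store item's owner is neither root nor the invoking user, so the stock check refuses it even though the file is read-only.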



[Message part 3 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Sergey Trofimov <sarg <at> sarg.org.ru>
Cc: 78067-done <at> debbugs.gnu.org, 77968-done <at> debbugs.gnu.org
Subject: Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by
 guix-daemon.
Date: Tue, 06 May 2025 00:22:29 +0200
Hi Sergey,

Sergey Trofimov <sarg <at> sarg.org.ru> writes:

> * gnu/packages/patches/openssh-trust-guix-store-directory.patch
> (openssh): Adjust to trust files in guix store owned by guix-daemon.
> * gnu/packages/ssh.scm (openssh): [phases]: Append ending slash when
> substituting STORE_DIRECTORY. Use default PRIVSEP_PATH (/var/empty).
>
> Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f

I adjusted the commit log to refer to the bug and committed it as
eab097c682ed31efd8668f46fce8de8f73b92849.

Thanks!

Ludo’.


This bug report was last modified 16 days ago.
