GNU bug report logs - #77968
[PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.


Package: guix-patches;

Reported by: Sergey Trofimov <sarg <at> sarg.org.ru>

Date: Mon, 21 Apr 2025 17:52:01 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Sergey Trofimov <sarg <at> sarg.org.ru>
Subject: bug#77968: closed (Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust
 store items owned by guix-daemon.)
Date: Mon, 05 May 2025 22:25:04 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 77968 <at> debbugs.gnu.org.

-- 
77968: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77968
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Sergey Trofimov <sarg <at> sarg.org.ru>
Cc: 78067-done <at> debbugs.gnu.org, 77968-done <at> debbugs.gnu.org
Subject: Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by
 guix-daemon.
Date: Tue, 06 May 2025 00:22:29 +0200
Hi Sergey,

Sergey Trofimov <sarg <at> sarg.org.ru> writes:

> * gnu/packages/patches/openssh-trust-guix-store-directory.patch
> (openssh): Adjust to trust files in guix store owned by guix-daemon.
> * gnu/packages/ssh.scm (openssh): [phases]: Append ending slash when
> substituting STORE_DIRECTORY. Use default PRIVSEP_PATH (/var/empty).
>
> Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f

I adjusted the commit log to refer to the bug and committed it as
eab097c682ed31efd8668f46fce8de8f73b92849.

Thanks!

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Sergey Trofimov <sarg <at> sarg.org.ru>
To: guix-patches <at> gnu.org
Cc: Sergey Trofimov <sarg <at> sarg.org.ru>
Subject: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
Date: Mon, 21 Apr 2025 19:51:18 +0200
After migration to rootless guix-daemon on Guix system, ssh started to refuse
operations with the error `Bad owner or permissions on /home/sarg/.ssh/config`.
The config is managed with `home-openssh-service-type` and is a symlink to
/gnu/store/...  The file was previously owned by root, which is treated specially
in the openssh source code.

As a solution, I suggest patching ssh to trust config files in /gnu/store/. As a
workaround, users can for now use `ssh -F ~/.ssh/config`, as this would skip
ownership checks.

Sergey Trofimov (1):
  gnu: openssh: Trust store items owned by guix-daemon.

 .../openssh-trust-guix-store-directory.patch  | 67 +++++++++++++------
 gnu/packages/ssh.scm                          |  2 +-
 2 files changed, 47 insertions(+), 22 deletions(-)


base-commit: 7a7eff34613c9b3357adf39813793f607c03629d
-- 
2.49.0




This bug report was last modified 16 days ago.
