From: bug#78067 <78067@debbugs.gnu.org>
To: bug#78067 <78067@debbugs.gnu.org>
Subject: Status: Conversion to unprivileged guix-daemon breaks ssh
Date: Sun, 22 Jun 2025 18:32:08 +0000

retitle 78067 Conversion to unprivileged guix-daemon breaks ssh
reassign 78067 guix
submitter 78067 "Zack Weinberg"
severity 78067 normal
thanks

From: "Zack Weinberg"
To: bug-guix@gnu.org
Date: Fri, 25 Apr 2025 16:34:45 -0400
Message-Id: <8d70405b-7f96-43a2-90de-8b5adde8873d@app.fastmail.com>
Subject: Conversion to unprivileged guix-daemon breaks ssh

I just switched my Guix System-based server over to unprivileged
guix-daemon, after which I was unable to ssh into it. From the client, the
syndrome looks like this (shell variables indicate redactions):

$ ssh $my_server
kex_exchange_identification: read: Connection reset by peer
Connection reset by $ip_address port 22

or with -v:

$ ssh -v $my_server
OpenSSH_9.9p2, OpenSSL 3.3.3 11 Feb 2025
debug1: Reading configuration data $HOME/.ssh/config
debug1: $HOME/.ssh/config line 31: Applying options for tinka
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to $my_server [$ip_address] port 22.
debug1: Connection established.
debug1: identity file $HOME/.ssh/$private_key type 0
[more lines about identity files omitted...]
debug1: Local version string SSH-2.0-OpenSSH_9.9
kex_exchange_identification: read: Connection reset by peer
Connection reset by $ip_address port 22

Fortunately, I can get into the server using a serial console, and the
problem is quite clear from server-side logs:

2025-04-25 20:27:40 localhost shepherd[1]: Accepted connection on 0.0.0.0:22 from $client_ip:51626.
2025-04-25 20:27:40 localhost shepherd[1]: Starting service sshd-69...
2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 has been started.
2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 started.
2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 running with value #< id: 234 command: ("/gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/sbin/sshd" "-D" "-f" "/gnu/store/vwy5d5mj35rh147iwzkzxijld0gx06mb-sshd_config" "-i")>.
2025-04-25 20:27:40 localhost sshd[234]: fatal: /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty must be owned by root and not group or world-writable.
2025-04-25 20:27:40 localhost shepherd[1]: 0 connections still in use after sshd-69 termination.
2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 (PID 234) exited with 255.
2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 has been disabled.
2025-04-25 20:27:40 localhost shepherd[1]: Transient service sshd-69 terminated, now unregistered.

# ls -l /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1
total 24
dr-xr-xr-x 2 guix-daemon guix-daemon 4096 Jan 1 1970 bin/
dr-xr-xr-x 2 guix-daemon guix-daemon 4096 Jan 1 1970 etc/
dr-xr-xr-x 2 guix-daemon guix-daemon 4096 Jan 1 1970 libexec/
dr-xr-xr-x 2 guix-daemon guix-daemon 4096 Jan 1 1970 sbin/
dr-xr-xr-x 4 guix-daemon guix-daemon 4096 Jan 1 1970 share/
dr-xr-xr-x 3 guix-daemon guix-daemon 4096 Jan 1 1970 var/
# ls -l /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var
total 4
dr-xr-xr-x 2 guix-daemon guix-daemon 4096 Jan 1 1970 empty/

`chown root:root /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty`
is sufficient to fix ssh, but I wonder if store contents in general should maybe remain
owned by root regardless of whether the daemon is running as an unprivileged user.
It seems likely to me that this will not be the only such problem.

zw

From: Ludovic Courtès
To: "Zack Weinberg"
Cc: 78067@debbugs.gnu.org
Subject: Re: bug#78067: Conversion to unprivileged guix-daemon breaks ssh
In-Reply-To: <8d70405b-7f96-43a2-90de-8b5adde8873d@app.fastmail.com>
Date: Mon, 05 May 2025 14:58:28 +0200
Message-ID: <871pt35i4r.fsf@gnu.org>

Hi Zack,

"Zack Weinberg" writes:

> I just switched my Guix System-based server over to unprivileged
> guix-daemon, after which I was unable to ssh into it. From the client,
> the syndrome looks like this (shell variables indicate redactions):

[...]

> 2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 running
> with value #< id: 234 command:
> ("/gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/sbin/sshd"
> "-D" "-f" "/gnu/store/vwy5d5mj35rh147iwzkzxijld0gx06mb-sshd_config"
> "-i")>.
> 2025-04-25 20:27:40 localhost sshd[234]: fatal:
> /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty
> must be owned by root and not group or world-writable.

D’oh. The fix here is to tell OpenSSH to use /var/empty instead. Do
you know how to do that via sshd_config?

> `chown root:root /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty`
> is sufficient to fix ssh, but I wonder if store contents in general should maybe remain
> owned by root regardless of whether the daemon is running as an unprivileged user.
> It seems likely to me that this will not be the only such problem.

You should never manually modify files in the store or change their
ownership. In the case above, the daemon will now be unable to delete
this store item when you run ‘guix gc’.

Thanks for the bug report,
Ludo’.

From: "Zack Weinberg"
To: Ludovic Courtès
Cc: 78067@debbugs.gnu.org
Date: Mon, 05 May 2025 11:59:54 -0400
In-Reply-To: <871pt35i4r.fsf@gnu.org>
Subject: Re: bug#78067: Conversion to unprivileged guix-daemon breaks ssh

On Mon, May 5, 2025, at 8:58 AM, Ludovic Courtès wrote:
>> 2025-04-25 20:27:40 localhost sshd[234]: fatal:
>> /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty
>> must be owned by root and not group or world-writable.
>
> D’oh. The fix here is to tell OpenSSH to use /var/empty instead. Do
> you know how to do that via sshd_config?

I don't see any way to do that in `man sshd_config`, but there is a
relevant AC_ARG_WITH option:

> PRIVSEP_PATH=/var/empty
> AC_ARG_WITH([privsep-path],
>   [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
>   [
>     if test -n "$withval" && test "x$withval" != "xno" && \
>        test "x${withval}" != "xyes"; then
>       PRIVSEP_PATH=$withval
>     fi
>   ]
> )
> AC_SUBST([PRIVSEP_PATH])

https://github.com/openssh/openssh-portable/blob/61525ba967ac1bb7394ea0792aa6030bcbbad049/configure.ac#L4984-L4994

... But maybe all we need to do is *remove* the 'reset-/var/empty stanza from here?

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n277

> You should never manually modify files in the store or change their
> ownership. In the case above, the daemon will now be unable to delete
> this store item when you run ‘guix gc’.

Good to know, thanks.

zw

From: Ludovic Courtès
To: Sergey Trofimov
Cc: 78067-done@debbugs.gnu.org, 77968-done@debbugs.gnu.org
Subject: Re: bug#77968: [PATCH 0/1] gnu: openssh: Trust store items owned by guix-daemon.
In-Reply-To: <832e1767fc8d3203c8804035c344df0f99d5716d.1745417565.git.sarg@sarg.org.ru>
Date: Tue, 06 May 2025 00:22:29 +0200
Message-ID: <87ecx23dga.fsf_-_@gnu.org>

Hi Sergey,

Sergey Trofimov writes:

> * gnu/packages/patches/openssh-trust-guix-store-directory.patch
> (openssh): Adjust to trust files in guix store owned by guix-daemon.
> * gnu/packages/ssh.scm (openssh): [phases]: Append ending slash when
> substituting STORE_DIRECTORY. Use default PRIVSEP_PATH (/var/empty).
>
> Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f

I adjusted the commit log to refer to the bug and committed it as
eab097c682ed31efd8668f46fce8de8f73b92849.

Thanks!

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 03 Jun 2025 11:24:39 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks