From: Yann Dupont
Date: Thu, 19 Jun 2025 09:43:04 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd

Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes sshd to now use /var/empty as a chroot directory. sshd expects /var/empty to belong to root and with reduced write permissions.

Unfortunately, when the nslcd service is also present on the system, it creates a user whose home directory is also /var/empty, which in this case belongs to the nslcd user.

In this case, sshd refuses to start.

I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct, and that nslcd should be changed to create /var/empty with the directory property set to root. But I don't know if there are any side effects to worry about with nslcd?

(I think the relevant code is in: services/authentication.scm), in

    (define %nslcd-accounts)
    ...
    (home-directory "/var/empty")

From: Sergey Trofimov
Date: Thu, 19 Jun 2025 10:56:28 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd

Hi Yann,

Yann Dupont writes:

> Hi everyone, the patch eab097c682ed31efd8668f46fce8de8f73b92849 causes sshd to now use /var/empty as a chroot directory.
> sshd expects /var/empty to belong to root and with reduced write permissions.
>
> Unfortunately, when the nslcd service is also present on the system, it creates a user whose home directory is also /var/empty, which
> in this case belongs to the nslcd user.
>
> In this case, sshd refuses to start.
>
> I think the patch eab097c682ed31efd8668f46fce8de8f73b92849 is correct, and that nslcd should be changed to create /var/empty
> with the directory property set to root. But I don't know if there are any side effects to worry about with nslcd?
>
> (I think the relevant code is in: services/authentication.scm), in (define %nslcd-accounts)
>
> ...
>
> (home-directory "/var/empty")

Check activate-users+groups in (gnu build activation). It should've adjusted
directory permissions and ownership on /var/empty.

There are many more accounts having /var/empty as the home dir (e.g.
guixbuilder, guix-daemon accounts). Looks quite suspicious that in your case
the dir belongs to nslcd.

Could you try to reconfigure the system and see if the permissions get fixed?

From: Sergey Trofimov
Date: Thu, 19 Jun 2025 13:19:42 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd

Hi

Yann Dupont writes:

> I don't know if this is relevant information, but we encounter this problem on disposable virtual machines, freshly generated by guix
> system image for one-time use, we don't reconfigure on these machines. Maybe this function is not called in this specific case?
>
> I'll see if a reconfigure changes things, but it's going to take some time, as our templates are a bit complex and divided into
> several files that can't be found in /running/current-system/configuration.scm.

You could simply run /run/current-system/activate and check if it fixes permissions.

From: Yann Dupont
Date: Fri, 20 Jun 2025 15:17:08 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd

On 19/06/2025 13:19, Sergey Trofimov wrote:
> Hi
>
> Yann Dupont writes:
>
>> I don't know if this is relevant information, but we encounter this problem on disposable virtual machines, freshly generated by guix
>> system image for one-time use, we don't reconfigure on these machines. Maybe this function is not called in this specific case?
>>
>> I'll see if a reconfigure changes things, but it's going to take some time, as our templates are a bit complex and divided into
>> several files that can't be found in /running/current-system/configuration.scm.
> You could simply run /run/current-system/activate and check if it fixes permissions.

Hi Sergey, launching /run/current-system/activate does not change the directory
property.

However, I'm afraid this could be a problem on our side. By simplifying a vm
definition as much as possible to be able to reproduce, the nslcd service
creates /var/empty with root as owner... so something unexpected is happening on
our side. I'll look into it.

Thanks for your help,

-- 
Yann Dupont - GLiCID / HPC Pays de la Loire
Tel : 02.53.48.49.39 - Yann.Dupont@univ-nantes.fr

From: Sergey Trofimov
Date: Fri, 20 Jun 2025 17:57:55 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd

Hi Yann,

Yann Dupont writes:

> On 19/06/2025 13:19, Sergey Trofimov wrote:
>> Hi
>>
>> Yann Dupont writes:
>>
>>> I don't know if this is relevant information, but we encounter this problem on disposable virtual machines, freshly generated by guix
>>> system image for one-time use, we don't reconfigure on these machines. Maybe this function is not called in this specific case?
>>>
>>> I'll see if a reconfigure changes things, but it's going to take some time, as our templates are a bit complex and divided into
>>> several files that can't be found in /running/current-system/configuration.scm.
>> You could simply run /run/current-system/activate and check if it fixes permissions.
> Hi Sergey, launching /run/current-system/activate does not change the directory
> property.
>
> However, I'm afraid this could be a problem on our side. By simplifying a vm
> definition as much as possible to be able to reproduce, the nslcd service
> creates /var/empty with root as owner... so something unexpected is happening on
> our side. I'll look into it.
>
> Thanks for your help,

If the OS is stripped to the bare minimum, I assume that it doesn't have
all the system users usually present in Guix system (daemon and
builders). It could happen that nslcd is the only user with the home dir
set to /var/empty (check /etc/passwd). In that case
activate-users+groups won't be changing the permissions because it only
does that on directories that are shared between multiple accounts.

From: Yann Dupont
Date: Fri, 20 Jun 2025 18:08:12 +0200
Subject: bug#78836: /var/empty permissions problems between sshd and nslcd


On 20/06/2025 17:57, Sergey Trofimov wrote:
> If the OS is stripped to the bare minimum, I assume that it doesn't have
> all the system users usually present in Guix system (daemon and
> builders). It could happen that nslcd is the only user with the home dir
> set to /var/empty (check /etc/passwd). In that case
> activate-users+groups won't be changing the permissions because it only
> does that on directories that are shared between multiple accounts.

Yes, I was debugging this afternoon and just came to the same conclusion:

The culprit is this line:

    (modify-services %base-services (delete guix-service-type))

We delete it because our store is shared and GUIX_DAEMON_SOCKET is set.

I think we can close this bug report, as I imagine there can't be many of us with this problem.

Thanks a lot for the explanation,
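
The diagnosis this thread converges on, as an added shell example (not code from Guix, OpenSSH or the thread's participants): it applies sshd's start-up rule for /var/empty (owned by uid 0, not group- or world-writable) and reports whether only one account uses the directory as its home, the case in which, per the explanation in the thread, activate-users+groups leaves ownership alone. Function names and the passwd entries are constructed for illustration; `check_live` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: not code from Guix, OpenSSH or the thread's participants.
# Function names and the passwd entries below are constructed.

# Constructed passwd data: a system where several accounts share
# /var/empty, and a stripped system where only nslcd uses it.
SAMPLE_FULL='root:x:0:0:System administrator:/root:/bin/sh
guixbuilder01:x:999:998:Guix build user 01:/var/empty:/sbin/nologin
nslcd:x:994:994:nslcd name lookup daemon:/var/empty:/sbin/nologin'
SAMPLE_STRIPPED='root:x:0:0:System administrator:/root:/bin/sh
nslcd:x:994:994:nslcd name lookup daemon:/var/empty:/sbin/nologin'

# Print the login names in the passwd-format stream on stdin whose home
# directory (field 6) is exactly $1.
accounts_with_home() {
    awk -F: -v dir="$1" '$6 == dir { print $1 }'
}

# sshd's start-up rule for its chroot directory: owned by uid 0 and
# neither group- nor world-writable.  $1 = owner uid, $2 = octal mode.
privsep_dir_ok() {
    [ "$1" -eq 0 ] && [ $(( 0$2 & 022 )) -eq 0 ]
}

# Classify directory $1 given its owner uid ($2), octal mode ($3) and a
# passwd stream on stdin.  Prints one of:
#   ok                sshd's rule is satisfied
#   sole-home:<user>  rule violated and exactly one account has this home,
#                     the situation described at the end of the thread
#   shared-home       rule violated although several accounts share it
#   no-account        rule violated and no account uses it as home
classify_dir() {
    dir=$1 uid=$2 mode=$3
    users=$(accounts_with_home "$dir")
    if privsep_dir_ok "$uid" "$mode"; then
        echo ok
        return 0
    fi
    set -- $users            # login names contain no whitespace
    case $# in
        0) echo no-account ;;
        1) echo "sole-home:$1" ;;
        *) echo shared-home ;;
    esac
}

# Live variant: read owner and mode from the file system and accounts
# from /etc/passwd.  Returns 2 if the directory cannot be examined.
check_live() {
    meta=$(stat -c '%u %a' "$1") || return 2
    classify_dir "$1" "${meta% *}" "${meta#* }" < /etc/passwd
}

if [ $# -gt 0 ]; then
    # e.g. sh thisfile /var/empty   (on the affected machine)
    check_live "$1"
else
    # Demonstration on the constructed data above.
    printf 'shared, root-owned 555  -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_FULL" | classify_dir /var/empty 0 555)"
    printf 'stripped, uid 994, 755  -> %s\n' \
        "$(printf '%s\n' "$SAMPLE_STRIPPED" | classify_dir /var/empty 994 755)"
fi
```

A `sole-home:nslcd` result on an image built without guix-service-type matches the failure reported here.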