guix-patches

[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store


From: Ludovic Courtès
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Wed, 20 Apr 2022 11:56:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Alexey Abramov <levenson@mmer.org> skribis:

> This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
> and similar options. According to the sshd_config(5):
>
>> The program must be owned by root, not writable by group or others, and
>> specified by an absolute path.

That’s the case with programs in /gnu/store.  Why isn’t it working?

> However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
> check if the location is mounted or ended up on the RO mount point.
>
> I think implementing a check for RO location is much harder here, rather
> than to trust /gnu/store path. The same way OpenSSH does with users' home
> directory.

(RO = read-only, right?)

I’m not sure why checking whether a file is read-only is much harder.
Am I overlooking something?

Thanks,
Ludo’.
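
The rule quoted from sshd_config(5) above, as a path audit a defender can run before pointing AuthorizedKeysCommand at a program. This is an added example, not code from the thread or from OpenSSH or Guix. The optional walk over parent directories, the helper names, the store item name and the sample owners and modes are all assumptions made for illustration.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the sample below runs without a real store.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def audit_command_path(path, stat_fn=os.stat, check_parents=True):
    """Return findings for `path`; an empty list means every check passed."""
    if not os.path.isabs(path):
        return [f"{path}: not an absolute path"]
    findings = []
    current = os.path.normpath(path)
    while True:
        st = stat_fn(current)
        if st.st_uid != 0:
            findings.append(f"{current}: owned by uid {st.st_uid}, not root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{current}: writable by group or others ({mode:04o})")
        parent = os.path.dirname(current)
        # Walking up to "/" is this example's assumption, not the quoted rule.
        if not check_parents or parent == current:
            return findings
        current = parent

# Constructed sample: the item name, uids and modes are illustrative only.
ITEM = "/gnu/store/EXAMPLE-keys-command"
SAMPLE = {
    "/": FakeStat(0, stat.S_IFDIR | 0o755),
    "/gnu": FakeStat(0, stat.S_IFDIR | 0o755),
    "/gnu/store": FakeStat(0, stat.S_IFDIR | 0o1775),  # group-writable directory
    ITEM: FakeStat(0, stat.S_IFDIR | 0o555),
    ITEM + "/bin": FakeStat(0, stat.S_IFDIR | 0o555),
    ITEM + "/bin/keys": FakeStat(0, stat.S_IFREG | 0o555),
}

if __name__ == "__main__":
    for parents in (False, True):
        result = audit_command_path(ITEM + "/bin/keys", SAMPLE.__getitem__, parents)
        print(f"check_parents={parents}:", result or "ok")
```

Called with the default `stat_fn`, the function reads real ownership and mode bits, so it can be pointed at an actual program path on the host being configured.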
