guix-patches
[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store


From: Tobias Geerinckx-Rice
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Wed, 20 Apr 2022 10:17:16 +0000

On 20 April 2022 08:47:24 UTC, Alexey Abramov via Guix-patches via 
<guix-patches@gnu.org> wrote:
>This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
>and similar options. According to the sshd_config(5):
>
>> The program must be owned by root, not writable by group or others, and
>> specified by an absolute path.
>
>However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
>check if the location mounted or ended up on the RO mount point.

The RO bind mount is not a hard guarantee, and a footgun protector against 
accidental writes, not primarily a security feature (IMO).

By design, *anyone* can write *anything* to the store by talking to the daemon.
They just can't choose the file name.  A much weaker guarantee than OpenSSH
assumes, at the very least.

With that in mind, could this highly intrusive patch be used to compromise a 
system?  It seems so very likely.  If it is, Guix will be rightly derided for 
what amounts to ifdeffing out the securities, even if OpenBSD's can be 
frustratingly theatrical at times.

>I think implementing a check for RO location is much harder here

Why is 'RO location' relevant here?

If the snippet you quote above is complete, which requirement does the 
un-bind-mounted store not meet?  I can't think of one off the top o' me head?

> , rather
>than to trust /gnu/store path.

That's a lot of trust.  Tens of gigabytes on average.

We explicitly rejected that idea in IceCat for example, instead whitelisting 
only specific store subdirectories.  Why is OpenSSH different?

> The same way OpenSSH does with users' home
>directory.
>
>Let me know what you think.

The rationale and its assumptions (also) belong in the patch itself, not just a 
separate mail.

Hi Alexey,

Thanks for the patch suggestion!

Kind regards,

T G-R

Sent on the go.  Excuse or enjoy my brevity.
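The three requirements quoted from sshd_config(5) above (owned by root, not writable by group or others, absolute path) are plain stat() checks, so they can be tried against any path, a /gnu/store object included. The script below is an added illustration written for this page, not OpenSSH's code and not part of the Guix patch under discussion; it mirrors the quoted rules and nothing more. The `required_uid` parameter, the constructed temporary script and the `demo()` scenario are assumptions of the example (an unprivileged run cannot create root-owned files, so the demo checks against the current uid). Note that a read-only bind mount is invisible to these checks: stat() reports owner and mode bits, not whether the mount is writable, which is the point made about the RO mount above.

```python
"""Mirror of the AuthorizedKeysCommand path requirements quoted from
sshd_config(5): owned by root, not group/other writable, absolute path.
Added example, not OpenSSH's own implementation."""
import os
import stat
import tempfile

# The 022 bits: write permission for group or others.
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def check_command_path(path, required_uid=0):
    """Return (ok, reason) for PATH against the quoted requirements.

    required_uid defaults to 0 (root), as sshd_config(5) demands; the demo
    passes the current uid because an unprivileged process cannot create
    root-owned files (assumption of this example)."""
    if not os.path.isabs(path):
        return False, "not an absolute path"
    try:
        st = os.stat(path)
    except OSError as exc:
        return False, f"cannot stat: {exc.strerror}"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != required_uid:
        return False, f"owned by uid {st.st_uid}, expected {required_uid}"
    if st.st_mode & GROUP_OR_OTHER_WRITE:
        mode = stat.S_IMODE(st.st_mode)
        return False, f"group/other writable (mode {mode:04o})"
    # Nothing here inspects the mount: a read-only bind mount neither helps
    # nor hurts this check, only owner and mode bits are consulted.
    return True, "ok"


def demo():
    """Constructed scenario (not from the thread): a helper script that
    passes, the same script after chmod g+w, and the same script given by
    a relative path. Returns the three ok flags."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "keys-cmd")
        with open(script, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        me = os.getuid()

        os.chmod(script, 0o555)                 # root-style read/exec only
        ok_strict = check_command_path(script, required_uid=me)[0]

        os.chmod(script, 0o575)                 # now group writable
        ok_groupw = check_command_path(script, required_uid=me)[0]

        os.chmod(script, 0o555)
        rel = os.path.relpath(script)           # absolute-path rule
        ok_rel = check_command_path(rel, required_uid=me)[0]

        return ok_strict, ok_groupw, ok_rel


if __name__ == "__main__":
    print(demo())
    # To try a real store object: check_command_path("/gnu/store/...-foo/bin/x")
```

Run it as root against a real /gnu/store path to see which, if any, of the quoted requirements an un-bind-mounted store object fails; the check says nothing about who was able to place the file there, which is the separate concern raised about the daemon above.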