Re: How to put a file in /gnu/store and set its permissions

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to put a file in /gnu/store and set its permissions

From:	Gary Johnson
Subject:	Re: How to put a file in /gnu/store and set its permissions
Date:	Wed, 08 Dec 2021 11:26:21 -0500

> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.

> On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <lambdatronic@disroot.org> wrote:
>
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
>
> ```
> (use-modules
>  ((gnu services)         #:select (simple-service etc-service-type))
>  ((gnu services desktop) #:select (%desktop-services))
>  ((gnu system)           #:select (operating-system))
>  ((guix gexp)            #:select (local-file)))
>
> (define guixrig_host_rsa_key
>   (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
>
> (operating-system
>  ...
>  (services (cons* (simple-service 'my-secret-service etc-service-type
>                                   `(("ssh/guixrig_host_rsa_key" 
> ,guixrig_host_rsa_key)))
>                   %desktop-services)))
> ```
>
> Have fun and happy hacking!
>   ~Gary

> Nathan Dehnel <ncdehnel@gmail.com> writes:
>
> Thanks. Though that code causes "guix system: error: symlink: File
> exists: "/etc/ssh"" when I use it, and by the looks of it, would still
> be putting the key in the store, which is insecure.

Bummer. It works as expected when I run that code on my system with:

```
sudo guix system reconfigure config.scm
```

Maybe you manually created /etc/ssh already, which could be causing the
error on your end? Either way, your file does end up in the store and is
owned by root:root with permissions 444.

I'm not aware of a way to add files to /etc or any other guix-managed
directory without placing a copy in the store. However, once your file
lands in /etc/ssh/guixrig_host_rsa_key, isn't it owned by root:root and
readable as well?

Perhaps one of the other Guix wizards on this mailing list would have
some ideas on how to control the permissions on these auto-generated
files.

Good luck,
  Gary

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

[Prev in Thread]

Current Thread

[Next in Thread]

How to put a file in /gnu/store and set its permissions, Nathan Dehnel, 2021/12/04
- Re: How to put a file in /gnu/store and set its permissions, Leo Famulari, 2021/12/05
  - Re: How to put a file in /gnu/store and set its permissions, Nathan Dehnel, 2021/12/05
    - Re: How to put a file in /gnu/store and set its permissions, Gary Johnson, 2021/12/05
    - Re: How to put a file in /gnu/store and set its permissions, Nathan Dehnel, 2021/12/07
    - Re: How to put a file in /gnu/store and set its permissions, Arun Isaac, 2021/12/08
    - Re: How to put a file in /gnu/store and set its permissions, Gary Johnson <=

Prev by Date: Run .deb or .rpm packages
Next by Date: Re: Run .deb or .rpm packages
Previous by thread: Re: How to put a file in /gnu/store and set its permissions
Next by thread: cache for guix build
Index(es):
- Date
- Thread