home-openssh-service-type creates .ssh/config with wrong permissions

Status: Done
Participants: Elias Kueny, Ludovic Courtès
Owner: unassigned
Submitted by: Elias Kueny
Severity: important
Elias Kueny wrote on 14 Aug 2022 11:04
(address . bug-guix@gnu.org)
877d3ais5w.fsf@posteo.net
Hello,

I'm trying to use home-openssh-service-type. I'm testing the configuration by running
guix home container home-configuration.scm

The files are created with too open permissions, so ssh refuses to run:

$ ssh xxx
Bad owner or permissions on ~/.ssh/config

$ ls -l .ssh
lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

And the file system being read-only, a manual chmod is not possible.


$ guix describe
guix 9e46320
branch: master
commit: 9e4632081ff31bf0d1715edd66f514614c6dc4bb

Best,
Elias
Ludovic Courtès wrote on 31 Aug 2022 03:51
control message for bug #57217
(address . control@debbugs.gnu.org)
87mtbkbs92.fsf@gnu.org
severity 57217 important
quit
Ludovic Courtès wrote on 23 Sep 2022 00:13
Re: bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
(name . Elias Kueny)(address . elias.kueny@posteo.net)(address . 57217@debbugs.gnu.org)
8735ciftqs.fsf@gnu.org
Hi Elias,

Elias Kueny <elias.kueny@posteo.net> wrote:

> The files are created with too open permissions, so ssh refuses to run:
>
> $ ssh xxx
> Bad owner or permissions on ~/.ssh/config
>
> $ ls -l .ssh
> lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
> lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf

The relevant check in OpenSSH is this:

    if (fstat(fileno(f), &sb) == -1)
        fatal("fstat %s: %s", filename, strerror(errno));
    if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
        (sb.st_mode & 022) != 0))
        fatal("Bad owner or permissions on %s", filename);

That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:

$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.
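The following is an added example, not OpenSSH's code and not part of this thread. It re-implements the ownership-and-mode predicate quoted above as a pure function and runs it over constructed stat values that mirror the two situations described: the root-owned store file seen outside the container (accepted) and the file owned by uid 65534 seen inside the container (rejected), plus user-owned variants with and without group-write bits. The caller uid 1000 and the case labels are assumptions for illustration; nothing here reads a real ~/.ssh unless a path is passed on the command line.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same predicate OpenSSH applies to the user config file: accept only if
 * the file is owned by root or by the invoking user, and neither the
 * group nor the world write bit is set. Written as a pure function over
 * the stat fields so it can be exercised without touching the filesystem. */
int ssh_config_perms_ok(uid_t st_uid, mode_t st_mode, uid_t self)
{
    if (st_uid != 0 && st_uid != self)
        return 0;                 /* bad owner */
    if ((st_mode & 022) != 0)
        return 0;                 /* group- or world-writable */
    return 1;
}

/* Apply the predicate to a real path. stat() follows symlinks, just as
 * fstat() on the opened file does, so a ~/.ssh/config symlink into the
 * store is judged by the store file's owner and mode, not the link's.
 * Returns 1 if ssh would accept it, 0 if it would refuse, -1 on error. */
int check_ssh_config_path(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) == -1)
        return -1;
    return ssh_config_perms_ok(sb.st_uid, sb.st_mode, getuid());
}

/* Constructed cases (not real files): caller uid 1000 is an assumption;
 * 65534 is the "overflow" owner shown for the store file inside the
 * guix home container. */
struct perm_case {
    const char *label;
    uid_t uid;
    mode_t mode;
    int expected;
};

static const struct perm_case cases[] = {
    { "root-owned store file, 0444 (outside container)",    0,     0444, 1 },
    { "overflow-owned store file, 0444 (inside container)", 65534, 0444, 0 },
    { "user-owned config, 0600",                            1000,  0600, 1 },
    { "user-owned config, 0644",                            1000,  0644, 1 },
    { "user-owned config, 0664 (group-writable)",           1000,  0664, 0 },
};

/* Runs every constructed case as uid 1000; returns the number of cases
 * whose outcome differs from the expectation (0 = all as described). */
int run_cases(void)
{
    int mismatches = 0;
    size_t n = sizeof cases / sizeof cases[0];
    for (size_t i = 0; i < n; i++) {
        int got = ssh_config_perms_ok(cases[i].uid, cases[i].mode, 1000);
        printf("%-52s uid=%-5u mode=%04o -> %s\n", cases[i].label,
               (unsigned)cases[i].uid, (unsigned)cases[i].mode,
               got ? "accepted" : "Bad owner or permissions");
        if (got != cases[i].expected)
            mismatches++;
    }
    return mismatches;
}

int main(int argc, char **argv)
{
    /* With a path argument, judge that file the way ssh would. */
    if (argc > 1) {
        int r = check_ssh_config_path(argv[1]);
        if (r < 0) {
            perror(argv[1]);
            return 2;
        }
        printf("%s: %s\n", argv[1], r ? "accepted" : "Bad owner or permissions");
        return r ? 0 : 1;
    }
    return run_cases() == 0 ? 0 : 1;
}
```

Run without arguments it prints the constructed table; run as `./a.out ~/.ssh/config` it follows the symlink and reports what ssh would decide for the store file behind it, which is the quickest way to tell an owner problem (uid mapping in the container) from a mode problem (a writable bit) before reaching for chmod.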
Ludovic Courtès wrote on 23 Sep 2022 13:15
(name . Elias Kueny)(address . elias.kueny@posteo.net)(address . 57217@debbugs.gnu.org)
87pmfletjf.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> wrote:

> To address the issue at hand, we would need to map UID 0 of the host as
> UID 0 of the guest, but I’m not sure this can be done.

I believe it cannot be done: we can only map a single UID (at least
unless/until we use subordinate UIDs.)

Back to the original problem: it only affects ‘guix home container’; so
while this is annoying, it’s not a showstopper. WDYT?

Ludo’.
Ludovic Courtès wrote on 7 Oct 2022 01:32
control message for bug #57217
(address . control@debbugs.gnu.org)
87wn9cdofs.fsf@gnu.org
tags 57217 notabug
close 57217
quit
This issue is archived.