GNU bug report logs

#65832 [PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.

Package	Source(s)		Maintainer(s)
guix		PTS Buildd Popcon

Reported by Janneke Nieuwenhuizen <janneke@gnu.org>
Date 2023-09-08T20:50:01
Severity important
Tags patch security
Done Janneke Nieuwenhuizen <janneke@gnu.org>
Bug is Archived

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#65832; Package guix. (Fri, 08 Sep 2023 20:50:01 GMT) (full text, mbox, link).

Acknowledgement sent to Janneke Nieuwenhuizen <janneke@gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 08 Sep 2023 20:50:01 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Title says it all...

So, i've started using direnv with envrc.el, really great!

...which meant that on top op `guix shell' pestering me with its
shell-authorized-directories, I had to also type `direnv allow' all day.

Anyway, I found that direnv has a whitelist, prefix even; so I looked
into what guix shell might have and found that using

--8<---------------cut here---------------start------------->8---
echo '-allow-all- > ~/.config/guix/shell-authorized-directories
--8<---------------cut here---------------end--------------->8---

acts like an undocumented whitelist prefix for /.

Find a fix attached.

Greetings,
Janneke

[0001-guix-shell-Don-t-whitelist-by-typo-in-shell-authoriz.patch (text/x-patch, inline)]

From 5b7af1342f4f0d91df9de960877889d40b8c5d64 Mon Sep 17 00:00:00 2001
Message-ID: <5b7af1342f4f0d91df9de960877889d40b8c5d64.1694206063.git.janneke@gnu.org>
From: Janneke Nieuwenhuizen <janneke@gnu.org>
Date: Wed, 6 Sep 2023 10:52:17 +0200
Subject: [PATCH] guix: shell: Don't whitelist / by typo in
 `shell-authorized-directories'.

Fixes <https://issues.guix.gnu.org/...>

* guix/scripts/shell.scm (authorized-shell-directory?): After warning,
continue LOOP to return valid query result for DIRECTORY.
---
 guix/scripts/shell.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/guix/scripts/shell.scm b/guix/scripts/shell.scm
index d67152cef7..83888eee1d 100644
--- a/guix/scripts/shell.scm
+++ b/guix/scripts/shell.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2021-2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -232,7 +233,8 @@ (define (authorized-shell-directory? directory)
                                            (port-line port)
                                            (port-column port))))
                         (warning loc (G_ "ignoring invalid file name: '~a'~%")
-                                 line))))))))))
+                                 line)
+                        (loop))))))))))
     (const #f)))
 
 (define (options-with-caching opts)

base-commit: 4dd33fc62899134606f36f92594cf160b972f685
-- 
2.41.0

[Message part 3 (text/plain, inline)]

-- 
Janneke Nieuwenhuizen <janneke@gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com

Reply sent to Janneke Nieuwenhuizen <janneke@gnu.org>:
You have taken responsibility. (Fri, 08 Sep 2023 20:56:02 GMT) (full text, mbox, link).

Notification sent to Janneke Nieuwenhuizen <janneke@gnu.org>:
bug acknowledged by developer. (Fri, 08 Sep 2023 20:56:02 GMT) (full text, mbox, link).

Message #10 received at 65832-done@debbugs.gnu.org (full text, mbox, reply):

Janneke Nieuwenhuizen writes:

Hi!

> Title says it all...

[..]

After discussing with the security team, pushed to master as

    1ef4974be94d75d935d98399dcda44199a1fca47

Greetings,
Janneke

-- 
Janneke Nieuwenhuizen <janneke@gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com

Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 11 Sep 2023 15:50:02 GMT) (full text, mbox, link).

Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 11 Sep 2023 15:50:02 GMT) (full text, mbox, link).

Information forwarded to bug-guix@gnu.org:
bug#65832; Package guix. (Mon, 11 Sep 2023 15:51:02 GMT) (full text, mbox, link).

Message #17 received at 65832@debbugs.gnu.org (full text, mbox, reply):

Hi,

Janneke Nieuwenhuizen <janneke@gnu.org> skribis:

> From: Janneke Nieuwenhuizen <janneke@gnu.org>
> Date: Wed, 6 Sep 2023 10:52:17 +0200
> Subject: [PATCH] guix: shell: Don't whitelist / by typo in
>  `shell-authorized-directories'.
>
> Fixes <https://issues.guix.gnu.org/...>
>
> * guix/scripts/shell.scm (authorized-shell-directory?): After warning,
> continue LOOP to return valid query result for DIRECTORY.

Thanks a lot for finding, reporting, and fixing this issue!

Ludo’.

bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 10 Oct 2023 11:24:08 GMT) (full text, mbox, link).

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:07:30 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.