bug-guix

bug#53752: guix home symlink permissions


From: Zacchaeus Scheffer
Subject: bug#53752: guix home symlink permissions
Date: Mon, 7 Feb 2022 14:47:57 -0500

> I finally migrated my home configuration to guix home.  However, it
> seems guix home creates all symlinks with 777 permissions.  This causes
> problems with openssh as it will not recognize my
> ~/.ssh/authorized_keys.  It seems the directories have reasonable
> permissions (maybe because they already existed?), but it seems like
> someone could in theory edit the symlinks in-place (though I wasn't
> able to figure that out).
Instead of using symlinks for ~/.ssh/authorized_keys, you could try to
write a home-activation-service, which

1. creates ~/.ssh with chmod 700
1a. if it already existed, enforces chmod 700 anyways
2. creates authorized_keys with chmod 600 if it doesn't exist
3. writes the authorized keys.
 
I'll try that soon (next 1-3 days), and hopefully then we can close this issue.

I was able to create the desired effect with the following service definition:
(simple-service
 'my-activation-service
 home-activation-service-type
 (gexp
  (begin
    (chdir (ungexp user-home))
    (if (not (file-exists? ".ssh"))
        (mkdir ".ssh"))
    (chmod ".ssh" #o700)
    (chdir ".ssh")
    (let ((port (open-output-file "authorized_keys")))
      (display (ungexp authorized-keys) port)
      (close-port port))
    (chmod "authorized_keys" #o600)
    (chdir ".."))))
where 'user-home and 'authorized-keys are appropriate strings defined earlier in the file.

I believe that resolves the issue,
Zacchaeus Scheffer
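
A check for the end state described in the message above, as an added example that is not part of the original message or of Guix: it verifies that ~/.ssh is a real directory with mode 700 and that authorized_keys is a regular file, not a symlink, with mode 600. The function names check_ssh_perms and mode_of are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): audit the result of the
# activation steps. check_ssh_perms and mode_of are hypothetical names.
# Usage: check_ssh_perms "$HOME"

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if HOME_DIR/.ssh is a real directory with mode 700 and
# HOME_DIR/.ssh/authorized_keys is a regular, non-symlink file with mode 600.
check_ssh_perms() {
    home=$1
    dir=$home/.ssh
    keys=$dir/authorized_keys
    rc=0

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or is a symlink"
        return 1
    fi
    m=$(mode_of "$dir")
    if [ "$m" != 700 ]; then
        echo "FAIL: $dir has mode $m, expected 700"
        rc=1
    fi

    if [ -L "$keys" ]; then
        # The situation from the original report: a symlink instead of a file.
        echo "FAIL: $keys is a symlink to $(readlink "$keys")"
        rc=1
    elif [ ! -f "$keys" ]; then
        echo "FAIL: $keys is missing or not a regular file"
        rc=1
    else
        m=$(mode_of "$keys")
        if [ "$m" != 600 ]; then
            echo "FAIL: $keys has mode $m, expected 600"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir and $keys match the intended modes"
    return "$rc"
}
```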
