[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
From: Ludovic Courtès
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Wed, 20 Apr 2022 11:56:49 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Alexey Abramov <levenson@mmer.org> writes:

> This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
> and similar options. According to the sshd_config(5):
>
>> The program must be owned by root, not writable by group or others, and
>> specified by an absolute path.

That’s the case with programs in /gnu/store. Why isn’t it working?

> However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
> check if the location is mounted or ended up on the RO mount point.
>
> I think implementing a check for RO location is much harder here, rather
> than to trust /gnu/store path. The same way OpenSSH does with users' home
> directory.

(RO = read-only, right?)

I’m not sure why checking whether a file is read-only is much harder.
Am I overlooking something?

Thanks,
Ludo’.
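
The following is an added example, not part of the original message and not OpenSSH's or Guix's code: a simplified Python model of the rule quoted from sshd_config(5) (absolute path, trusted owner, not writable by group or others). It assumes the same rule is applied to every parent directory, and the hypothetical `stop_dir` parameter models trusting a prefix, as the thread discusses for home directories and /gnu/store. The function names and the temporary directory tree are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def check_trusted_path(path, trusted_uids=(0,), stop_dir=None):
    """Return (ok, reason) for a helper program path (hypothetical helper)."""
    if not os.path.isabs(path):
        return False, f"{path}: not an absolute path"
    current = os.path.realpath(path)
    stop = os.path.realpath(stop_dir) if stop_dir else None
    while True:
        try:
            st = os.stat(current)
        except OSError as exc:
            return False, f"{current}: {exc.strerror}"
        if st.st_uid not in trusted_uids:
            return False, f"{current}: owner uid {st.st_uid} is not trusted"
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False, f"{current}: writable by group or others"
        # Stop once the trusted prefix or the filesystem root has been checked.
        if current == stop or current == os.path.dirname(current):
            return True, "ok"
        current = os.path.dirname(current)


def demo():
    """Build a constructed tree and check it with two modes on the parent."""
    base = os.path.realpath(tempfile.mkdtemp())  # created with mode 0700
    try:
        store = os.path.join(base, "store")      # constructed sample directory
        os.mkdir(store)
        helper = os.path.join(store, "keys-helper")
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(helper, 0o555)
        me = (os.getuid(),)  # stand-in for root so the demo runs unprivileged
        os.chmod(store, 0o755)
        strict = check_trusted_path(helper, me, stop_dir=base)
        os.chmod(store, 0o1775)  # group-writable parent, sticky bit set
        loose = check_trusted_path(helper, me, stop_dir=base)
        return strict, loose
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In this model the helper file itself passes in both runs; only the mode of its parent directory changes the result.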