[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store


From: Alexey Abramov
Subject: [bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
Date: Fri, 22 Apr 2022 08:44:56 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Hi Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Alexey Abramov <levenson@mmer.org> skribis:
>
>> This patch allows users to use /gnu/store objects for AuthorizedKeysCommand
>> and similar options. According to the sshd_config(5):
>>
>>> The program must be owned by root, not writable by group or others, and
>>> specified by an absolute path.
>
> That’s the case with programs in /gnu/store.  Why isn’t it working?

The reason is that safe_path in openssh takes the full path of the file
and checks every directory one by one. The constraint fails on the
/gnu/store directory due to group write permissions.

openssh reports the following message:

Unsafe AuthorizedKeysCommand "/gnu/store/xxxx-echo-sshkey.sh": bad
ownership or modes for directory /gnu/store.

>> However, this is not the case for Guix, even though it is RO. OpenSSH doesn't
>> check if the location is mounted or ended up on a RO mount point.
>>
>> I think implementing a check for a RO location is much harder here than
>> trusting the /gnu/store path, the same way OpenSSH does with users' home
>> directories.
>
> (RO = read-only, right?)

Yes. 

> I’m not sure why checking whether a file is read-only is much harder.
> Am I overlooking something?

As I mentioned before, the check does not just check the file path itself,
but also follows down to the root and checks every single directory for
the constraint. I dunno, I was thinking about an extra check against mount
locations, and in case it has read-only mount options along the way, I
could trust the executable. It also implies cross-compilation...

Maybe I overthink the thing? Maybe it is me who is overlooking something?

-- 
Alexey
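A small Python simulation of the directory walk discussed in this message, added here as an illustration; it is not part of the patch and not OpenSSH's own code. It mirrors the logic of sshd's safe_path() (stat the file, then each parent directory up to "/", rejecting any entry that is writable by group or others or owned by neither root nor the target user) over a constructed in-memory table of owners and modes, and adds an assumed `trusted_dirs` parameter to show the effect of the proposal to stop the walk at /gnu/store the way sshd already stops at the user's home directory. The 1775 mode on /gnu/store, the user ids and the file names are constructed sample values.

```python
import posixpath
import stat

# Constructed sample filesystem: absolute path -> (owner uid, st_mode).
# Modelled loosely on a Guix system, where /gnu/store is root-owned but
# group-writable for the build users; the script name is a placeholder.
SAMPLE_FS = {
    "/": (0, stat.S_IFDIR | 0o755),
    "/gnu": (0, stat.S_IFDIR | 0o755),
    "/gnu/store": (0, stat.S_IFDIR | 0o1775),          # drwxrwxr-t root:guixbuild
    "/gnu/store/xxxx-echo-sshkey.sh": (0, stat.S_IFREG | 0o555),
    "/usr": (0, stat.S_IFDIR | 0o755),
    "/usr/local": (0, stat.S_IFDIR | 0o755),
    "/usr/local/bin": (0, stat.S_IFDIR | 0o755),
    "/usr/local/bin/authkeys": (0, stat.S_IFREG | 0o755),
    "/home": (0, stat.S_IFDIR | 0o755),
    "/home/alice": (1000, stat.S_IFDIR | 0o755),
    "/home/alice/bin": (1000, stat.S_IFDIR | 0o755),
    "/home/alice/bin/authkeys": (1000, stat.S_IFREG | 0o755),
}


def _bad_entry(uid, mode, user_uid):
    """sshd's per-entry rule: reject if owned by neither root nor the user,
    or if group/other write bits (022) are set."""
    return (uid != 0 and uid != user_uid) or (mode & 0o022) != 0


def safe_path(path, fs, user_uid, homedir=None, trusted_dirs=()):
    """Simulate sshd's safe_path() walk over the table `fs`.

    Returns (ok, message). The file is checked first, then every parent
    directory. As in sshd, the walk ends once the home directory (after
    checking it) or "/" has been reached. `trusted_dirs` is an assumed
    extension illustrating the proposal: reaching such a directory ends the
    walk without checking it or anything above it."""
    if not posixpath.isabs(path):
        return False, "path must be absolute"
    if path not in fs:
        return False, f"stat failed for {path}"
    uid, mode = fs[path]
    if _bad_entry(uid, mode, user_uid):
        return False, f"bad ownership or modes for file {path}"
    cur = path
    while True:
        cur = posixpath.dirname(cur)
        if cur in trusted_dirs:
            return True, "ok"
        if cur not in fs:
            return False, f"stat failed for directory {cur}"
        uid, mode = fs[cur]
        if _bad_entry(uid, mode, user_uid):
            return False, f"bad ownership or modes for directory {cur}"
        if cur == homedir or cur == "/":
            return True, "ok"


def report(tag, path, fs, user_uid, **kw):
    """Format the outcome the way sshd logs it, e.g.
    Unsafe AuthorizedKeysCommand "/gnu/store/...": bad ownership or modes ..."""
    ok, msg = safe_path(path, fs, user_uid, **kw)
    return "ok" if ok else f'Unsafe {tag} "{path}": {msg}'


if __name__ == "__main__":
    store_script = "/gnu/store/xxxx-echo-sshkey.sh"
    # Stock behaviour: the group-writable /gnu/store directory fails the walk.
    print(report("AuthorizedKeysCommand", store_script, SAMPLE_FS, 0))
    # Proposed behaviour: trusting /gnu/store ends the walk before it is checked.
    print(report("AuthorizedKeysCommand", store_script, SAMPLE_FS, 0,
                 trusted_dirs=("/gnu/store",)))
    # A conventional root-owned location passes as-is.
    print(report("AuthorizedKeysCommand", "/usr/local/bin/authkeys", SAMPLE_FS, 0))
    # A user-owned file is fine for that user, and rejected for anyone else.
    print(report("AuthorizedKeysFile", "/home/alice/bin/authkeys", SAMPLE_FS, 1000,
                 homedir="/home/alice"))
    print(report("AuthorizedKeysFile", "/home/alice/bin/authkeys", SAMPLE_FS, 1001))
```

The `trusted_dirs` short-circuit deliberately happens before the directory is stat'ed: if /gnu/store itself were still checked, its group write bit would fail the walk exactly as before, so "trusting the path" has to mean skipping the check for that directory and its ancestors, which is the difference from the existing home-directory stop (sshd checks the home directory and only then stops).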