[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How to put a file in /gnu/store and set its permissions

From: Gary Johnson
Subject: Re: How to put a file in /gnu/store and set its permissions
Date: Wed, 08 Dec 2021 11:26:21 -0500

> Nathan Dehnel <> writes:
> Thanks. I guess then I need to know how to put a file in /etc/ssh
> without putting it in the store.

> On Sun, Dec 5, 2021 at 8:44 PM Gary Johnson <> wrote:
> To programmatically add a file to /etc, you can extend the
> etc-service-type in your operating-system's services field like so:
> ```
> (use-modules
>  ((gnu services)         #:select (simple-service etc-service-type))
>  ((gnu services desktop) #:select (%desktop-services))
>  ((gnu system)           #:select (operating-system))
>  ((guix gexp)            #:select (local-file)))
> (define guixrig_host_rsa_key
>   (local-file "ssh/guixrig_host_rsa_key" #:recursive? #t))
> (operating-system
>  ...
>  (services (cons* (simple-service 'my-secret-service etc-service-type
>                                   `(("ssh/guixrig_host_rsa_key" 
> ,guixrig_host_rsa_key)))
>                   %desktop-services)))
> ```
> Have fun and happy hacking!
>   ~Gary

> Nathan Dehnel <> writes:
> Thanks. Though that code causes "guix system: error: symlink: File
> exists: "/etc/ssh"" when I use it, and by the looks of it, would still
> be putting the key in the store, which is insecure.

Bummer. It works as expected when I run that code on my system with:

sudo guix system reconfigure config.scm

Maybe you manually created /etc/ssh already, which could be causing the
error on your end? Either way, your file does end up in the store and is
owned by root:root with permissions 444.

I'm not aware of a way to add files to /etc or any other guix-managed
directory without placing a copy in the store. However, once your file
lands in /etc/ssh/guixrig_host_rsa_key, isn't it owned by root:root and
readable as well?

Perhaps one of the other Guix wizards on this mailing list would have
some ideas on how to control the permissions on these auto-generated

Good luck,

GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance:
()  ascii ribbon campaign - against html e-mail
/\   - against proprietary attachments

Why is HTML email a security nightmare? See

Please avoid sending me MS-Office attachments.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]