[PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.

  • Done
  • quality assurance status badge
Details
2 participants
  • Janneke Nieuwenhuizen
  • Ludovic Courtès
Owner
unassigned
Submitted by
Janneke Nieuwenhuizen
Severity
important
J
J
Janneke Nieuwenhuizen wrote on 8 Sep 2023 22:49
(address . bug-guix@gnu.org)
87tts4qtko.fsf@gnu.org
Title says it all...

So, i've started using direnv with envrc.el, really great!

...which meant that on top op `guix shell' pestering me with its
shell-authorized-directories, I had to also type `direnv allow' all day.

Anyway, I found that direnv has a whitelist, prefix even; so I looked
into what guix shell might have and found that using

Toggle snippet (3 lines)
echo '-allow-all- > ~/.config/guix/shell-authorized-directories

acts like an undocumented whitelist prefix for /.

Find a fix attached.

Greetings,
Janneke
From 5b7af1342f4f0d91df9de960877889d40b8c5d64 Mon Sep 17 00:00:00 2001
Message-ID: <5b7af1342f4f0d91df9de960877889d40b8c5d64.1694206063.git.janneke@gnu.org>
From: Janneke Nieuwenhuizen <janneke@gnu.org>
Date: Wed, 6 Sep 2023 10:52:17 +0200
Subject: [PATCH] guix: shell: Don't whitelist / by typo in
`shell-authorized-directories'.


* guix/scripts/shell.scm (authorized-shell-directory?): After warning,
continue LOOP to return valid query result for DIRECTORY.
---
guix/scripts/shell.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

Toggle diff (25 lines)
diff --git a/guix/scripts/shell.scm b/guix/scripts/shell.scm
index d67152cef7..83888eee1d 100644
--- a/guix/scripts/shell.scm
+++ b/guix/scripts/shell.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2021-2023 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -232,7 +233,8 @@ (define (authorized-shell-directory? directory)
(port-line port)
(port-column port))))
(warning loc (G_ "ignoring invalid file name: '~a'~%")
- line))))))))))
+ line)
+ (loop))))))))))
(const #f)))
(define (options-with-caching opts)

base-commit: 4dd33fc62899134606f36f92594cf160b972f685
--
2.41.0
--
Janneke Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com| Avatar® https://AvatarAcademy.com
J
J
Janneke Nieuwenhuizen wrote on 8 Sep 2023 22:54
(address . 65832-done@debbugs.gnu.org)
87ledgqtb5.fsf@gnu.org
Janneke Nieuwenhuizen writes:

Hi!

Toggle quote (2 lines)
> Title says it all...

[..]

After discussing with the security team, pushed to master as

1ef4974be94d75d935d98399dcda44199a1fca47

Greetings,
Janneke

--
Janneke Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com| Avatar® https://AvatarAcademy.com
Closed
L
L
Ludovic Courtès wrote on 11 Sep 2023 17:48
control message for bug #65832
(address . control@debbugs.gnu.org)
877cowsobt.fsf@gnu.org
severity 65832 important
quit
L
L
Ludovic Courtès wrote on 11 Sep 2023 17:48
(address . control@debbugs.gnu.org)
875y4gsob8.fsf@gnu.org
tags 65832 + security
quit
L
L
Ludovic Courtès wrote on 11 Sep 2023 17:49
Re: bug#65832: [PATCH] guix: shell: Don't whitelist / by typo in `shell-authorized-directories'.
(name . Janneke Nieuwenhuizen)(address . janneke@gnu.org)(address . 65832@debbugs.gnu.org)
871qf4so9q.fsf@gnu.org
Hi,

Janneke Nieuwenhuizen <janneke@gnu.org> skribis:

Toggle quote (10 lines)
> From: Janneke Nieuwenhuizen <janneke@gnu.org>
> Date: Wed, 6 Sep 2023 10:52:17 +0200
> Subject: [PATCH] guix: shell: Don't whitelist / by typo in
> `shell-authorized-directories'.
>
> Fixes <https://issues.guix.gnu.org/...>
>
> * guix/scripts/shell.scm (authorized-shell-directory?): After warning,
> continue LOOP to return valid query result for DIRECTORY.

Thanks a lot for finding, reporting, and fixing this issue!

Ludo’.
?