Avoid references to the store in authorized_keys

  • Done
Details
2 participants
  • Clément Lassieur
  • ng0
Owner
unassigned
Submitted by
Clément Lassieur
Severity
normal
Clément Lassieur wrote on 30 Apr 2017 18:30
(address . guix-patches@gnu.org)
87wpa1q2po.fsf@lassieur.org
Note that if gitolite is already installed, one has to remove the
references from authorized_keys manually first, because otherwise the
old (bugged) gitolite will be used instead of the one in the PATH, and
authorized_keys will never be updated.
Clément Lassieur wrote on 30 Apr 2017 18:32
[PATCH] gnu: gitolite: Avoid references to the store in authorized_keys.
(address . 26717@debbugs.gnu.org)
20170430163244.2830-1-clement@lassieur.org
* gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
'$glshell' with 'gitolite-shell' in ssh-authkeys.
---
gnu/packages/version-control.scm | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
index e0770dc58..1cad0f285 100644
--- a/gnu/packages/version-control.scm
+++ b/gnu/packages/version-control.scm
@@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
;; invokes Perl.
(substitute* (find-files "." ".*")
((" perl -")
- (string-append " " perl " -"))))))
+ (string-append " " perl " -")))
+
+ ;; Avoid references to the store in authorized_keys.
+ ;; This works because gitolite-shell is in the PATH.
+ (substitute* "src/triggers/post-compile/ssh-authkeys"
+ (("\\$glshell \\$user")
+ "gitolite-shell $user")))))
(replace 'install
(lambda* (#:key outputs #:allow-other-keys)
(let* ((output (assoc-ref outputs "out"))
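Review bot: the new `substitute*` call on `src/triggers/post-compile/ssh-authkeys` succeeds silently when the pattern `\\$glshell \\$user` matches nothing, so a later upstream rename of that variable would quietly put the absolute store path back into every `command=` entry the trigger writes; consider failing the phase when the pattern is not found, or adding a check that the patched trigger no longer mentions `$glshell`. The comment "This works because gitolite-shell is in the PATH" should also say whose PATH: the forced command in authorized_keys is resolved by the gitolite user's login environment under sshd, not by the build environment, so a profile without gitolite-shell on PATH makes every key in that file fail closed. Finally, the commit message would benefit from the point made in the cover note: an existing installation keeps the old store references in authorized_keys until they are removed by hand, because the old gitolite-shell they name is the one sshd keeps running.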
--
2.12.2
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26717@debbugs.gnu.org)
20170430193117.setdri6ykdbbmza3@abyayala
Clément Lassieur transcribed 1.3K bytes:
> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
> '$glshell' with 'gitolite-shell' in ssh-authkeys.
> ---
> gnu/packages/version-control.scm | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
> index e0770dc58..1cad0f285 100644
> --- a/gnu/packages/version-control.scm
> +++ b/gnu/packages/version-control.scm
> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
> ;; invokes Perl.
> (substitute* (find-files "." ".*")
> ((" perl -")
> - (string-append " " perl " -"))))))
> + (string-append " " perl " -")))
> +
> + ;; Avoid references to the store in authorized_keys.
> + ;; This works because gitolite-shell is in the PATH.
> + (substitute* "src/triggers/post-compile/ssh-authkeys"
> + (("\\$glshell \\$user")
> + "gitolite-shell $user")))))
> (replace 'install
> (lambda* (#:key outputs #:allow-other-keys)
> (let* ((output (assoc-ref outputs "out"))
> --
> 2.12.2
>
>
>
>

This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
--
Clément Lassieur wrote on 30 Apr 2017 23:57
(name . ng0)(address . contact.ng0@cryptolab.net)
87lgqhd0d5.fsf@lassieur.org
ng0 <contact.ng0@cryptolab.net> writes:

> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?

Well, I don't think so because the mechanism used in hooks is different:
the reference to the store is in the shebang and shebangs need absolute
paths, they don't look at PATH. We could use 'env' though, as suggested
by Marius here:
http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
As in:

#!/run/current-system/profile/bin/env perl

Assuming /run/current-system/profile/bin/env exists on all possible
setups. WDYT?
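An added audit helper for the two kinds of store reference this thread discusses (forced commands in authorized_keys, which the patch removes but which a stale install still carries, and hook shebangs, which cannot consult PATH at all); this is example code, not part of the Guix patch or of gitolite, and the store hashes and key material in it are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper, not part of the Guix patch or of gitolite.  It finds
# absolute /gnu/store references in two places: the command= option of
# authorized_keys entries and the shebang line of hook files.

# Print the forced command of every authorized_keys line whose command=
# option starts with an absolute /gnu/store path.
store_refs_in_authkeys() {
    # $1: path to an authorized_keys file
    grep -o 'command="[^"]*"' "$1" | sed 's/^command="//; s/"$//' \
        | grep '^/gnu/store/' || true
}

# Print every hook file whose shebang (first line) points into /gnu/store.
# A shebang is resolved by the kernel, so PATH never helps here.
store_refs_in_hooks() {
    # $1: hooks directory
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q '^#!/gnu/store/' && printf '%s\n' "$f"
    done
    return 0
}

# Constructed sample deployment; store hashes and keys are placeholders.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/authorized_keys" <<'EOF'
command="/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-gitolite/bin/gitolite-shell alice",no-port-forwarding,no-pty ssh-ed25519 AAAAC3placeholder alice
command="gitolite-shell bob",no-port-forwarding,no-pty ssh-ed25519 AAAAC3placeholder bob
EOF
    mkdir "$tmp/hooks"
    printf '#!/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-perl/bin/perl\n' \
        > "$tmp/hooks/update"
    printf '#!/run/current-system/profile/bin/env perl\n' > "$tmp/hooks/post-update"
    echo "authorized_keys entries still tied to the store:"
    store_refs_in_authkeys "$tmp/authorized_keys"
    echo "hooks whose shebang is tied to the store:"
    store_refs_in_hooks "$tmp/hooks"
    rm -rf "$tmp"
}

demo
```

Running the functions against a real gitolite user's ~/.ssh/authorized_keys and hooks directory after an upgrade shows whether the trigger has been re-run and whether hooks still depend on a specific store item.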
Clément Lassieur wrote on 3 May 2017 21:47
(name . ng0)(address . contact.ng0@cryptolab.net)(address . 26717-done@debbugs.gnu.org)
87r3057mep.fsf@lassieur.org
ng0 <contact.ng0@cryptolab.net> writes:

> Clément Lassieur transcribed 1.3K bytes:
>> * gnu/packages/version-control.scm (gitolite)[arguments]: Substitute
>> '$glshell' with 'gitolite-shell' in ssh-authkeys.
>> ---
>> gnu/packages/version-control.scm | 8 +++++++-
>> 1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm
>> index e0770dc58..1cad0f285 100644
>> --- a/gnu/packages/version-control.scm
>> +++ b/gnu/packages/version-control.scm
>> @@ -628,7 +628,13 @@ also walk each side of a merge and test those changes individually.")
>> ;; invokes Perl.
>> (substitute* (find-files "." ".*")
>> ((" perl -")
>> - (string-append " " perl " -"))))))
>> + (string-append " " perl " -")))
>> +
>> + ;; Avoid references to the store in authorized_keys.
>> + ;; This works because gitolite-shell is in the PATH.
>> + (substitute* "src/triggers/post-compile/ssh-authkeys"
>> + (("\\$glshell \\$user")
>> + "gitolite-shell $user")))))
>> (replace 'install
>> (lambda* (#:key outputs #:allow-other-keys)
>> (let* ((output (assoc-ref outputs "out"))
>> --
>> 2.12.2
>>
>>
>>
>>
>
> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?

Thank you :) I pushed it.
Closed
Clément Lassieur wrote on 4 May 2017 10:50
(name . ng0)(address . contact.ng0@cryptolab.net)
87d1bpatva.fsf@lassieur.org
Clément Lassieur <clement@lassieur.org> writes:

> ng0 <contact.ng0@cryptolab.net> writes:
>> This looks good. I have yet to test it. Do you think we could fix the hook files of gitolite like this too?
>
> Well, I don't think so because the mechanism used in hooks is different:
> the reference to the store is in the shebang and shebangs need absolute
> paths, they don't look at PATH. We could use 'env' though, as suggested
> by Marius here:
> http://lists.gnu.org/archive/html/guix-patches/2017-03/msg00339.html.
> As in:
>
> #!/run/current-system/profile/bin/env perl
>
> Assuming /run/current-system/profile/bin/env exists on all possible
> setups. WDYT?

This won't work on a non-GuixSD OS. I can't find a simple solution.