home-openssh-service-type creates .ssh/config with wrong permissions

Status: Open
Submitted by: Elias Kueny
Participants: Elias Kueny, Ludovic Courtès
Owner: unassigned
Severity: important
Elias Kueny wrote on 14 Aug 20:04 +0200
(address . bug-guix@gnu.org)
877d3ais5w.fsf@posteo.net
Hello,

I'm trying to use home-openssh-service-type. I'm testing the configuration by running
guix home container home-configuration.scm

The files are created with too open permissions, so ssh refuses to run:

$ ssh xxx
Bad owner or permissions on ~/.ssh/config

$ ls -l .ssh
lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

And the file system being read-only, a manual chmod is not possible.


$ guix describe
guix 9e46320
branch: master
commit: 9e4632081ff31bf0d1715edd66f514614c6dc4bb

Best,
Elias
Ludovic Courtès wrote on 31 Aug 12:51 +0200
control message for bug #57217
(address . control@debbugs.gnu.org)
87mtbkbs92.fsf@gnu.org
severity 57217 important
quit
Ludovic Courtès wrote on 23 Sep 09:13 +0200
Re: bug#57217: home-openssh-service-type creates .ssh/config with wrong permissions
(name . Elias Kueny)(address . elias.kueny@posteo.net)(address . 57217@debbugs.gnu.org)
8735ciftqs.fsf@gnu.org
Hi Elias,

Elias Kueny <elias.kueny@posteo.net> skribis:

> The files are created with too open permissions, so ssh refuses to run:
>
> $ ssh xxx
> Bad owner or permissions on ~/.ssh/config
>
> $ ls -l .ssh
> lrwxrwxrwx 1 user users 59 Aug 14 18:17 authorized_keys -> /gnu/store/y8g2d9kmlrhfna23r26cfgp5mr1sxl72-authorized_keys
> lrwxrwxrwx 1 user users 52 Aug 14 18:17 config -> /gnu/store/dnnzwrz4hp1z6wnr76a6j57v95vyrbf3-ssh.conf

Here’s what I see in a container:

$ ls -ld .ssh
drwx------ 2 ludo users 80 Sep 23 06:39 .ssh/
$ ls -l .ssh/config
lrwxrwxrwx 1 ludo users 52 Sep 23 06:39 .ssh/config -> /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf
$ ls -l $(readlink .ssh/config)
-r--r--r-- 1 65534 overflow 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf

The relevant check in OpenSSH is this:

	if (fstat(fileno(f), &sb) == -1)
		fatal("fstat %s: %s", filename, strerror(errno));
	if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
	    (sb.st_mode & 022) != 0))
		fatal("Bad owner or permissions on %s", filename);

That is, if ~/.ssh/config is owned by root, it’s fine; and this is
exactly what happens outside the container:

$ ls -l $(readlink ~/.ssh/config)
-r--r--r-- 1 root root 6219 Jan 1 1970 /gnu/store/5lksmnx3mlyinlja2lhd84p0jkp06bg5-ssh.conf

So ‘ssh’ works fine outside the container, but not inside.

To address the issue at hand, we would need to map UID 0 of the host as
UID 0 of the guest, but I’m not sure this can be done.

To be continued…

Ludo’.
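The following is an added example, not code from the bug report, from Guix, or from OpenSSH: it re-implements the owner/mode test quoted above as a plain function so the two situations Ludovic describes (a root-owned store file outside the container, a file owned by uid 65534 inside it) can be evaluated on constructed values, plus a helper that runs the same test against a real path. The caller uid of 1000 and the function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example: mirrors the check quoted from OpenSSH, so that the
 * (uid, mode) pairs seen in the thread can be tested without a file.
 * Returns 1 when OpenSSH would accept the config file and 0 when it
 * would stop with "Bad owner or permissions". */
int config_perms_ok(uid_t file_uid, mode_t file_mode, uid_t caller_uid)
{
    /* Owner must be root or the user running ssh. */
    if (file_uid != 0 && file_uid != caller_uid)
        return 0;
    /* Neither group nor world may have write permission. */
    if ((file_mode & 022) != 0)
        return 0;
    return 1;
}

/* Same test on a real path. stat() follows the symlink, which matches
 * fstat() on the file OpenSSH has already opened. Returns 1 if accepted,
 * 0 if rejected, -1 if the path cannot be examined. */
int check_config_path(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) == -1)
        return -1;
    return config_perms_ok(sb.st_uid, sb.st_mode, getuid());
}

/* Constructed values from the thread: the store file is mode 0444
 * (-r--r--r--); the user is assumed to be uid 1000. */
int main(void)
{
    uid_t me = 1000;
    printf("outside container, root-owned store file: %s\n",
           config_perms_ok(0, 0444, me) ? "ok" : "rejected");
    printf("inside container, store file owned by 65534: %s\n",
           config_perms_ok(65534, 0444, me) ? "ok" : "rejected");
    printf("user-owned but group-writable (0664): %s\n",
           config_perms_ok(me, 0664, me) ? "ok" : "rejected");
    if (check_config_path("/etc/ssh/ssh_config") == 1)
        printf("/etc/ssh/ssh_config would be accepted\n");
    return 0;
}
```

Only the permission bits matter to the `& 022` test, so a read-only store file passes or fails purely on its owner; that is why the same 0444 file is fine when owned by root on the host and rejected when the container maps it to uid 65534.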
Ludovic Courtès wrote on 23 Sep 22:15 +0200
(name . Elias Kueny)(address . elias.kueny@posteo.net)(address . 57217@debbugs.gnu.org)
87pmfletjf.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:

> To address the issue at hand, we would need to map UID 0 of the host as
> UID 0 of the guest, but I’m not sure this can be done.

I believe it cannot be done: we can only map a single UID (at least
unless/until we use subordinate UIDs.)

Back to the original problem: it only affects ‘guix home container’; so
while this is annoying, it’s not a showstopper. WDYT?

Ludo’.