[PATCH] doc: Correct the "guix shell --container" example.

Details
2 participants
  • Liliana Marie Prikler
  • Rostislav Svoboda
Owner
unassigned
Submitted by
Rostislav Svoboda
Severity
normal
Rostislav Svoboda wrote on 2 Apr 19:53 +0200
To: guix-patches@gnu.org, Rostislav Svoboda <Rostislav.Svoboda@gmail.com>
Message-ID: 95ccaa3fb35cdfbbd4097df3425f4bece79c71e8.1712080385.git.Rostislav.Svoboda@gmail.com
* doc/guix.texi (Invoking @command{guix shell}): Add missing parameters
--preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust corresponding
textual description

Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
---
doc/guix.texi | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 69a904473c..14856027ca 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6268,12 +6268,18 @@ Invoking guix shell
This @option{--container} option can also prove useful if you wish to
run a security-sensitive application, such as a web browser, in an
isolated environment. For example, the command below launches
-Ungoogled-Chromium in an isolated environment, this time sharing network
-access with the host and preserving its @code{DISPLAY} environment
-variable, but without even sharing the current directory:
+Ungoogled-Chromium in an isolated environment, which:
+@itemize
+@item shares network access with the host
+@item inherits host's environment variables @code{DISPLAY} and @code{XAUTHORITY}
+@item has access to host's authentication records from the @code{XAUTHORITY}
+file
+@item has no information about host's current directory
+@end itemize
@example
guix shell --container --network --no-cwd ungoogled-chromium \
+ --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
--preserve='^DISPLAY$' -- chromium
@end example
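Review bot: the added line `--expose=$XAUTHORITY` leaves the expansion unquoted, so a value containing whitespace or glob characters is split into several words before guix sees it, and an unset XAUTHORITY degenerates the option to `--expose=`; since the @example is meant to be pasted into a shell, write `--expose="$XAUTHORITY"` here (and the same quoting convention should be kept in the prose that mentions it). The new @itemize bullet "has access to host's authentication records from the @code{XAUTHORITY} file" would also read more precisely as "can read the host's X authentication cookie from the @code{XAUTHORITY} file", which makes clear that this is what lets the isolated browser talk to the host X server.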

base-commit: 7af70efd7633b0d70091762cf43ce01a86176e8e
--
2.41.0
Liliana Marie Prikler wrote on 5 Apr 06:07 +0200
Message-ID: 97f6ec063bfee37c653862c28c93db8b77beb479.camel@gmail.com
On Tuesday, 02.04.2024 at 19:53 +0200, Rostislav Svoboda wrote:
> * doc/guix.texi (Invoking @command{guix shell}): Add missing
> parameters
> --preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust
> corresponding
> textual description
>
> Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
> ---
>  doc/guix.texi | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 69a904473c..14856027ca 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -6268,12 +6268,18 @@ Invoking guix shell
>  This @option{--container} option can also prove useful if you wish
> to
>  run a security-sensitive application, such as a web browser, in an
>  isolated environment.  For example, the command below launches
> -Ungoogled-Chromium in an isolated environment, this time sharing
> network
> -access with the host and preserving its @code{DISPLAY} environment
> -variable, but without even sharing the current directory:
> +Ungoogled-Chromium in an isolated environment, which:
> +@itemize
> +@item shares network access with the host
> +@item inherits host's environment variables @code{DISPLAY} and
> @code{XAUTHORITY}
> +@item has access to host's authentication records from the
> @code{XAUTHORITY}
> +file
> +@item has no information about host's current directory
> +@end itemize
>  
>  @example
>  guix shell --container --network --no-cwd ungoogled-chromium \
> +  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
shouldn't happen".

Cheers
Rostislav Svoboda wrote on 5 Apr 11:47 +0200
To: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
Message-ID: CAEtmmeyBVKnYysKqP9+tVvx8BRbByAxWZkFe-eW4PK1wE4H6zQ@mail.gmail.com
> Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> shouldn't happen".

??? Shell injection? Which, what, where? What do you mean?

Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
needed) Chromium doesn't start, i.e. the example doesn't work:

$ guix shell --container --network --no-cwd ungoogled-chromium
--preserve='^DISPLAY$' -- chromium
[1:12:0405/094428.353734:ERROR:bus.cc(399)] Failed to connect to the
bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No
such file or directory
Authorization required, but no authorization protocol specified

[1:1:0405/094428.361802:ERROR:ozone_platform_x11.cc(239)] Missing X
server or $DISPLAY
[1:1:0405/094428.361812:ERROR:env.cc(255)] The platform failed to
initialize. Exiting.

Cheers
Liliana Marie Prikler wrote on 5 Apr 15:07 +0200
To: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151@debbugs.gnu.org
Message-ID: f1d47ff8351014c74c9394e3563f6519616bc6b6.camel@gmail.com
On Friday, 05.04.2024 at 11:47 +0200, Rostislav Svoboda wrote:
> > Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> > shouldn't happen".
>
> ??? Shell injection? Which, what, where? What do you mean?
>
> Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
> needed) the Chromium doesn't start, i.e. the example doesn't work:
You need to properly quote "${XAUTHORITY}", otherwise bad things can
happen.

Cheers
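The quoting point raised against the hunk and in the reply above, as an added example that is not part of the patch, the thread, or the Guix manual: `argc_quoted` and `argc_unquoted` count the words the shell actually hands to `guix shell` for a given XAUTHORITY value, `resolve_xauthority` applies Xlib's `$HOME/.Xauthority` fallback and checks the file is readable before it is exposed, and `run_browser` is a hypothetical wrapper around the manual's command with both expansions quoted (it needs guix installed and is not run by the demonstration at the bottom).

```shell
#!/bin/sh
# Added example for this thread, not code from the Guix manual or the
# patch.  It shows why the reviewer asked for "${XAUTHORITY}" to be quoted
# and wraps the manual's browser command with the path validated first.

# Path the X client library will read: $XAUTHORITY, else $HOME/.Xauthority.
# Refuse anything that is not a readable regular file so a stale or
# mistyped value never reaches --expose.
resolve_xauthority() {
    xauth=${XAUTHORITY:-"$HOME/.Xauthority"}
    if [ ! -f "$xauth" ] || [ ! -r "$xauth" ]; then
        return 1
    fi
    printf '%s\n' "$xauth"
}

# Number of words the shell hands to guix for a given XAUTHORITY value.
# Quoted form: one word per option, whatever the path contains.
argc_quoted() {
    XAUTHORITY=$1
    set -- --preserve='^XAUTHORITY$' --expose="${XAUTHORITY}" --preserve='^DISPLAY$'
    echo "$#"
}

# Unquoted form as in the v1 patch: the path is subject to field splitting
# and pathname expansion, so a space in it produces an extra argument.
argc_unquoted() {
    XAUTHORITY=$1
    set -- --preserve='^XAUTHORITY$' --expose=$XAUTHORITY --preserve='^DISPLAY$'
    echo "$#"
}

# The manual's example with both expansions quoted.  XAUTHORITY is set on
# the guix command line so --preserve carries the validated path into the
# container even when the host had it unset.  (Hypothetical wrapper; it
# needs guix installed and is not executed by the demonstration below.)
run_browser() {
    xauth=$(resolve_xauthority) || { echo "no readable Xauthority file" >&2; return 1; }
    XAUTHORITY=$xauth guix shell --container --network --no-cwd ungoogled-chromium \
        --preserve='^XAUTHORITY$' --expose="$xauth" \
        --preserve='^DISPLAY$' -- chromium
}

# Constructed path with a space in it (not a value from the thread).
printf 'quoted:   %s words\n' "$(argc_quoted '/tmp/my dir/Xauthority')"
printf 'unquoted: %s words\n' "$(argc_unquoted '/tmp/my dir/Xauthority')"
```

With the constructed path the quoted form yields 3 words and the unquoted form 4, which is the difference that would otherwise surface only as a confusing `guix shell` error.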
Rostislav Svoboda wrote on 8 Apr 13:34 +0200
To: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
Message-ID: CAEtmmeycqjfyag0DXH4OVqKWDKxjpeFjySoNJsbYtsc8MUjQFA@mail.gmail.com
> You need to properly quote "${XAUTHORITY}"

Fixed. See attachment.
Liliana Marie Prikler wrote on 20 Apr 10:56 +0200
To: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151-done@debbugs.gnu.org
Message-ID: d9b56ff06e08f2ea40a20ddde9685387d6733bc6.camel@gmail.com
On Monday, 08.04.2024 at 13:34 +0200, Rostislav Svoboda wrote:
> > You need to properly quote "${XAUTHORITY}"
>
> Fixed. See attachment.
Fixed your markup and pushed.

Cheers
Closed