[PATCH] doc: Correct the "guix shell --container" example.

Status: Done
Participants: Liliana Marie Prikler, Rostislav Svoboda
Owner: unassigned
Submitted by: Rostislav Svoboda
Severity: normal

Rostislav Svoboda wrote 11 months ago
Addresses: guix-patches@gnu.org, Rostislav Svoboda <Rostislav.Svoboda@gmail.com>
Message-ID: 95ccaa3fb35cdfbbd4097df3425f4bece79c71e8.1712080385.git.Rostislav.Svoboda@gmail.com
* doc/guix.texi (Invoking @command{guix shell}): Add missing parameters
--preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust corresponding
textual description

Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
---
doc/guix.texi | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 69a904473c..14856027ca 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6268,12 +6268,18 @@ Invoking guix shell
This @option{--container} option can also prove useful if you wish to
run a security-sensitive application, such as a web browser, in an
isolated environment. For example, the command below launches
-Ungoogled-Chromium in an isolated environment, this time sharing network
-access with the host and preserving its @code{DISPLAY} environment
-variable, but without even sharing the current directory:
+Ungoogled-Chromium in an isolated environment, which:
+@itemize
+@item shares network access with the host
+@item inherits host's environment variables @code{DISPLAY} and @code{XAUTHORITY}
+@item has access to host's authentication records from the @code{XAUTHORITY}
+file
+@item has no information about host's current directory
+@end itemize
@example
guix shell --container --network --no-cwd ungoogled-chromium \
+ --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
--preserve='^DISPLAY$' -- chromium
@end example
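Review bot: the added line `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY \` leaves `$XAUTHORITY` unquoted inside the example, so a reader who copies it gets the value word-split by the shell (a path with a space becomes two arguments, and an unset variable silently yields a bare `--expose=`); the regexes on the same lines are correctly single-quoted, so write the expansion as `--expose="${XAUTHORITY}"` for consistency. Minor wording in the new `@item` lines: "host's" reads better as "the host's" in all three places.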

base-commit: 7af70efd7633b0d70091762cf43ce01a86176e8e
--
2.41.0
Liliana Marie Prikler wrote 11 months ago
Addresses: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151@debbugs.gnu.org
Message-ID: 97f6ec063bfee37c653862c28c93db8b77beb479.camel@gmail.com
Am Dienstag, dem 02.04.2024 um 19:53 +0200 schrieb Rostislav Svoboda:
> * doc/guix.texi (Invoking @command{guix shell}): Add missing
> parameters
> --preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust
> corresponding
> textual description
>
> Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
> ---
>  doc/guix.texi | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 69a904473c..14856027ca 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -6268,12 +6268,18 @@ Invoking guix shell
>  This @option{--container} option can also prove useful if you wish
> to
>  run a security-sensitive application, such as a web browser, in an
>  isolated environment.  For example, the command below launches
> -Ungoogled-Chromium in an isolated environment, this time sharing
> network
> -access with the host and preserving its @code{DISPLAY} environment
> -variable, but without even sharing the current directory:
> +Ungoogled-Chromium in an isolated environment, which:
> +@itemize
> +@item shares network access with the host
> +@item inherits host's environment variables @code{DISPLAY} and
> @code{XAUTHORITY}
> +@item has access to host's authentication records from the
> @code{XAUTHORITY}
> +file
> +@item has no information about host's current directory
> +@end itemize
>  
>  @example
>  guix shell --container --network --no-cwd ungoogled-chromium \
> +  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
shouldn't happen".

Cheers
Rostislav Svoboda wrote 11 months ago
Addresses: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
Message-ID: CAEtmmeyBVKnYysKqP9+tVvx8BRbByAxWZkFe-eW4PK1wE4H6zQ@mail.gmail.com
> Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> shouldn't happen".

??? Shell injection? Which, what, where? What do you mean?

Without `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
needed), Chromium doesn't start, i.e. the example doesn't work:

$ guix shell --container --network --no-cwd ungoogled-chromium --preserve='^DISPLAY$' -- chromium
[1:12:0405/094428.353734:ERROR:bus.cc(399)] Failed to connect to the
bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No
such file or directory
Authorization required, but no authorization protocol specified

[1:1:0405/094428.361802:ERROR:ozone_platform_x11.cc(239)] Missing X
server or $DISPLAY
[1:1:0405/094428.361812:ERROR:env.cc(255)] The platform failed to
initialize. Exiting.

Cheers
Liliana Marie Prikler wrote 11 months ago
Addresses: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151@debbugs.gnu.org
Message-ID: f1d47ff8351014c74c9394e3563f6519616bc6b6.camel@gmail.com
Am Freitag, dem 05.04.2024 um 11:47 +0200 schrieb Rostislav Svoboda:
> > Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> > shouldn't happen".
>
> ??? Shell injection? Which, what, where? What do you mean?
>
> Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
> needed) the Chromium doesn't start, i.e. the example doesn't work:
You need to properly quote "${XAUTHORITY}", otherwise bad things can
happen.

Cheers
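The quoting point made in the reply above, shown as an added example (this is not code from the Guix manual, the patch, or either participant). A stand-in for the `--expose=` argument list is built once with the patch's unquoted `$XAUTHORITY` and once with the quoted form the reviewer asked for, using a constructed path that contains a space; the functions report how many arguments the command would actually receive and what the first one looks like. A small `xauthority_ok` check (an assumed helper, not part of Guix) refuses to proceed when the variable is unset, empty or unreadable, because the unquoted form otherwise passes a bare `--expose=` without any complaint.

```sh
#!/bin/sh
# Added example, not from the Guix manual or the patch thread.
# Shows why "${XAUTHORITY}" must be quoted in the documented command.

# Constructed sample value: a path containing a space (not a real file).
SAMPLE_XAUTHORITY='/tmp/example user/Xauthority'

# Build the tail of the command line the way the patch writes it
# (unquoted expansion) and report how many arguments result.
# The local name xauth stands in for XAUTHORITY so the caller's
# environment is left untouched.
argc_unquoted() {
    xauth=$1
    set -- --expose=$xauth -- chromium
    echo "$#"
}

# Same, but with the quoted form the reviewer asked for.
argc_quoted() {
    xauth=$1
    set -- --expose="${xauth}" -- chromium
    echo "$#"
}

# First argument the command actually receives with unquoted expansion:
# a path with a space is cut at the space, an empty value gives "--expose=".
expose_arg_unquoted() {
    xauth=$1
    set -- --expose=$xauth -- chromium
    echo "$1"
}

# First argument with the quoted form: the whole path survives intact.
expose_arg_quoted() {
    xauth=$1
    set -- --expose="${xauth}" -- chromium
    echo "$1"
}

# Defensive check before invoking the real command (assumed helper):
# returns 0 when the given XAUTHORITY value is non-empty and readable,
# 1 otherwise, so an unset variable is caught instead of becoming
# a silent, empty --expose= argument.
xauthority_ok() {
    [ -n "${1:-}" ] && [ -r "$1" ]
}

# Usage sketch (the real guix command is not run by this file):
#   if xauthority_ok "${XAUTHORITY:-}"; then
#       guix shell --container --network --no-cwd ungoogled-chromium \
#           --preserve='^XAUTHORITY$' --expose="${XAUTHORITY}" \
#           --preserve='^DISPLAY$' -- chromium
#   fi
```

With the sample path the unquoted form yields four arguments and exposes only `/tmp/example`, the quoted form yields three and exposes the full path; with an empty value the unquoted form still runs, passing `--expose=`.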
Rostislav Svoboda wrote 11 months ago
Addresses: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
Message-ID: CAEtmmeycqjfyag0DXH4OVqKWDKxjpeFjySoNJsbYtsc8MUjQFA@mail.gmail.com
> You need to properly quote "${XAUTHORITY}"

Fixed. See attachment.
Liliana Marie Prikler wrote 11 months ago
Addresses: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151-done@debbugs.gnu.org
Message-ID: d9b56ff06e08f2ea40a20ddde9685387d6733bc6.camel@gmail.com
Am Montag, dem 08.04.2024 um 13:34 +0200 schrieb Rostislav Svoboda:
> > You need to properly quote "${XAUTHORITY}"
>
> Fixed. See attachment.
Fixed your markup and pushed.

Cheers
Closed