[PATCH] doc: Correct the "guix shell --container" example.

  • Open
Details
2 participants
  • Liliana Marie Prikler
  • Rostislav Svoboda
Owner
unassigned
Submitted by
Rostislav Svoboda
Severity
normal
Rostislav Svoboda wrote on 2 Apr 19:53 +0200
To: guix-patches@gnu.org, Rostislav Svoboda <Rostislav.Svoboda@gmail.com>
95ccaa3fb35cdfbbd4097df3425f4bece79c71e8.1712080385.git.Rostislav.Svoboda@gmail.com
* doc/guix.texi (Invoking @command{guix shell}): Add missing parameters
--preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust corresponding
textual description

Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
---
doc/guix.texi | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 69a904473c..14856027ca 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -6268,12 +6268,18 @@ Invoking guix shell
This @option{--container} option can also prove useful if you wish to
run a security-sensitive application, such as a web browser, in an
isolated environment. For example, the command below launches
-Ungoogled-Chromium in an isolated environment, this time sharing network
-access with the host and preserving its @code{DISPLAY} environment
-variable, but without even sharing the current directory:
+Ungoogled-Chromium in an isolated environment, which:
+@itemize
+@item shares network access with the host
+@item inherits host's environment variables @code{DISPLAY} and @code{XAUTHORITY}
+@item has access to host's authentication records from the @code{XAUTHORITY}
+file
+@item has no information about host's current directory
+@end itemize
@example
guix shell --container --network --no-cwd ungoogled-chromium \
+ --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
--preserve='^DISPLAY$' -- chromium
@end example
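Review bot: the new `--expose=$XAUTHORITY` argument in this hunk is unquoted, so the shell word-splits and glob-expands the value before `guix shell` sees it; a path containing whitespace arrives as two arguments, and an unset or empty XAUTHORITY leaves a bare `--expose=`. Write `--expose="$XAUTHORITY"` in the `@example` (the reply further down asks for exactly this). In the new `@itemize` text, "inherits host's environment variables" and "host's authentication records" want an article ("the host's"); since the section frames the use case as "security-sensitive", that third bullet is also the place to say plainly that exposing the XAUTHORITY file is what lets the contained browser authenticate to the host's X server, so readers understand what the container is being handed.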

base-commit: 7af70efd7633b0d70091762cf43ce01a86176e8e
--
2.41.0
Liliana Marie Prikler wrote on 5 Apr 06:07 +0200
97f6ec063bfee37c653862c28c93db8b77beb479.camel@gmail.com
On Tuesday, 02.04.2024 at 19:53 +0200, Rostislav Svoboda wrote:
> * doc/guix.texi (Invoking @command{guix shell}): Add missing
> parameters
> --preserve='^XAUTHORITY$' --expose=$XAUTHORITY and adjust
> corresponding
> textual description
>
> Change-Id: Ib99c81c107ff9784708ae807ec9b3ab93ad75603
> ---
>  doc/guix.texi | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 69a904473c..14856027ca 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -6268,12 +6268,18 @@ Invoking guix shell
>  This @option{--container} option can also prove useful if you wish
> to
>  run a security-sensitive application, such as a web browser, in an
>  isolated environment.  For example, the command below launches
> -Ungoogled-Chromium in an isolated environment, this time sharing
> network
> -access with the host and preserving its @code{DISPLAY} environment
> -variable, but without even sharing the current directory:
> +Ungoogled-Chromium in an isolated environment, which:
> +@itemize
> +@item shares network access with the host
> +@item inherits host's environment variables @code{DISPLAY} and
> @code{XAUTHORITY}
> +@item has access to host's authentication records from the
> @code{XAUTHORITY}
> +file
> +@item has no information about host's current directory
> +@end itemize
>  
>  @example
>  guix shell --container --network --no-cwd ungoogled-chromium \
> +  --preserve='^XAUTHORITY$' --expose=$XAUTHORITY \
Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
shouldn't happen".

Cheers
Rostislav Svoboda wrote on 5 Apr 11:47 +0200
To: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
CAEtmmeyBVKnYysKqP9+tVvx8BRbByAxWZkFe-eW4PK1wE4H6zQ@mail.gmail.com
> Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> shouldn't happen".

??? Shell injection? Which, what, where? What do you mean?

Without `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both are
needed), Chromium doesn't start, i.e., the example doesn't work:

$ guix shell --container --network --no-cwd ungoogled-chromium
--preserve='^DISPLAY$' -- chromium
[1:12:0405/094428.353734:ERROR:bus.cc(399)] Failed to connect to the
bus: Failed to connect to socket /var/run/dbus/system_bus_socket: No
such file or directory
Authorization required, but no authorization protocol specified

[1:1:0405/094428.361802:ERROR:ozone_platform_x11.cc(239)] Missing X
server or $DISPLAY
[1:1:0405/094428.361812:ERROR:env.cc(255)] The platform failed to
initialize. Exiting.

Cheers
Liliana Marie Prikler wrote on 5 Apr 15:07 +0200
To: Rostislav Svoboda <rostislav.svoboda@gmail.com>, 70151@debbugs.gnu.org
f1d47ff8351014c74c9394e3563f6519616bc6b6.camel@gmail.com
On Friday, 05.04.2024 at 11:47 +0200, Rostislav Svoboda wrote:
> > Shell injection says "/run/user/$USER/gdm/Xauthority -- oops that
> > shouldn't happen".
>
> ??? Shell injection? Which, what, where? What do you mean?
>
> Without the `--preserve='^XAUTHORITY$' --expose=$XAUTHORITY` (both
> needed) the Chromium doesn't start, i.e. the example doesn't work:
You need to properly quote "${XAUTHORITY}", otherwise bad things can
happen.

Cheers
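The quoting point raised in this reply, as an added POSIX sh illustration that is not part of the patch, the Guix manual, or either participant's message: it shows what an unquoted `--expose=$XAUTHORITY` does to a path containing a space, and builds the same `guix shell` command line from the patch with the expansion quoted and a preflight check that XAUTHORITY is set and readable. The function names, the DRY_RUN switch and the demo path with a space in it are made up for this example; the `guix shell` arguments themselves are the ones from the patch.

```shell
#!/bin/sh
# Added example (not from the Guix manual or the patch under discussion):
# why the unquoted --expose=$XAUTHORITY is fragile, and a quoted,
# preflight-checked way to build the same command line.

# Report how many separate arguments a command line ends up with.
count_args() {
    echo "$#"
}

# Unquoted expansion: the shell splits $1 on whitespace and expands globs
# before guix sees it, so a path with a space becomes two arguments.
expose_unquoted() {
    # shellcheck disable=SC2086
    count_args --expose=$1
}

# Quoted expansion: exactly one argument, whatever the path contains.
expose_quoted() {
    count_args --expose="$1"
}

# Preflight check: XAUTHORITY must be non-empty and name a readable file,
# otherwise --expose would receive an empty or unusable path.
# Returns 0 when usable, 1 otherwise.
xauthority_usable() {
    path=$1
    [ -n "$path" ] && [ -r "$path" ]
}

# Build the container command from the patch with every expansion quoted.
# With DRY_RUN set (hypothetical switch for this example) it prints the
# argument list one per line instead of exec'ing guix.
launch_chromium_container() {
    if ! xauthority_usable "${XAUTHORITY-}"; then
        echo "XAUTHORITY is unset or not a readable file; refusing to launch" >&2
        return 1
    fi
    set -- guix shell --container --network --no-cwd ungoogled-chromium \
        --preserve='^XAUTHORITY$' --expose="$XAUTHORITY" \
        --preserve='^DISPLAY$' -- chromium
    if [ -n "${DRY_RUN-}" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    exec "$@"
}

# Constructed demo path containing a space.
demo_path='/tmp/xauth dir/Xauthority'
expose_unquoted "$demo_path"   # 2: the path was split in two
expose_quoted "$demo_path"     # 1
```

Run it with `DRY_RUN=1` to see the argument list the container would be started with, one argument per line; without DRY_RUN it `exec`s guix. The manual's unquoted form happens to work only as long as XAUTHORITY is set and contains no whitespace or glob characters.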
Rostislav Svoboda wrote on 8 Apr 13:34 +0200
To: Liliana Marie Prikler <liliana.prikler@gmail.com>, 70151@debbugs.gnu.org
CAEtmmeycqjfyag0DXH4OVqKWDKxjpeFjySoNJsbYtsc8MUjQFA@mail.gmail.com
> You need to properly quote "${XAUTHORITY}"

Fixed. See attachment.