From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 04 04:07:59 2021
From: Ludovic Courtès
To: Maxime Devos
Cc: 50960@debbugs.gnu.org
Subject: Re: [bug#50960] [PATCH 04/10] DRAFT shell: By default load the local 'guix.scm' or 'manifest.scm' file.
References: <20211002102240.27815-1-ludo@gnu.org> <20211002102240.27815-4-ludo@gnu.org> <80360a349abc0eb00a8645fe3e7b5f8008f33ec8.camel@telenet.be>
In-Reply-To: <80360a349abc0eb00a8645fe3e7b5f8008f33ec8.camel@telenet.be> (Maxime Devos's message of "Sat, 02 Oct 2021 16:15:21 +0200")
Date: Mon, 04 Oct 2021 10:07:48 +0200
Message-ID: <87bl45tdpn.fsf@gnu.org>
X-URL: http://www.fdn.fr/~lcourtes/
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi Maxime,

Maxime Devos wrote:

> Ludovic Courtès wrote on Sat 02-10-2021 at 12:22 [+0200]:
>> +(define (find-file-in-parent-directories candidates)
>> +  "Find one of CANDIDATES in the current directory or one of its ancestors."
>> +  (let loop ((directory (getcwd)))
>> +    (and (= (stat:uid (stat directory)) (getuid))
>> +         (or (any (lambda (candidate)
>> +                    (let ((candidate (string-append directory "/" candidate)))
>> +                      (and (file-exists? candidate) candidate)))
>> +                  candidates)
>> +             (loop (string-append directory "/.."))))))  ;Unix ".." resolution
>
> I do not recommend this.
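Review bot: the named `let` loop in `find-file-in-parent-directories` has no explicit stop at the filesystem root; it terminates only because the owner test `(= (stat:uid (stat directory)) (getuid))` eventually fails, and when the caller is uid 0 (or the whole tree up to "/" belongs to the caller) "/.." resolves to "/" again and the loop never ends, with `directory` growing by "/.." on every iteration. Suggest checking for the root before recursing, for instance by stopping when `(stat directory)` and `(stat (string-append directory "/.."))` report the same `stat:dev` and `stat:ino`, which also gives a natural place to stop at device boundaries, as libgit2's `find_repo` does. Two smaller points on the same lines: `file-exists?` also accepts a directory named `guix.scm`, so a file-type check would be stricter, and the docstring should say that the search stops at the first ancestor owned by another user, since that is the security property callers rely on.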
> What would happen if someone creates a temporary directory
> "/tmp/stuff" to do things in and throw away later (setting permissions appropriately),
> tries to create a guix.scm in that directory but misspells it as, say, guix.sm, and runs
> "guix shell" from within /tmp/stuff? Then find-file-in-parent-directories would
> load /tmp/guix.scm (possibly created by a local attacker, assuming a multi-user system)
> -- if it weren't for the (= (stat:uid (stat directory)) (getuid)).
>
> Because of the (= (stat:uid ...) (getuid)), this attack method is not possible.

Right. :-)

In libgit2, ‘find_repo’ (called by ‘git_repository_discover’) stops at
device boundaries, which is wise. But it doesn’t stop when the parent
has a different owner (!).

Unlike the code above, it does lexical “..” resolution after first
calling realpath(3) on the directory name; not sure what to think about
this.

(The code of Git itself is harder to read for me.)

> However, it causes other issues. Now it isn't possible for two users (that trust
> each other) to set up a directory writable by both (e.g. with ACLs, or by making
> the directory group-writable and placing the two users in the same group) for
> working together, with a guix.scm usable by both.
>
> These can be two users on the same machine, or remotely via something like NFS,
> or a single person having multiple user accounts used for different purposes.

Well, sure, but that’s a very uncommon scenario, isn’t it?

I was actually hesitant about this find-in-parent behavior. I find it
convenient that ‘git’ does that, for instance, so I thought it might be
nice as well.

Thoughts?

Ludo’.
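The two stopping rules discussed in this thread, the patch's owner check and libgit2's device-boundary stop, combined in one parent-directory search. This is an added illustration in Python, not code from the patch, from Guix or from libgit2; `find_file_in_parent_directories`, its `uid` keyword and the `demo` helper with its scratch directory tree (a `manifest.scm` in a project directory and the misspelled `guix.sm` from Maxime's scenario) are all constructed for the example. Like libgit2 it canonicalises the start directory once with realpath(3) and then resolves ".." lexically, where the patch appends "/.." and lets the kernel resolve it.

```python
import os
import tempfile
from pathlib import Path


def find_file_in_parent_directories(candidates, start=None, *, uid=None):
    """Return the path of the first of CANDIDATES found in START or one of its
    ancestors, or None.  START defaults to the current directory.

    Two stopping rules:
      * give up as soon as a directory is not owned by UID (the current user
        by default), so a misspelled guix.scm in /tmp/stuff never falls
        through to a /tmp/guix.scm planted by another user;
      * give up when the walk crosses onto another device (mount point).
    The start directory is canonicalised once with realpath(3) and ".." is
    then resolved lexically (the libgit2 approach).
    """
    if uid is None:
        uid = os.getuid()
    directory = Path(os.path.realpath(start if start is not None else os.getcwd()))
    start_device = os.stat(directory).st_dev
    while True:
        info = os.stat(directory)
        if info.st_uid != uid or info.st_dev != start_device:
            return None          # other owner or other filesystem: stop here
        for name in candidates:
            candidate = directory / name
            if candidate.is_file():   # a directory called guix.scm does not count
                return str(candidate)
        parent = directory.parent
        if parent == directory:  # reached "/": nothing found
            return None
        directory = parent


def demo():
    """Constructed scenario for this example (not from the thread): a scratch
    tree <tmp>/project/manifest.scm plus <tmp>/project/work/guix.sm, the
    misspelled file from the discussion.  Returns the observations as a dict."""
    names = ["guix.scm", "manifest.scm"]
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp, "project")
        work = project / "work"
        work.mkdir(parents=True)
        (project / "manifest.scm").write_text(";; constructed sample manifest\n")
        (work / "guix.sm").write_text(";; misspelled: must not be picked up\n")

        # Same owner all the way up: the search skips guix.sm and finds the
        # parent directory's manifest.scm.
        found = find_file_in_parent_directories(names, start=work)
        # A tree owned by somebody else is simulated by checking against a
        # foreign uid: the very first directory fails the owner test.
        foreign = find_file_in_parent_directories(names, start=work, uid=os.getuid() + 1)

        return {
            "found_name": Path(found).name if found else None,
            "found_in_project_dir": found is not None
            and Path(found).parent == Path(os.path.realpath(project)),
            "foreign_owner_result": foreign,
        }


if __name__ == "__main__":
    print(demo())
```

Note that the device test answers the libgit2 concern but not Maxime's: a shared, group-writable project directory owned by a colleague still stops the search, exactly as with the patch, so a deployment that wants that use case has to relax the owner rule deliberately rather than by accident.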