4d3c142e0b
* gnu/local.mk (dist_patch_DATA): Add the patch * gnu/packages/patches/openssh-trust-guix-store-directory.patch: Patch it * gnu/packages/ssh.scm (openssh[source]): Use it. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
40 lines
1.3 KiB
Diff
40 lines
1.3 KiB
Diff
From 0d85bbd42ddcd442864a9ba4719aca8b70d68048 Mon Sep 17 00:00:00 2001
|
|
From: Alexey Abramov <levenson@mmer.org>
|
|
Date: Fri, 22 Apr 2022 11:32:15 +0200
|
|
Subject: [PATCH] Trust guix store directory
|
|
|
|
To be able to execute binaries defined in OpenSSH configuration, we
|
|
need to tell OpenSSH that we can trust Guix store objects. safe_path
|
|
procedure takes a canonical path and for each component, walking
|
|
upwards, checks ownership and permissions constrains which are: must
|
|
be owned by root, not writable by group or others.
|
|
---
|
|
misc.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/misc.c b/misc.c
|
|
index 0134d69..7131d5e 100644
|
|
--- a/misc.c
|
|
+++ b/misc.c
|
|
@@ -2146,6 +2146,7 @@ int
|
|
safe_path(const char *name, struct stat *stp, const char *pw_dir,
|
|
uid_t uid, char *err, size_t errlen)
|
|
{
|
|
+ static const char guix_store[] = @STORE_DIRECTORY@;
|
|
char buf[PATH_MAX], homedir[PATH_MAX];
|
|
char *cp;
|
|
int comparehome = 0;
|
|
@@ -2178,6 +2179,10 @@ safe_path(const char *name, struct stat *stp, const char *pw_dir,
|
|
}
|
|
strlcpy(buf, cp, sizeof(buf));
|
|
|
|
+ /* If we are past the Guix store then we can stop */
|
|
+ if (strcmp(guix_store, buf) == 0)
|
|
+ break;
|
|
+
|
|
if (stat(buf, &st) == -1 ||
|
|
(!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
|
|
(st.st_mode & 022) != 0) {
|
|
--
|
|
2.34.0
|
|
|