mirror of
https://git.savannah.gnu.org/git/guix.git
synced 2026-04-06 21:20:33 +02:00
3fd1690a73
* gnu/packages/ssh.scm (openssh): Updatet to 10.2p1. * gnu/packages/patches/openssh-trust-guix-store-directory.patch: Regenerate. Change-Id: I7214d91bd8ffd0528c4150c92abc995bd3355f0e Signed-off-by: Ludovic Courtès <ludo@gnu.org>
66 lines
2.0 KiB
Diff
66 lines
2.0 KiB
Diff
From 0d85bbd42ddcd442864a9ba4719aca8b70d68048 Mon Sep 17 00:00:00 2001
|
|
From: Alexey Abramov <levenson@mmer.org>
|
|
Date: Fri, 22 Apr 2022 11:32:15 +0200
|
|
Subject: [PATCH] Trust guix store directory
|
|
|
|
To be able to execute binaries defined in OpenSSH configuration, we need to
|
|
tell OpenSSH that we can trust Guix store objects. safe_path procedure is
|
|
patched to assume files in Guix store to be safe. Additionally configuration
|
|
file placed in Guix store is assumed to be safe to load.
|
|
---
|
|
misc.c | 6 ++++++
|
|
readconf.c | 7 ++++---
|
|
2 files changed, 10 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/misc.c b/misc.c
|
|
index dd0bd032a..6b866464c 100644
|
|
--- a/misc.c
|
|
+++ b/misc.c
|
|
@@ -2271,6 +2271,7 @@
|
|
safe_path(const char *name, struct stat *stp, const char *pw_dir,
|
|
uid_t uid, char *err, size_t errlen)
|
|
{
|
|
+ static const char guix_store[] = @STORE_DIRECTORY@;
|
|
char buf[PATH_MAX], buf2[PATH_MAX], homedir[PATH_MAX];
|
|
char *cp;
|
|
int comparehome = 0;
|
|
@@ -2288,6 +2289,11 @@
|
|
snprintf(err, errlen, "%s is not a regular file", buf);
|
|
return -1;
|
|
}
|
|
+ // the file is trusted when it is located in guix store
|
|
+ if (strncmp(buf, guix_store, strlen(guix_store)) == 0) {
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
|
|
(stp->st_mode & 022) != 0) {
|
|
snprintf(err, errlen, "bad ownership or modes for file %s",
|
|
diff --git a/readconf.c b/readconf.c
|
|
index 7cbe7d2c2..40a5f1ace 100644
|
|
--- a/readconf.c
|
|
+++ b/readconf.c
|
|
@@ -2602,6 +2602,7 @@
|
|
{
|
|
FILE *f;
|
|
char *line = NULL;
|
|
+ char errmsg[512];
|
|
size_t linesize = 0;
|
|
int linenum;
|
|
int bad_options = 0;
|
|
@@ -2617,9 +2618,9 @@
|
|
|
|
if (fstat(fileno(f), &sb) == -1)
|
|
fatal("fstat %s: %s", filename, strerror(errno));
|
|
- if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
|
|
- (sb.st_mode & 022) != 0))
|
|
- fatal("Bad owner or permissions on %s", filename);
|
|
+ if (safe_path(filename, &sb, pw->pw_dir, pw->pw_uid, errmsg, sizeof(errmsg)) != 0) {
|
|
+ fatal(errmsg);
|
|
+ }
|
|
}
|
|
|
|
debug("Reading configuration data %.200s", filename);
|
|
--
|
|
2.49.0
|