bug#53752: guix home symlink permissions
From: Liliana Marie Prikler
Subject: bug#53752: guix home symlink permissions
Date: Tue, 08 Feb 2022 08:01:33 +0100
User-agent: Evolution 3.42.1

Am Montag, dem 07.02.2022 um 22:02 +0100 schrieb Maxime Devos:
> Zacchaeus Scheffer schreef op ma 07-02-2022 om 14:47 [-0500]:
> > I was able to create the desired effect with the following service
> > definition:
> > (simple-service
> >  'my-activation-service
> >  home-activation-service-type
> >  (gexp
> >   (begin
> >     (chdir (ungexp user-home))
> >     (if (not (file-exists? ".ssh"))
> >         (mkdir ".ssh"))
> >     (chmod ".ssh" #o700)
> >     (chdir ".ssh")
> >     (let ((port (open-output-file "authorized_keys")))
> >       (display (ungexp authorized-keys) port)
> >       (close-port port))
> >     (chmod "authorized_keys" #o600)
> >     (chdir ".."))))
> > where 'user-home and 'authorized-keys are appropriate strings
> > defined earlier in the file.
> >
> > I believe that resolves the issue,
>
> Users shouldn't have to do this (relatively) huge block of relatively
> inscrutable code though, I believe something along these lines (or a
> different solution) needs to be implemented in Guix itself somewhere
> before the issue is resolved.
I'll again be pointing at the "don't put secrets into your store"
shield. We'd have to find a reasonable way of encrypting sensitive
data before we can do a home-ssh-service-type.

@Zacchaeus, your code can likely be simplified to

  #~(with-directory-excursion #$user-home
      (mkdir-p ".ssh")
      (chmod ".ssh" #o700)
      (with-directory-excursion ".ssh"
        (copy-file #$authorized-keys "authorized_keys")
        (chmod "authorized_keys" #o600)))

though perhaps there's some magic incantation to import (guix build
utils) for mkdir-p and with-directory-excursion that I'm missing here.

Cheers
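
Added example, not part of the original message or of Guix: a POSIX shell check that the activation snippets above left .ssh as a real directory with mode 700 and authorized_keys as a regular file with mode 600 rather than a symlink. The function names check_entry and check_ssh_perms are hypothetical, and GNU stat (-c) is assumed.

```shell
#!/bin/sh
# Added example: audit the result the activation snippet is meant to produce.
# Usage after sourcing this file: check_ssh_perms "$HOME"

# check_entry PATH KIND MODE
#   KIND is d (directory) or f (regular file); MODE is octal, e.g. 700.
check_entry() {
    path=$1 kind=$2 want=$3
    # Test for a symlink first: -d/-f and stat follow links, so a link
    # would otherwise be judged by its target's type and mode.
    if [ -L "$path" ]; then
        echo "FAIL $path: is a symlink to $(readlink "$path")"
        return 1
    fi
    if ! test "-$kind" "$path"; then
        echo "FAIL $path: missing or wrong type"
        return 1
    fi
    have=$(stat -c '%a' "$path")
    if [ "$have" != "$want" ]; then
        echo "FAIL $path: mode $have, expected $want"
        return 1
    fi
    echo "ok   $path ($have)"
}

# check_ssh_perms HOME_DIR
#   Reports every finding and returns 0 only if both entries pass.
check_ssh_perms() {
    rc=0
    check_entry "$1/.ssh" d 700 || rc=1
    check_entry "$1/.ssh/authorized_keys" f 600 || rc=1
    return $rc
}
```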