[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store
From: |
Alexey Abramov |
Subject: |
[bug#55034] [PATCH 0/1] Let openssh trust /gnu/store |
Date: |
Fri, 22 Apr 2022 09:33:45 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) |
Hi Tobias,
Thanks for the review.
Tobias Geerinckx-Rice <me@tobias.gr> writes:
[...]
> The RO bind mount is not a hard guarantee, and a footgun protector
> against accidental writes, not primarily a security feature (IMO).
>
> By design, *anyone* can write *anything* to the store by talking to
> the daemon. They just can't choose the file name. A much weaker
> guarantee than OpenSSH assumes, at the very least.
Even though I knew how the daemon works, I find your explanation very
nice and clear. Thank you.
[...]
>
> Why is 'RO location' relevant here?
>
> If the snippet you quote above is complete, which requirement does the
> un-bind-mounted store not meet? I can't think of one off the top o'
> me head?
Here is a comment from safe_path function
--8<---------------cut here---------------start------------->8---
/*
* Check a given path for security. This is defined as all components of
* the path to the file must be owned by either the owner of of the file
* or root and no directories must be group or world writable.
*
* XXX Should any specific check be done for sym links ?
*
* Takes a file name, its stat information (preferably from fstat() to
* avoid races), the uid of the expected owner, their home directory and
* an error buffer plus max size as arguments.
*
* Returns 0 on success and -1 on failure /
--8<---------------cut here---------------end--------------->8---
I probably had to post it first, to avoid
misunderstanding. sshd_config(5) is not that clear unfortunately. Due to
group write permissions on the /gnu/store directory, safe_path doesn't
allow openssh execute it.
Couple of months ago I posted this problem on IRC, and you mentioned the
read-only mount thingy. So I was trying to take advantage of that.
What other options do I have?
> That's a lot of trust. Tens of gigabytes on average.
=)
> We explicitly rejected that idea in IceCat for example, instead
> whitelisting only specific store subdirectories. Why is OpenSSH
> different?
I didn't know that. I don't treat OpenSSH any different than other
software either. Whitelist some specific directory is a really good
option here, even though It introduces some secret knowledge.
> The rationale and its assumptions (also) belong in the patch itself,
> not just a separate mail.
True. Let me put some more context on what I am trying to do. We have
LDAP server which also holds users' ssh keys. I package a simple wrapper
for LDAP search which returns them. I would like to use it with OpenSSH,
however due to the way it checks executable in the configuration, I
don't see the way to use it.
I assume it is possible to copy that store object somewhere, but it
doesn't look right to me.
--
Alexey