| author | Sergey Trofimov <sarg@sarg.org.ru> | 2025-04-23 16:13:10 +0200 |
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2025-05-06 00:16:33 +0200 |
| commit | eab097c682ed31efd8668f46fce8de8f73b92849 (patch) | |
| tree | 74c7510d82fb2d20cac2c8d24efac07de23f3e77 /gnu/packages/ssh.scm | |
| parent | d9e0bb44c07a3c0b9db5bc966042571817c163ad (diff) | |
gnu: openssh: Adapt for root-less guix store.
Fixes <https://issues.guix.gnu.org/78067>.
Previously sshd would use /gnu/store/…-openssh-…/var/empty as its
PRIVSEP_PATH. However, when using the unprivileged daemon, that
directory would belong to guix-daemon:guix-daemon, leading to this
error:
sshd[234]: fatal: /gnu/store/…-openssh-10.0p1/var/empty must be owned by root and not group or world-writable.
Fix that by switching to /var/empty.
* gnu/packages/patches/openssh-trust-guix-store-directory.patch
(openssh): Adjust to trust files in guix store owned by guix-daemon.
* gnu/packages/ssh.scm (openssh)[arguments]: Remove ‘reset-/var/empty’
phase; change ‘install’ phase to not create PRIVSEP_PATH. Append
ending slash when substituting STORE_DIRECTORY.
Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f
Reported-by: Zack Weinberg <zack@owlfolio.org>
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
Diffstat (limited to 'gnu/packages/ssh.scm')
| -rw-r--r-- | gnu/packages/ssh.scm | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index de99bbfc907..f14dd431ac6 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -275,16 +275,11 @@ a server that supports the SSH-2 protocol.") '())) #:phases #~(modify-phases %standard-phases - (add-after 'configure 'reset-/var/empty - (lambda _ - (substitute* "Makefile" - (("PRIVSEP_PATH=/var/empty") - (string-append "PRIVSEP_PATH=" #$output "/var/empty"))))) (add-after 'configure 'set-store-location (lambda _ (substitute* "misc.c" (("@STORE_DIRECTORY@") - (string-append "\"" (%store-directory) "\""))))) + (string-append "\"" (%store-directory) "/\""))))) (add-before 'check 'patch-tests (lambda _ (substitute* "regress/test-exec.sh" @@ -297,9 +292,10 @@ a server that supports the SSH-2 protocol.") (string-append pre post))))) (replace 'install (lambda* (#:key (make-flags '()) #:allow-other-keys) - ;; Install without host keys and system configuration files. This - ;; will install /var/empty to the store, which is needed by the - ;; system openssh-service-type. + ;; Don't create /var/empty. + (substitute* "Makefile" + ((".*MKDIR_P.*PRIVSEP_PATH.*") "")) + ;; Install without host keys and system configuration files. (apply invoke "make" "install-nosysconf" make-flags) (with-directory-excursion "contrib" (chmod "ssh-copy-id" #o555) |
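Review bot: In the 'set-store-location' phase (first hunk), the trailing slash now added by `(string-append "\"" (%store-directory) "/\"")` carries no comment saying why it matters. If the value substituted for `@STORE_DIRECTORY@` in misc.c is compared as a path prefix, the slash is what keeps a sibling directory whose name merely starts with the store path from matching, and a later cleanup could drop it without noticing. Please add a one-line comment above the `substitute*` stating that the string must end in "/" and why, and confirm that `(%store-directory)` never returns a value that already ends in a slash, since that would produce "//" here.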
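Review bot: In the replaced 'install' phase (second hunk), the pattern `".*MKDIR_P.*PRIVSEP_PATH.*"` fails open: `substitute*` does not complain when nothing matches, so if a future OpenSSH Makefile words that line differently, `make install-nosysconf` will again try to create PRIVSEP_PATH, which with the 'reset-/var/empty' phase removed is now /var/empty rather than a path under the output. Consider checking that the line was actually removed, or moving the edit into its own phase after 'configure' next to 'set-store-location' so all Makefile and source rewrites sit together. The deleted comment also said the store copy of /var/empty was "needed by the system openssh-service-type"; the diff shown here is limited to ssh.scm, so please confirm that the service now creates /var/empty as a root-owned directory that is not group or world-writable before sshd starts, and keep a short note in the new comment saying who is responsible for creating it.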
