From eab097c682ed31efd8668f46fce8de8f73b92849 Mon Sep 17 00:00:00 2001
From: Sergey Trofimov
Date: Wed, 23 Apr 2025 16:13:10 +0200
Subject: gnu: openssh: Adapt for root-less guix store.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes .
Previously sshd would use /gnu/store/…-openssh-…/var/empty as its PRIVSEP_PATH. However, when using the unprivileged daemon, that directory would belong to guix-daemon:guix-daemon, leading to this error:
sshd[234]: fatal: /gnu/store/…-openssh-10.0p1/var/empty must be owned by root and not group or world-writable.
Fix that by switching to /var/empty.
* gnu/packages/patches/openssh-trust-guix-store-directory.patch (openssh): Adjust to trust files in guix store owned by guix-daemon.
* gnu/packages/ssh.scm (openssh)[arguments]: Remove ‘reset-/var/empty’ phase; change ‘install’ phase to not create PRIVSEP_PATH.. Append ending slash when substituting STORE_DIRECTORY.
Change-Id: I3bd01f8b9d6406e3b886eea8f4b8c265a51cc72f
Reported-by: Zack Weinberg
Signed-off-by: Ludovic Courtès
---
 gnu/packages/ssh.scm | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)
(limited to 'gnu/packages/ssh.scm')
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index de99bbfc907..f14dd431ac6 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -275,16 +275,11 @@ a server that supports the SSH-2 protocol.")
 '()))
 #:phases
 #~(modify-phases %standard-phases
- (add-after 'configure 'reset-/var/empty
- (lambda _
- (substitute* "Makefile"
- (("PRIVSEP_PATH=/var/empty")
- (string-append "PRIVSEP_PATH=" #$output "/var/empty")))))
 (add-after 'configure 'set-store-location
 (lambda _
 (substitute* "misc.c"
 (("@STORE_DIRECTORY@")
- (string-append "\"" (%store-directory) "\"")))))
+ (string-append "\"" (%store-directory) "/\"")))))
 (add-before 'check 'patch-tests
 (lambda _
 (substitute* "regress/test-exec.sh"
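Review bot: The trailing "/" now appended in the 'set-store-location phase has no comment saying why it is needed, and it looks security-relevant. If the patched misc.c uses the substituted string as a path prefix when deciding which files to trust (the commit message suggests so, but that patch is not part of this diff), the slash is what keeps a sibling directory such as `/gnu/store-x` from matching. A comment above the substitution would record that, e.g. `;; The trailing slash matters: misc.c matches this as a path prefix, and without it "/gnu/store-x" would match too.` The enclosing `modify-phases` form starts before and continues past this hunk.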
@@ -297,9 +292,10 @@ a server that supports the SSH-2 protocol.")
 (string-append pre post)))))
 (replace 'install
 (lambda* (#:key (make-flags '()) #:allow-other-keys)
- ;; Install without host keys and system configuration files. This
- ;; will install /var/empty to the store, which is needed by the
- ;; system openssh-service-type.
+ ;; Don't create /var/empty.
+ (substitute* "Makefile"
+ ((".*MKDIR_P.*PRIVSEP_PATH.*") ""))
+ ;; Install without host keys and system configuration files.
 (apply invoke "make" "install-nosysconf" make-flags)
 (with-directory-excursion "contrib"
 (chmod "ssh-copy-id" #o555)
-- cgit v1.3
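Review bot: After this change nothing in the visible diff guarantees that /var/empty exists at run time, and the removed comment said openssh-service-type relied on the copy installed in the store. sshd refuses to start unless the privilege-separation directory is owned by root and not group- or world-writable (the error quoted in the commit message), so that requirement has moved from the package to whoever runs sshd. The new comment could say so: `;; Don't create /var/empty; it must exist at run time, owned by root and not group/world-writable.` The deletion pattern `.*MKDIR_P.*PRIVSEP_PATH.*` is also broad enough to drop any Makefile line that mentions both names, so it is worth confirming it matches only the mkdir line. The `replace 'install` lambda continues past the end of the hunk.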