nix-community / nix-user-chroot

Install & Run nix without root permissions [maintainer=@Mic92]
MIT License
281 stars 25 forks

ssh errors out if its configuration includes other files when run under nix-user-chroot #61

Closed miniBill closed 3 years ago

miniBill commented 3 years ago

How to reproduce

  1. Inside /etc/ssh/ssh_config, have a line like Include /etc/ssh/ssh_config.d/*.conf
  2. Create, outside the chroot, a file inside /etc/ssh/ssh_config.d, owned by root
  3. Run nix-user-chroot ~/.nix ssh git@github.com -vvv

What happens

OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 19: Including file /etc/ssh/ssh_config.d/XXX.conf depth 0
Bad owner or permissions on /etc/ssh/ssh_config.d/XXX.conf

What should happen

ssh works correctly

Why does this happen

That file, from inside the chroot, appears as owned by nobody. Interestingly enough, /etc/ssh_config is "owned" by nobody too, but it doesn't trigger the error.

How to fix this

Uh. Maybe have ssh not read those??? It's not a great solution, tbh.
I cannot delete that file or integrate it inside the main ssh_config unfortunately.

Another option would be to allow additional bind mounts as options from the CLI?

Mic92 commented 3 years ago

User namespaces only allow mapping a single uid (your own) to a different uid in the user namespace. Hence all other uids will be mapped to nobody. We need user namespaces in order to use mount namespaces without root. This is a fundamental disadvantage and I don't see any other way around it except having nix-user-chroot require root, which would defeat its purpose.
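An added illustration, not code from this issue or from nix-user-chroot, that models the two rules interacting here: the single-uid mapping of the user namespace (every unmapped uid, root included, shows up as the overflow uid, assumed to be 65534 as on a default kernel) and the ownership rule behind OpenSSH's "Bad owner or permissions" message (the file must be owned by root or the invoking user and must not be group- or other-writable). The function names are my own.

```python
import os
import stat

# Assumption: the kernel overflow uid that unmapped owners resolve to ("nobody").
OVERFLOW_UID = 65534


def map_uid_into_userns(host_uid: int, my_uid: int) -> int:
    """Model of the user namespace nix-user-chroot runs in: only the caller's
    own uid is mapped, so every other owner (root included) appears as nobody."""
    return host_uid if host_uid == my_uid else OVERFLOW_UID


def ssh_config_owner_check(st_uid: int, st_mode: int, my_uid: int) -> tuple[bool, str]:
    """The rule OpenSSH applies to the config files it checks for safety:
    owned by root or by the invoking user, and no group/other write bits."""
    if st_uid != 0 and st_uid != my_uid:
        return False, "bad owner"
    if st_mode & 0o022:
        return False, "bad permissions"
    return True, "ok"


def explain(host_uid: int, mode: int, my_uid: int) -> dict:
    """Combine both rules: what a root-owned include file looks like from inside
    the namespace, and whether ssh would accept it there."""
    seen_uid = map_uid_into_userns(host_uid, my_uid)
    ok, reason = ssh_config_owner_check(seen_uid, mode, my_uid)
    return {"host_uid": host_uid, "seen_uid": seen_uid, "ok": ok, "reason": reason}


def check_path(path: str, inside_userns: bool = False) -> dict:
    """Stat a real file and report how ssh would judge it, optionally applying
    the namespace mapping to show what nix-user-chroot would see."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    my_uid = os.getuid()
    if inside_userns:
        return explain(st.st_uid, mode, my_uid)
    ok, reason = ssh_config_owner_check(st.st_uid, mode, my_uid)
    return {"host_uid": st.st_uid, "seen_uid": st.st_uid, "ok": ok, "reason": reason}


if __name__ == "__main__":
    # Constructed case from the issue: root-owned, mode 0644 include file, uid 1000 user.
    print(explain(0, 0o644, 1000))       # outside the namespace this file is fine
    print(explain(1000, 0o600, 1000))    # a file you own yourself keeps working
```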

Mic92 commented 3 years ago

You might be able to build a similar environment to nix-user-chroot with bubblewrap and mount a user-owned ssh configuration to /etc/ssh/ssh_config.d/, but then you would also need to map your own uid to root to make openssh happy.

miniBill commented 3 years ago

So using bubblewrap I could have a different ssh config that doesn't do the include I guess? I expect it could work.

Can I tell git/ssh to just ignore the config in /etc/ssh?

ETA: bubblewrap is setuid though, so it kinda defeats the purpose of "install nix without being root" I guess :thinking:

Mic92 commented 3 years ago

bubblewrap also works without setuid. We use this in one FHSUserEnv implementation in nixpkgs. Bubblewrap would allow you to bind mount a different /etc/ssh/. You would need to run bubblewrap so it bind mounts your nix store to /nix.

hmenke commented 2 years ago

A workaround for this issue is to explicitly specify a configfile on the command line:

ssh -F ~/.ssh/config ...

From the man page:

     -F configfile
             Specifies an alternative per-user configuration file.  If a
             configuration file is given on the command line, the system-wide
             configuration file (/etc/ssh/ssh_config) will be ignored.  The
             default for the per-user configuration file is ~/.ssh/config.
             If set to “none”, no configuration files will be read.