bug-guix

bug#73166: shell-autorized-directories


From: Nicolas Graves
Subject: bug#73166: shell-autorized-directories
Date: Tue, 12 Nov 2024 08:52:20 +0100

On 2024-11-11 20:46, Suhail Singh wrote:

> Saku Laesvuori via Bug reports for GNU Guix <bug-guix@gnu.org> writes:
>
>> Anyway, I am not opposed to this change. The only effects for my use
>> cases are positive (nicer UI with the --allow flag). I just want to
>> point out that I don't think this makes any attacks significantly
>> harder.
>
> FWIW, this summarizes my belief as well.  I do see some improvements in
> convenience, but the threat model where this improves security (threat
> actor has access to the repository, but the files are such that the
> threat actor isn't able to modify their semantics without first
> modifying the files) seems contrived.  Am I mistaken?
>
> If not, while I don't have objections to the change (and do believe it
> has some value), I do have reservations about claiming security
> benefits.

My last message to Saku basically agreed to this ;)

I still think it improves it for my specific use-case and for the
addition of explicit user agreement to load code exterior to
manifest/guix.scm in the case this file is trusted but compromised.

But I agree the first message was probably too focussed on marginal
security improvements and we shouldn't sell a false promise that could
make people less careful.

I'm actually willing to improve that patch series if you have better
ideas/implementations, I was just building on what I know
(direnv/.dir-locals.el). Maybe we should only allow running automatically
when the manifest is able to build without network access in container
mode. Or include things like automatic git commit authentication on such
allowed repositories.  But I'm not sure if they are convenient or easy
to implement, or make sense.

-- 
Best regards,
Nicolas Graves
