guix_mirror_bot pushed a commit to branch master
in repository guix.

commit 38e82ca727512754c4ac9b43353255c91cadab8c
Author: Ludovic Courtès <[email protected]>
AuthorDate: Mon Jul 14 13:08:48 2025 +0200

    pki: Always make /etc/guix/acl world-readable.
    
    Fixes guix/guix#664.
    
    This is necessary when running ‘guix-daemon’ as an unprivileged user and
    also when running ‘guix weather’ as an unprivileged user.
    
    * guix/pki.scm (ensure-acl): Make ‘%acl-file’ #o644.
    * guix/scripts/archive.scm (authorize-key): Likewise.
    * guix/ssh.scm (remote-authorize-signing-key): Likewise.
    
    Change-Id: I3c979b2cdf52e7cb657d8fafa244c58854e7fb67
---
 guix/pki.scm             | 5 +++--
 guix/scripts/archive.scm | 5 +++--
 guix/ssh.scm             | 5 +++--
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/guix/pki.scm b/guix/pki.scm
index 93932128cd..91c1be531a 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès <[email protected]>
+;;; Copyright © 2013-2014, 2016, 2022, 2025 Ludovic Courtès <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -87,7 +87,8 @@ element in KEYS must be a canonical sexp with type 
'public-key'."
         (with-atomic-file-output %acl-file
           (lambda (port)
             (write-acl (public-keys->acl (list public-key))
-                       port)))))))
+                       port)))
+        (chmod %acl-file #o644)))))
 
 (define (write-acl acl port)
   "Write ACL to PORT in canonical-sexp format."
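Review bot: The `(chmod %acl-file #o644)` added after `with-atomic-file-output` runs only once the new file is already in place, so readers can briefly see the ACL with the mode of the freshly written file. Assuming `with-atomic-file-output` renames a privately created temporary file onto the target (its definition is not part of this diff), that window fails closed, but an unprivileged `guix-daemon` or `guix weather` could still hit a transient permission error, and a crash between the two steps leaves the file unreadable. Setting the mode on the open port before the rename avoids both: `(lambda (port) (write-acl (public-keys->acl (list public-key)) port) (chmod port #o644))`. The same ordering appears in the guix/scripts/archive.scm and guix/ssh.scm hunks, where `(cut write-acl acl <>)` would become the equivalent lambda. The body of `ensure-acl` starts above this hunk.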
diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index 2b5a55a23f..cf2c045c2e 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès 
<[email protected]>
+;;; Copyright © 2013-2017, 2019-2021, 2025 Ludovic Courtès <[email protected]>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -324,7 +324,8 @@ the input port."
     (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
       (mkdir-p (dirname %acl-file))
       (with-atomic-file-output %acl-file
-        (cut write-acl acl <>)))))
+        (cut write-acl acl <>))
+      (chmod %acl-file #o644))))
 
 (define (list-contents port)
   "Read a nar from PORT and print the list of files it contains to the current
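Review bot: The `(mkdir-p (dirname %acl-file))` just above the new chmod still leaves the directory mode to the process umask, so under a restrictive umask the ACL could end up 644 inside a directory other users cannot traverse. This assumes `mkdir-p` applies no explicit mode, which is not visible here; if so, the unprivileged readers named in the commit message would still be locked out on a fresh install. It would help to document the requirement next to the chmod, e.g. `;; The ACL holds public keys only: world-readable, owner-writable; its directory must be o+x too.`, or to check the directory mode explicitly. The same sequence appears in the guix/ssh.scm hunk, and `authorize-key` starts above this hunk.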
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 9e504c054c..20a35b2712 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2016-2021, 2023-2024 Ludovic Courtès <[email protected]>
+;;; Copyright © 2016-2021, 2023-2025 Ludovic Courtès <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -458,7 +458,8 @@ to the system ACL file if it has not yet been authorized."
         (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
           (mkdir-p (dirname %acl-file))
           (with-atomic-file-output %acl-file
-            (cut write-acl acl <>)))))
+            (cut write-acl acl <>))
+          (chmod %acl-file #o644))))
    session
    become-command))
 
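Review bot: The new `(chmod %acl-file #o644)` sits inside the same `let` as the rewrite, which, judging by the docstring's "if it has not yet been authorized", is probably reached only when the key is actually being added. A remote host whose ACL already lists the key but was written with a tighter mode would then keep that mode, so the "always" in the commit title does not hold on this path. If that matters, the chmod could move after the conditional, or the limitation could be stated in a comment such as `;; The mode is fixed up only when the ACL is rewritten.` The guard itself lies above the hunk, so this is inferred; `ensure-acl` in guix/pki.scm looks similar.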
