GNU logs - #77201, boring messages


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#77201] [PATCH] guix: substitute-key-authorization: Fix case when acl symlink is broken
Resent-From: Rutherther <rutherther@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sun, 23 Mar 2025 09:49:01 +0000
Resent-Message-ID: <handler.77201.B.17427233302470 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: report 77201
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 77201 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>
X-Debbugs-Original-To: guix-patches@HIDDEN
From: Rutherther <rutherther@HIDDEN>
Date: Sun, 23 Mar 2025 10:48:28 +0100
Message-ID: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
X-Mailer: git-send-email 2.48.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

One possible solution for an issue when the /etc/guix/acl file exists, but points
to a non-existent location. This can for example happen if one is
reinitializing the system and removes only /gnu/store and /var/guix, keeping the
rest okay. This is a major advantage of guix as compared to other distros that
usually need you to reinitialize the whole root partition. But this will leave
the user with an acl file pointing to a non-existent location. The file-exists?
procedure will return #f for broken symbolic links.

I think that another reason one would get this issue is if one was booted in
a live iso, chrooted, fixing their system. They would switch generations to
one with a different acl file, delete other generations gc rooting the original
acl file and then gc. One could use this approach for example when recovering
from file corruptions in the store, to get rid of the unsubstitutable paths
that can't be repaired with guix gc --verify.

I don't know if there is a better way as I am not that proficient in guile,
but I definitely think this should be fixed and it should be checked if
anything exists in that place, not that the link points to a known location.
Does Guile have a procedure for that that I am missing? If not, shouldn't
we create one in Guix? I can imagine this being a common mistake, where we
want to check if something exists at place 'x', without caring if it's
actually an accessible file. I was looking online and someone made themselves
a function 'file-exists??' that checked basically what I did here - that
it's either a valid file on the disk, or a broken symlink.

While debugging this issue I also noticed a similar issue can occur in special
files and /run/current-system with the .new files that are created with the
symlink procedure without checking for their existence. While it's not likely
(especially because the symlink is moved the second it's created) that
the user would have /run/current-system.new or /bin/sh.new etc., I still
think it would be worth fixing to make sure the system can boot even in cases
where something goes horribly wrong.

* gnu/services/base.scm (substitute-key-authorization): Check if acl file is a
(broken) symbolic link

Change-Id: I2f8170606b2f4afeea48f04acfd738b04cafc7cf
---
 gnu/services/base.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index 0d2bb31190..e419d043ae 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -1845,7 +1845,7 @@ (define (substitute-key-authorization keys guix)
         ;; If the ACL already exists, move it out of the way.  Create a backup
         ;; if it's a regular file: it's likely that the user manually updated
         ;; it with 'guix archive --authorize'.
-        (if (file-exists? acl-file)
+        (if (or (file-exists? acl-file) (symbolic-link? acl-file))
             (if (and (symbolic-link? acl-file)
                      (store-file-name? (readlink acl-file)))
                 (delete-file acl-file)
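
Review bot: in the changed condition, `(symbolic-link? acl-file)` is evaluated exactly when `file-exists?` has returned #f, and that includes the case where /etc/guix/acl does not exist at all; `symbolic-link?` raises an exception for a nonexistent path, so a system with no ACL yet would fail here instead of skipping the branch. Consider doing a single `lstat` under `false-if-exception` and dispatching on `stat:type`, which separates "missing", "symlink" and "anything else" with one lookup. The comment above the condition still names only the existing-ACL and regular-file cases and should also say what happens to a dangling link.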

base-commit: fbfd2b93831978aadbb96f32cafdab997b04c6c6
prerequisite-patch-id: cf473eb15513404ca1d287f5b7eca109c848203c
prerequisite-patch-id: a46e75bdd193acb5e276e0aa31c77197a3254699
prerequisite-patch-id: a2b4aa0a33d89ee3f6c483aeb71a783cb0e63aa9
-- 
2.49.0




Message sent:


Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Rutherther <rutherther@HIDDEN>
Subject: bug#77201: Acknowledgement ([PATCH] guix: substitute-key-authorization:
 Fix case when acl symlink is broken)
Message-ID: <handler.77201.B.17427233302470.ack <at> debbugs.gnu.org>
References: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
X-Gnu-PR-Message: ack 77201
X-Gnu-PR-Package: guix-patches
X-Gnu-PR-Keywords: patch
Reply-To: 77201 <at> debbugs.gnu.org
Date: Sun, 23 Mar 2025 09:49:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 guix-patches@HIDDEN

If you wish to submit further information on this problem, please
send it to 77201 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
77201: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=77201
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#77201] [PATCH] guix: substitute-key-authorization: Fix case when acl symlink is broken
References: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
In-Reply-To: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
Resent-From: Ian Eure <ian@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Sat, 29 Mar 2025 17:10:02 +0000
Resent-Message-ID: <handler.77201.B77201.17432681809426 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 77201
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Rutherther <rutherther@HIDDEN>
Cc: 77201 <at> debbugs.gnu.org
From: Ian Eure <ian@HIDDEN>
User-Agent: mu4e 1.12.9; emacs 29.4
Date: Sat, 29 Mar 2025 10:09:24 -0700
Message-ID: <87jz87darf.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi Rutherther,

Rutherther <rutherther@HIDDEN> writes:

> One possible solution for an issue when the /etc/guix/acl file exists, but points
> to a non-existent location. This can for example happen if one is
> reinitializing the system and removes only /gnu/store and /var/guix, keeping the
> rest okay. This is a major advantage of guix as compared to other distros that
> usually need you to reinitialize the whole root partition. But this will leave
> the user with an acl file pointing to a non-existent location. The file-exists?
> procedure will return #f for broken symbolic links.
>
> I think that another reason one would get this issue is if one was booted in
> a live iso, chrooted, fixing their system. They would switch generations to
> one with a different acl file, delete other generations gc rooting the original
> acl file and then gc. One could use this approach for example when recovering
> from file corruptions in the store, to get rid of the unsubstitutable paths
> that can't be repaired with guix gc --verify.
>
> I don't know if there is a better way as I am not that proficient in guile,
> but I definitely think this should be fixed and it should be checked if
> anything exists in that place, not that the link points to a known location.
> Does Guile have a procedure for that that I am missing? If not, shouldn't
> we create one in Guix? I can imagine this being a common mistake, where we
> want to check if something exists at place 'x', without caring if it's
> actually an accessible file. I was looking online and someone made themselves
> a function 'file-exists??' that checked basically what I did here - that
> it's either a valid file on the disk, or a broken symlink.
>
> While debugging this issue I also noticed a similar issue can occur in special
> files and /run/current-system with the .new files that are created with the
> symlink procedure without checking for their existence. While it's not likely
> (especially because the symlink is moved the second it's created) that
> the user would have /run/current-system.new or /bin/sh.new etc., I still
> think it would be worth fixing to make sure the system can boot even in cases
> where something goes horribly wrong.

Thanks for the explanation.

> * gnu/services/base.scm (substitute-key-authorization): Check if acl file is a
> (broken) symbolic link
>
> Change-Id: I2f8170606b2f4afeea48f04acfd738b04cafc7cf
> ---
>  gnu/services/base.scm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/gnu/services/base.scm b/gnu/services/base.scm
> index 0d2bb31190..e419d043ae 100644
> --- a/gnu/services/base.scm
> +++ b/gnu/services/base.scm
> @@ -1845,7 +1845,7 @@ (define (substitute-key-authorization keys=20
> guix)
>          ;; If the ACL already exists, move it out of the way.=20
>          Create a backup
>          ;; if it's a regular file: it's likely that the user=20
>          manually updated
>          ;; it with 'guix archive --authorize'.
> -        (if (file-exists? acl-file)
> +        (if (or (file-exists? acl-file) (symbolic-link?=20
> acl-file))

Guile semantics are unhelpful here: `file-exists?' returns #f for
a broken symlink, but `symbolic-link?' raises an exception if
given a nonexistent path.  This means that if /etc/guix/acl doesn’t
exist, an exception will be raised.  There doesn’t appear to be a
simple way to determine if a file exists which doesn’t resolve
symlinks, which I think is a Guile bug.

Thinking through the possible situations here:

If /etc/guix/acl is a good symlink pointing into /gnu/store -> delete it.

If /etc/guix/acl is a broken symlink pointing anywhere -> delete it.

If /etc/guix/acl is a file -> rename it to ".bak"

else /etc/guix/acl must be missing -> mkdir-p /etc/acl.

...then populate /etc/guix/acl.

I think the right move here is to refactor the nested `if's into a
cond to simplify the logic, and wrap `symbolic-link?' in
`with-exception-handler' (possibly `let’-binding its result, since
multiple things need it).

Thanks,

  -- Ian




Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#77201] [PATCH] guix: substitute-key-authorization: Fix case when acl symlink is broken
Resent-From: Ludovic Courtès <ludo@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 15 Apr 2025 11:36:02 +0000
Resent-Message-ID: <handler.77201.B77201.174471690622057 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 77201
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ian Eure <ian@HIDDEN>
Cc: Rutherther <rutherther@HIDDEN>, 77201 <at> debbugs.gnu.org
From: Ludovic Courtès <ludo@HIDDEN>
In-Reply-To: <87jz87darf.fsf@HIDDEN> (Ian Eure's message of "Sat, 29 Mar
 2025 10:09:24 -0700")
References: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
 <87jz87darf.fsf@HIDDEN>
Date: Tue, 15 Apr 2025 13:30:20 +0200
Message-ID: <877c3lhdbn.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello,

Ian Eure <ian@HIDDEN> writes:

>> -        (if (file-exists? acl-file)
>> +        (if (or (file-exists? acl-file) (symbolic-link? acl-file))
>
> Guile semantics are unhelpful here: `file-exists?' returns #f for a
> broken symlink, but `symbolic-link?' raises an exception if given a
> nonexistent path.

I would go back to the fundamentals:

  (match (and=> (false-if-exception (lstat acl-file)) stat:type)
    (#f ;file does not exist
     …)
    ('symlink
     …)
    (_
     …))

HTH!

Ludo’.




Message sent to guix-patches@HIDDEN:


X-Loop: help-debbugs@HIDDEN
Subject: [bug#77201] [PATCH] guix: substitute-key-authorization: Fix case when acl symlink is broken
Resent-From: Rutherther <rutherther@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: guix-patches@HIDDEN
Resent-Date: Tue, 15 Apr 2025 18:27:02 +0000
Resent-Message-ID: <handler.77201.B77201.174474159332213 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 77201
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: Ludovic Courtès <ludo@HIDDEN>, Ian Eure <ian@HIDDEN>
Cc: 77201 <at> debbugs.gnu.org
From: Rutherther <rutherther@HIDDEN>
In-Reply-To: <877c3lhdbn.fsf@HIDDEN>
References: <f56c393fa6872cb0142564061ee17e5e7f8131cc.1742723299.git.rutherther@HIDDEN>
 <87jz87darf.fsf@HIDDEN> <877c3lhdbn.fsf@HIDDEN>
Date: Tue, 15 Apr 2025 20:26:19 +0200
Message-ID: <871ptt8eno.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hi Ludo,

Ludovic Courtès <ludo@HIDDEN> writes:

> Hello,
>
> Ian Eure <ian@HIDDEN> writes:
>
>>> -        (if (file-exists? acl-file)
>>> +        (if (or (file-exists? acl-file) (symbolic-link? acl-file))
>>
>> Guile semantics are unhelpful here: `file-exists?' returns #f for a
>> broken symlink, but `symbolic-link?' raises an exception if given a
>> nonexistent path.
>
> I would go back to the fundamentals:
>
>   (match (and=> (false-if-exception (lstat acl-file)) stat:type)
>     (#f ;file does not exist
>      …)
>     ('symlink
>      …)
>     (_
>      …))

This definitely helps, thanks, I am still not that skilled in Scheme, so
I wouldn't think about false-if-exception, and using match would also be
hard for me to figure out.

I have this now (untested for now)
```
(match (and=> (false-if-exception (lstat acl-file)) stat:type)
  (#f #f) ; File doesn't exist
  ('symlink ; Delete symlink pointing to store; backup otherwise.
   (if (or (store-file-name? (readlink acl-file)) ; Store symlink
           (not (file-exists? acl-file))) ; Broken symlink
       (delete-file acl-file)
       (rename-file acl-file (string-append acl-file ".bak"))))
  (_ ; Backup
   (rename-file acl-file (string-append acl-file ".bak"))))
```
I will probably also make this into a reusable function in guix utils
build, but I have been thinking about a good name and couldn't come up with
one for a week! Programmers problems, I guess.

WDYT

Thanks,
Rutherther
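
The cases enumerated in this thread (missing path, dangling symlink, symlink into the store, live symlink elsewhere, regular file), exercised against a scratch directory with the lstat-based dispatch discussed above. This is an added example, not code from any message in the thread or from Guix; `store-target?`, `entry-type`, `clear-acl-path!`, `run-case` and `demo` are hypothetical names, the prefix test is an assumed stand-in for Guix's `store-file-name?`, and all files are constructed.

```scheme
;; Added example: hypothetical helper names, constructed scratch files.
(use-modules (ice-9 match))

;; Assumption: a plain prefix test stands in for Guix's `store-file-name?'.
(define %store-prefix "/gnu/store/")

(define (store-target? target)
  (string-prefix? %store-prefix target))

(define (entry-type file)
  ;; lstat does not follow symlinks, so a dangling link still yields
  ;; 'symlink.  #f means nothing at all exists at FILE.
  (and=> (false-if-exception (lstat file)) stat:type))

(define (clear-acl-path! acl-file)
  ;; Make room for a new ACL at ACL-FILE and return the action taken.
  (match (entry-type acl-file)
    (#f 'nothing-to-do)
    ('symlink
     (if (or (store-target? (readlink acl-file)) ; managed link
             (not (file-exists? acl-file)))      ; dangling link
         (begin (delete-file acl-file) 'deleted)
         (begin (rename-file acl-file (string-append acl-file ".bak"))
                'backed-up)))
    (_
     (rename-file acl-file (string-append acl-file ".bak"))
     'backed-up)))

(define (run-case acl label setup!)
  ;; Build one case, show what each predicate sees, act, then clean up.
  (setup!)
  (let* ((exists? (file-exists? acl))   ; follows symlinks
         (type    (entry-type acl))     ; does not
         (action  (clear-acl-path! acl)))
    (format #t "~a: file-exists? ~a, lstat type ~a => ~a~%"
            label exists? type action)
    (for-each (lambda (f) (false-if-exception (delete-file f)))
              (list acl (string-append acl ".bak")))
    action))

(define (write-sample file)
  (call-with-output-file file
    (lambda (port) (display "(acl)\n" port))))

(define (demo)
  (let* ((dir  (string-append "/tmp/acl-demo-" (number->string (getpid))))
         (acl  (string-append dir "/acl"))
         (real (string-append dir "/hand-written-acl")))
    (mkdir dir #o700)                   ; raises if DIR already exists
    (write-sample real)
    (for-each
     (match-lambda
       ((label . setup!) (run-case acl label setup!)))
     `(("missing path"       . ,(lambda () #t))
       ("dangling symlink"   . ,(lambda ()
                                  (symlink (string-append dir "/gone") acl)))
       ;; Constructed store path; it need not exist for the test to apply.
       ("symlink into store" . ,(lambda ()
                                  (symlink "/gnu/store/constructed-example-acl"
                                           acl)))
       ("live symlink"       . ,(lambda () (symlink real acl)))
       ("regular file"       . ,(lambda () (write-sample acl)))))
    (delete-file real)
    (rmdir dir)))

(demo)
```

Run it with `guile` on the saved file; the "dangling symlink" line is the one where `file-exists?` and `lstat` disagree.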





Last modified: Tue, 15 Apr 2025 18:30:04 UTC
