!lymvtcwDJ7ZA9Npq:lix.systems

Lix Development

346 Members, 125 Servers
(Technical) development of Lix, the package manager, a Nix implementation. Please be mindful of ongoing technical conversations in this channel.



22 Apr 2025
K900 (@k900:0upti.me): Or maybe we should switch to libssh and just not have the hack [05:47:56]
K900 (@k900:0upti.me): God this is not the snipe I was signing up for today [05:48:06]
K900 (@k900:0upti.me):
diff --git a/lix/libstore/ssh.cc b/lix/libstore/ssh.cc
index 80c11aea7..c8c2467cb 100644
--- a/lix/libstore/ssh.cc
+++ b/lix/libstore/ssh.cc
@@ -83,7 +83,7 @@ std::unique_ptr<SSH::Connection> SSH::startCommand(const std::string & command)
             addCommonSSHOpts(args);
         }

-        args.push_back(fmt("echo started; %s", command));
+        args.push_back(command);
         execvp(args.begin()->c_str(), stringsToCharPtrs(args).data());

         // could not exec ssh/bash
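Review bot: with the `echo started;` prefix dropped at `+        args.push_back(command);`, the remote side no longer prints the `started` sentinel, yet the handshake in the next hunk still does `reply = readLine(out.readSide.get());` and compares it with `"started"`; applied on its own, this hunk would consume the first line of the command's real output and then throw `failed to start SSH connection`. The two hunks only work together, so they should land as one change, with the commit message saying why the sentinel was dropped (the `;` is parsed by whatever login shell the remote user has, which is the shell assumption the thread is about).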
@@ -96,17 +96,17 @@ std::unique_ptr<SSH::Connection> SSH::startCommand(const std::string & command)

     // Wait for the SSH connection to be established,
     // So that we don't overwrite the password prompt with our progress bar.
-    {
-        std::string reply;
-        try {
-            reply = readLine(out.readSide.get());
-        } catch (EndOfFile & e) { }
+    // {
+    //     std::string reply;
+    //     try {
+    //         reply = readLine(out.readSide.get());
+    //     } catch (EndOfFile & e) { }

-        if (reply != "started") {
-            warn("SSH to '%s' failed, stdout first line: '%s'", host, reply);
-            throw Error("failed to start SSH connection to '%s'", host);
-        }
-    }
+    //     if (reply != "started") {
+    //         warn("SSH to '%s' failed, stdout first line: '%s'", host, reply);
+    //         throw Error("failed to start SSH connection to '%s'", host);
+    //     }
+    // }

     conn->out = std::move(out.readSide);
     conn->in = std::move(in.writeSide);
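Review bot: commenting out the handshake block leaves dead code; delete it rather than prefixing every line with `//`. More importantly, the surviving comment above it, "So that we don't overwrite the password prompt with our progress bar", now describes behaviour that no longer exists: nothing in this hunk replaces the wait, so an interactive password prompt can be clobbered by the progress bar and an SSH failure only surfaces when the caller first reads from `conn->out`. Either update that comment to record the regression or state in the change how the prompt case is handled now.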
[05:48:42]
K900 (@k900:0upti.me): Anyway this works [05:48:44]
K900 (@k900:0upti.me): And I hate it [05:48:50]
K900 (@k900:0upti.me):
diff --git a/lix/libstore/ssh.cc b/lix/libstore/ssh.cc
index 80c11aea7..88a407afd 100644
--- a/lix/libstore/ssh.cc
+++ b/lix/libstore/ssh.cc
@@ -83,7 +83,7 @@ std::unique_ptr<SSH::Connection> SSH::startCommand(const std::string & command)
             addCommonSSHOpts(args);
         }

-        args.push_back(fmt("echo started; %s", command));
+        args.push_back(command);
         execvp(args.begin()->c_str(), stringsToCharPtrs(args).data());

         // could not exec ssh/bash
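Review bot: `+        args.push_back(command);` still hands `command` to ssh as a single string that the remote login shell parses, so only the hard-coded `echo started;` and its `;` are gone; the shell assumption discussed in the thread remains for the command itself. A short comment at this call site stating that the remote side is expected to be a POSIX-like shell, or a pointer to the tracking issue (https://git.lix.systems/lix-project/lix/issues/805), would tell the next reader this is a known limitation rather than an oversight.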
@@ -94,20 +94,6 @@ std::unique_ptr<SSH::Connection> SSH::startCommand(const std::string & command)
     in.readSide.reset();
     out.writeSide.reset();

-    // Wait for the SSH connection to be established,
-    // So that we don't overwrite the password prompt with our progress bar.
-    {
-        std::string reply;
-        try {
-            reply = readLine(out.readSide.get());
-        } catch (EndOfFile & e) { }
-
-        if (reply != "started") {
-            warn("SSH to '%s' failed, stdout first line: '%s'", host, reply);
-            throw Error("failed to start SSH connection to '%s'", host);
-        }
-    }
-
     conn->out = std::move(out.readSide);
     conn->in = std::move(in.writeSide);
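Review bot: deleting the block also deletes `warn("SSH to '%s' failed, stdout first line: '%s'", host, reply);`, which was the only diagnostic that distinguished "ssh never connected" from "remote command produced unexpected output"; after this change a connection failure shows up only as an EOF wherever `conn->out` is first read. Consider keeping an equivalent error path at that point so the host name still appears in the failure message, and say in the commit message that the "wait for the SSH connection to be established" step is intentionally gone.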
[05:49:24]
K900 (@k900:0upti.me): (edit: less ugly diff) [05:49:31]
K900 (@k900:0upti.me): Does anyone have ideas [05:49:36]
K900 (@k900:0upti.me): OK filed https://git.lix.systems/lix-project/lix/issues/805 [06:11:24]
K900 (@k900:0upti.me): So fucking cursed [06:11:27]
piegames (@piegames:flausch.social): Wait, so SSH simply assumes a shell when running commands and then Lix inherits that and thus may break? [06:21:16]
piegames (@piegames:flausch.social): Aren't there any SSH flags to (un)set the shell? [06:21:38]
Irenes (@irenes:matrix.org): sigh [06:50:04]
Irenes (@irenes:matrix.org): that'd be nice, wouldn't it [06:50:08]
Irenes (@irenes:matrix.org): that assumption was the cause of the shellshock vulnerability [06:50:22]
Irenes (@irenes:matrix.org): or part of it [06:50:24]
Irenes (@irenes:matrix.org): I honestly really doubt it was made more versatile since then, but I guess it's possible [06:50:40]
Irenes (@irenes:matrix.org): it passes environment variables (that was the other half of the vuln), there might be something useful to be done with those [06:51:22]
Irenes (@irenes:matrix.org): but probably you should write code that runs a subshell [06:51:31]
Irenes (@irenes:matrix.org): so that you can make sure it's a specific one [06:51:38]
Irenes (@irenes:matrix.org): in the 90s it was common knowledge that you should never call the system() function, which invokes the default shell of the calling user, because it's impossible to fully secure something so open [06:52:29]
Irenes (@irenes:matrix.org): unfortunately if nobody talks about it, common knowledge stops being [06:52:58]
K900 (@k900:0upti.me): AFAIUI the openssh people actually consider this intentional [07:20:14]
K900 (@k900:0upti.me): As they consider the shell part of security posture [07:20:24]
Irenes (@irenes:matrix.org): sigh, yeah I bet [07:22:42]
Irenes (@irenes:matrix.org): and the log4j people consider their famous series of vulns intentional, too [07:22:59]
Irenes (@irenes:matrix.org): substantially the same vuln was headline news twice so far, about ten years apart [07:23:12]
Irenes (@irenes:matrix.org): people forgot, and assumed it must have been fixed [07:23:20]
Irenes (@irenes:matrix.org): although the actual project's communication was always quite clear that they don't consider it a bug and aren't going to change anything [07:23:47]
Irenes (@irenes:matrix.org): both times [07:23:50]



Room Version: 10