Hi Zack,

"Zack Weinberg" <z...@owlfolio.org> writes:

> I just switched my Guix System-based server over to unprivileged
> guix-daemon, after which I was unable to ssh into it. From the client,
> the syndrome looks like this (shell variables indicate redactions):

[...]

> 2025-04-25 20:27:40 localhost shepherd[1]: Service sshd-69 running with value #<<process> id: 234 command: ("/gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/sbin/sshd" "-D" "-f" "/gnu/store/vwy5d5mj35rh147iwzkzxijld0gx06mb-sshd_config" "-i")>.
> 2025-04-25 20:27:40 localhost sshd[234]: fatal: /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty must be owned by root and not group or world-writable.

D’oh. The fix here is to tell OpenSSH to use /var/empty instead. Do you know how to do that via sshd_config?

> `chown root:root /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty`
> is sufficient to fix ssh, but I wonder if store contents in general
> should maybe remain owned by root regardless of whether the daemon is
> running as an unprivileged user.
> It seems likely to me that this will not be the only such problem.

You should never manually modify files in the store or change their ownership. In the case above, the daemon will now be unable to delete this store item when you run ‘guix gc’.

Thanks for the bug report,
Ludo’.