On Mon, May 5, 2025, at 8:58 AM, Ludovic Courtès wrote:
>> 2025-04-25 20:27:40 localhost sshd[234]: fatal:
>> /gnu/store/8kman284vvlzk2hgy1bv1xzys3rfdzlr-openssh-10.0p1/var/empty
>> must be owned by root and not group or world-writable.
>
> D’oh. The fix here is to tell OpenSSH to use /var/empty instead. Do
> you know how to do that via sshd_config?

I don't see any way to do that in `man sshd_config`, but there is a
relevant AC_ARG_WITH option:

> PRIVSEP_PATH=/var/empty
> AC_ARG_WITH([privsep-path],
> [ --with-privsep-path=xxx Path for privilege separation chroot
> (default=/var/empty)],
> [
> if test -n "$withval" && test "x$withval" != "xno" && \
> test "x${withval}" != "xyes"; then
> PRIVSEP_PATH=$withval
> fi
> ]
> )
> AC_SUBST([PRIVSEP_PATH])

https://github.com/openssh/openssh-portable/blob/61525ba967ac1bb7394ea0792aa6030bcbbad049/configure.ac#L4984-L4994

... But maybe all we need to do is *remove* the 'reset-/var/empty
stanza from here?

https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/ssh.scm#n277

> You should never manually modify files in the store or change their
> ownership. In the case above, the daemon will now be unable to delete
> this store item when you run ‘guix gc’.

Good to know, thanks.

zw