From 38e82ca727512754c4ac9b43353255c91cadab8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Mon, 14 Jul 2025 13:08:48 +0200
Subject: [PATCH] pki: Always make /etc/guix/acl world-readable.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes guix/guix#664. This is necessary when running ‘guix-daemon’ as an unprivileged user and also when running ‘guix weather’ as an unprivileged user.
* guix/pki.scm (ensure-acl): Make ‘%acl-file’ #o644.
* guix/scripts/archive.scm (authorize-key): Likewise.
* guix/ssh.scm (remote-authorize-signing-key): Likewise.
Change-Id: I3c979b2cdf52e7cb657d8fafa244c58854e7fb67
---
 guix/pki.scm | 5 +++--
 guix/scripts/archive.scm | 5 +++--
 guix/ssh.scm | 5 +++--
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/guix/pki.scm b/guix/pki.scm
index 93932128cde..91c1be531a9 100644
--- a/guix/pki.scm
+++ b/guix/pki.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2016, 2022 Ludovic Courtès
+;;; Copyright © 2013-2014, 2016, 2022, 2025 Ludovic Courtès
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -87,7 +87,8 @@ element in KEYS must be a canonical sexp with type 'public-key'."
 (with-atomic-file-output %acl-file
 (lambda (port)
 (write-acl (public-keys->acl (list public-key))
- port)))))))
+ port)))
+ (chmod %acl-file #o644)))))
 
 (define (write-acl acl port)
 "Write ACL to PORT in canonical-sexp format."
diff --git a/guix/scripts/archive.scm b/guix/scripts/archive.scm
index 2b5a55a23f4..cf2c045c2e5 100644
--- a/guix/scripts/archive.scm
+++ b/guix/scripts/archive.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020, 2021 Ludovic Courtès
+;;; Copyright © 2013-2017, 2019-2021, 2025 Ludovic Courtès
 ;;; Copyright © 2020 Tobias Geerinckx-Rice
 ;;;
 ;;; This file is part of GNU Guix.
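Review bot: In `ensure-acl` (guix/pki.scm, second hunk) the added `(chmod %acl-file #o644)` runs only after `with-atomic-file-output` has returned, so the ACL is already installed at its final path before its mode is widened. That helper is defined outside this patch; if it creates its temporary file owner-only and renames it into place, an unprivileged `guix-daemon` or `guix weather` reading the file in that window would presumably get a permission error, and the later chmod resolves the path a second time. Setting the mode on the open port keeps contents and mode atomic, since Guile's `chmod` also accepts a port: `(lambda (port) (chmod port #o644) (write-acl (public-keys->acl (list public-key)) port))`. The same ordering appears in `authorize-key` (guix/scripts/archive.scm) and `remote-authorize-signing-key` (guix/ssh.scm). The body of `ensure-acl` starts outside the hunk.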
@@ -324,7 +324,8 @@ the input port."
 (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
 (mkdir-p (dirname %acl-file))
 (with-atomic-file-output %acl-file
- (cut write-acl acl <>)))))
+ (cut write-acl acl <>))
+ (chmod %acl-file #o644))))
 
 (define (list-contents port)
 "Read a nar from PORT and print the list of files it contains to the current
diff --git a/guix/ssh.scm b/guix/ssh.scm
index 9e504c054cc..20a35b2712f 100644
--- a/guix/ssh.scm
+++ b/guix/ssh.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2016-2021, 2023-2024 Ludovic Courtès
+;;; Copyright © 2016-2021, 2023-2025 Ludovic Courtès
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -458,7 +458,8 @@ to the system ACL file if it has not yet been authorized."
 (let ((acl (public-keys->acl (cons key (acl->public-keys acl)))))
 (mkdir-p (dirname %acl-file))
 (with-atomic-file-output %acl-file
- (cut write-acl acl <>)))))
+ (cut write-acl acl <>))
+ (chmod %acl-file #o644))))
 session
 become-command))
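Review bot: The added `(chmod %acl-file #o644)` in `authorize-key` (guix/scripts/archive.scm) has no comment saying why world-readable is the right mode for a file that decides which substitute keys are trusted. A line such as `;; The ACL lists public keys only: readable by everyone, writable by its owner alone.` would record that the mode protects the file's integrity rather than its secrecy, and would discourage a later change to a group- or world-writable mode. The same mkdir-p / write / chmod sequence now exists in three procedures, so one shared procedure next to `write-acl` in guix/pki.scm would keep the mode from drifting between call sites. The copy in `remote-authorize-signing-key` appears to be evaluated on the remote side, so a shared helper would also have to exist in the remote installation. `authorize-key` starts outside the hunk.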