unofficial mirror of bug-guix@gnu.org 
* bug#51833: SECURITY: Sanitize the permissions for guix daemon socket?
@ 2021-11-14  9:18 Jacob Hrbek
  2021-11-14  9:49 ` bug#51833: (No Subject) Jacob Hrbek
  0 siblings, 1 reply; 2+ messages in thread
From: Jacob Hrbek @ 2021-11-14  9:18 UTC (permalink / raw)
  To: 51833



The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666, which allows **ALL** users on the system to interact with the guix daemon to write in the store directory.

Proposing to define a group (or use the guixbuild group?) to deny access to the socket by default to all users without the group, as I see this being a security issue waiting to happen.

-- Jacob "Kreyren" Hrbek


* bug#51833: (No Subject)
  2021-11-14  9:18 bug#51833: SECURITY: Sanitize the permissions for guix daemon socket? Jacob Hrbek
@ 2021-11-14  9:49 ` Jacob Hrbek
  0 siblings, 0 replies; 2+ messages in thread
From: Jacob Hrbek @ 2021-11-14  9:49 UTC (permalink / raw)
  To: 51833



Discussed on IRC/Matrix https://matrix.to/#/!sHzxAiaYPGfEPSGCzf:libera.chat/$TNunZ_vCWYxNGw-XDyCgKyKobccakb2A9noppM8kkTo?via=libera.chat&via=matrix.org&via=tchncs.de and concluded to not be a security issue.

My concern was a malicious user caching a malicious derivation, trying to force the root user to invoke it to unleash the payload, but that is not possible due to the use of GPG with the guix repo to prevent injection of a malicious DNS server through DHCP.

-- Jacob "Kreyren" Hrbek

