Subject: bug#51833: SECURITY: Sanitize the permissions for guix daemon socket?
From: Jacob Hrbek <kreyren@rixotstudio.cz>
To: bug-guix@gnu.org (51833@debbugs.gnu.org; report 51833, package guix)
Date: Sun, 14 Nov 2021 09:18:46 +0000
Message-ID: <0vikmU8M7HlOsjRKej0siT0rJjlgmN5Asnd1HpGeH_8xYz_okK-KtukDg6vO9U3wtmQrAd5FHhooRjJ__yE1jlcoQ17TqGPrYNiD6Bjk01w=@rixotstudio.cz>
List-Id: Bug reports for GNU Guix <bug-guix@gnu.org>
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666 that allows **ALL** users on the system to interact with guix daemon to write in the store directory.

Proposing to define a group (or use guixbuild group?) to by default deny access to the socket to all users without the group as I see this being a security issue waiting to happen.

-- 
Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.

[Attachments: "publickey - kreyren@rixotstudio.cz - 0x1677DB82.asc" (application/pgp-keys); "signature.asc" (OpenPGP digital signature, ProtonMail)]
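The check behind the report, as an added example that is neither part of the bug report nor Guix's own code: it classifies a Unix-domain socket by its mode bits and prints the tightening the report proposes. It assumes GNU `stat -c`, the socket path named in the report as the default, and the group name `guixbuild` only as the placeholder the report floats. On Linux, connect() on a Unix socket requires write permission on the socket inode, so the write bits are what decide who can talk to the daemon.

```sh
#!/bin/sh
# Added example, not code from the bug report or from Guix: audit who can reach a
# Unix-domain socket and print the tightening the report proposes.
# On Linux, connect() on a Unix socket requires write permission on the socket
# inode, so the write bits are what decide who can talk to the daemon.

# socket_access_verdict MODE OWNER GROUP
# MODE is the octal mode as printed by `stat -c %a` (e.g. 666 or 0660).
# Prints a verdict; returns 1 when the socket is world-writable, 0 otherwise.
socket_access_verdict() {
  mode=$1 owner=$2 group=$3
  other=${mode#"${mode%?}"}        # last octal digit: "other" bits
  rest=${mode%?}
  grp=${rest#"${rest%?}"}          # digit before it: group bits
  case $other in
    2|3|6|7)
      echo "world-writable: any local user can connect to the daemon"
      return 1 ;;
  esac
  case $grp in
    2|3|6|7)
      echo "group-restricted: only $owner and members of $group can connect"
      return 0 ;;
  esac
  echo "owner-only: only $owner can connect"
  return 0
}

# audit_socket [PATH]
# Runs the verdict against a live socket; PATH defaults to the one in the report.
# Assumes GNU stat (-c). Returns 2 when there is no socket at PATH.
audit_socket() {
  path=${1:-/var/guix/daemon-socket/socket}
  [ -S "$path" ] || { echo "no socket at $path"; return 2; }
  set -- $(stat -c '%a %U %G' "$path")
  socket_access_verdict "$1" "$2" "$3"
}

# harden_socket_cmd [PATH] [GROUP]
# Prints (does not run) the change the report asks for: root-owned, a gatekeeper
# group, mode 0660. GROUP defaults to guixbuild, the placeholder name the report
# mentions; pass a dedicated group name to keep build accounts out of the client set.
harden_socket_cmd() {
  path=${1:-/var/guix/daemon-socket/socket}
  group=${2:-guixbuild}
  echo "chown root:$group '$path' && chmod 0660 '$path'"
}
```

Two caveats a practitioner would want before applying the printed command: the daemon creates the socket file when it binds, so permissions set by hand on the inode do not survive a daemon restart unless the daemon or the service that starts it applies them; and reusing `guixbuild` would make the unprivileged build accounts (its members) socket clients, so a dedicated group keeps the two roles apart.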