From: Maxime Devos
To: 47584@debbugs.gnu.org
Date: Sat, 03 Apr 2021 18:09:16 +0200
Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Message-ID: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be>

A TOCTTOU (time-of-check to time-of-use) vulnerability has been found in
the activation code of user accounts, more specifically in the code that
copies the account skeletons.

* Vulnerability

The attack consists of the user being logged in after the account
skeletons have been copied to the home directory, but before the owner
of the account skeletons has been set. The user then deletes a copied
account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces it with a
symbolic link to a file not owned by the user, such as @file{/etc/shadow}.

The activation code then changes the ownership of the file the symbolic
link points to instead of the symbolic link itself. At that point, the
user has read-write access to the target file.

* Where in the code does this happen?

Module: (gnu build activation).
Procedures: 'copy-account-skeletons' and 'activate-user-home'.

'copy-account-skeletons' creates the home directory, sets its owner,
copies the account skeletons, and chowns the copied skeletons, in that
order. The bug is that it dereferences symbolic links.

It is called from 'activate-user-home' if the home directory does not
already exist.

* Fix

The fix consists of initially creating the home directory root-owned and
only changing the owner of the home directory once all skeletons have
been copied and their owner has been set.

* Extra notes

A blog post, a news entry and a fix have been prepared and will be
posted and hopefully merged soon.

The following tests succeeded:

$ make check-system TESTS='switch-to-system upgrade-services install-bootloader basic'
$ make check
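
The ordering described under "Fix", shown as an added Python example; it is not part of the report and not the Guix code, which lives in (gnu build activation). The names populate_home, demo, the after_copy hook and the "shadow-stand-in" file are assumptions made for illustration. It also changes ownership without following symbolic links, so a skeleton swapped for a link does not affect the link's target.

```python
import os
import shutil

def populate_home(home, skeletons, uid, gid, after_copy=None):
    """Copy SKELETONS to HOME, then hand HOME over to UID:GID.

    HOME stays owned by the caller (root during activation) until every
    entry has been chowned, and each chown acts on the entry itself, never
    on the target of a symbolic link.  after_copy is a hypothetical hook
    used only to simulate the race window in the demo below.
    """
    shutil.copytree(skeletons, home, symlinks=True)  # HOME must not exist yet
    if after_copy is not None:
        after_copy(home)
    chowned = []
    for root, dirs, files in os.walk(home, topdown=False):
        for name in sorted(dirs + files):
            path = os.path.join(root, name)
            os.chown(path, uid, gid, follow_symlinks=False)  # lchown(2)
            chowned.append(path)
    os.chown(home, uid, gid, follow_symlinks=False)  # ownership handed over last
    chowned.append(home)
    return chowned

def demo(base, uid, gid):
    """Constructed sample tree; 'shadow-stand-in' plays the protected file."""
    skel = os.path.join(base, "skel")
    os.makedirs(os.path.join(skel, ".config"))
    for rel in (".gdbinit", os.path.join(".config", "app.conf")):
        with open(os.path.join(skel, rel), "w") as f:
            f.write("# constructed sample\n")
    secret = os.path.join(base, "shadow-stand-in")
    with open(secret, "w") as f:
        f.write("secret\n")
    ctime_before = os.stat(secret).st_ctime_ns

    def swap(home):  # a copied skeleton replaced by a link, as in the report
        os.remove(os.path.join(home, ".gdbinit"))
        os.symlink(secret, os.path.join(home, ".gdbinit"))

    home = os.path.join(base, "home")
    order = populate_home(home, skel, uid, gid, after_copy=swap)
    untouched = os.stat(secret).st_ctime_ns == ctime_before
    return home, order, untouched
```

Run as an unprivileged user with its own uid and gid, the ownership values do not change; the inode change time of the stand-in file is what shows that no chown reached it.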