bug#51833: SECURITY: Sanitize the permissions for guix daemon socket?

bug#51833: SECURITY: Sanitize the permissions for guix daemon socket?

[Jacob Hrbek]

[-- Attachment #1.1.1: Type: text/plain, Size: 445 bytes --]

The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666 that allows **ALL** users on the system to interact with guix daemon to write in the store directory.

Proposing to define a group (or use guixbuild group?) to by default deny access to the socket to all users without the group as i see this being a security issue waiting to happen.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.

[-- Attachment #1.1.2.1: Type: text/html, Size: 746 bytes --]

[-- Attachment #1.2: publickey - kreyren@rixotstudio.cz - 0x1677DB82.asc --]
[-- Type: application/pgp-keys, Size: 737 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 249 bytes --]

bug#51833: (No Subject)

[Jacob Hrbek]

[-- Attachment #1.1.1: Type: text/plain, Size: 521 bytes --]

Discussed on IRC/Matrix https://matrix.to/#/!sHzxAiaYPGfEPSGCzf:libera.chat/$TNunZ_vCWYxNGw-XDyCgKyKobccakb2A9noppM8kkTo?via=libera.chat&via=matrix.org&via=tchncs.de concluded to not be a security issue.

My concern was malicious user caching a malicious derivation trying to force root user to invoke it to unleash the payload, but that is not possible due to the use of GPG with the guix repo to prevent injection of malicious DNS server through DHCP.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.

[-- Attachment #1.1.2.1: Type: text/html, Size: 994 bytes --]

[-- Attachment #1.2: publickey - kreyren@rixotstudio.cz - 0x1677DB82.asc --]
[-- Type: application/pgp-keys, Size: 737 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 249 bytes --]