Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
To: 47584@debbugs.gnu.org
Date: Sat, 03 Apr 2021 18:32:54 +0200

On Sat, 2021-04-03 at 18:22 +0200, Maxime Devos wrote:
> + ;; It is important 'chown' is called after 'copy-account-skeletons'
> + ;; Otherwise, a malicious user with good timing could
> + ;; create a symlink in HOME that would be dereferenced by
> + ;; 'copy-account-skeletons'.

Oops please add a period after 'copy-account-skeletons';
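
Review bot: the comment's first sentence gives the ordering rule but not the precondition it depends on: the rationale in the lines after it only holds if HOME cannot be written by the account until 'chown' runs. If that is the invariant, state it in the comment, so that a later change to how HOME is created or to its mode does not silently reopen the symlink race while the call order still looks correct. The first line also needs its terminating period before "Otherwise", as the follow-up already points out.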