From: Ludovic Courtès
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Thu, 17 Oct 2019 18:18:49 +0200
Message-ID: <87blufny52.fsf@gnu.org>
In-Reply-To: <878spksty3.fsf@gnu.org> (Ludovic Courtès's message of "Wed, 16 Oct 2019 15:25:56 +0200")
To: 37744@debbugs.gnu.org
Cc: guix-security@gnu.org

Hi!

Ludovic Courtès writes:

> In addition to the news entry that ‘guix pull’ will display, we may want
> to publicize the issue.  In particular, should we:
>
>   1. Apply for a new CVE?
>
>   2.
>      Post an article on the blog to explain in detail what happened?
>      That should probably include an analysis like that at , given
>      that Guix does things not entirely like Nix here.
>
>   3. Email that analysis to oss-security?
>
>   4. Push a new release?
>
> I’m tempted to think that we should do 1 to 3, as quickly as we can.
> Help welcome, in particular on #2!

Attached is a draft based on ‘etc/news.scm’.  Let me know what you think!

Ludo’.

Content-Disposition: inline; filename=insecure-permissions.md

title: Insecure permissions on profile directory
date: 2019-10-05 14:30
author: Ludovic Courtès
tags: Security
---

We have become aware of a security issue for Guix on multi-user systems
[that we have just fixed](https://issues.guix.gnu.org/issue/37744).
Anyone running Guix on a multi-user system is encouraged to upgrade
`guix-daemon`—see below for instructions.

# Context

The default user profile, `~/.guix-profile`, points to
`/var/guix/profiles/per-user/$USER`.  Until now,
`/var/guix/profiles/per-user` was world-writable, allowing the `guix`
command to create the `$USER` sub-directory.

On a multi-user system, this allowed a malicious user to create and
populate that `$USER` sub-directory for another user that had not yet
logged in.  Since `/var/…/$USER` is in `$PATH`, the target user could end
up running attacker-provided code.  See
https://issues.guix.gnu.org/issue/37744 for more information.

This issue was initially
[reported by Michael Orlitzky for Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4)
([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=CVE-2019-17365)).

# Fix

The [fix](https://issues.guix.gnu.org/issue/37744) consists in letting
`guix-daemon` create these directories on behalf of users and removing
the world-writable permissions on `per-user`.
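As an added example (not part of the draft above or of Guix itself), the following script audits the state the fix is meant to establish: `per-user` must not be world-writable, and each `$USER` sub-directory must be owned by the account it is named after, which is also how a directory pre-created by another user shows up. It assumes the default path `/var/guix/profiles/per-user` and builds a constructed temporary tree for demonstration.

```python
import os
import pwd
import stat
import tempfile

PER_USER = "/var/guix/profiles/per-user"   # default path from the advisory


def owner_name(uid):
    """User name for `uid`, or a `uid N` marker when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return f"uid {uid}"


def audit_per_user(root=PER_USER):
    """Return findings for a per-user profile directory (empty list = OK).

    Checks the two invariants the fix establishes: `root` is not
    world-writable, and every `$USER` sub-directory is owned by the
    account it is named after.  A directory named after a user but owned
    by someone else is what a pre-created, attacker-populated profile
    looks like, so it is reported.
    """
    findings = []
    top = os.lstat(root)
    if top.st_mode & stat.S_IWOTH:
        findings.append(f"{root}: world-writable ({stat.filemode(top.st_mode)})")
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)            # lstat: a symlink here is suspicious too
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{path}: not a plain directory")
            continue
        owner = owner_name(st.st_uid)
        if owner != name:
            findings.append(f"{path}: owned by {owner}, expected {name}")
    return findings


def build_demo_tree():
    """Constructed fixture, not a real system: a world-writable per-user
    directory (the pre-fix state) holding the current user's own directory
    and one named after another account but owned by the current user."""
    root = tempfile.mkdtemp(prefix="per-user-demo-")
    me = owner_name(os.getuid())
    os.chmod(root, 0o1777)
    os.mkdir(os.path.join(root, me))
    os.mkdir(os.path.join(root, me + "-other"))
    return root
```

Run `audit_per_user()` on a host to check the real directory; `build_demo_tree()` yields a constructed pre-fix layout on which the audit reports both the world-writable root and the mis-owned sub-directory.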
For [cluster setups](https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/)
where clients connect to the daemon over TCP
([thanks to the `--listen` option of `guix-daemon`](https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html)),
the fix _requires_ `guix-daemon` to be able to resolve user names so that
it can create `/var/…/per-user/$USER` with the right ownership.  Note
also that the `guix` command prior to this fix would not communicate the
user name it’s running under to the daemon, thereby preventing it from
creating that directory on its behalf.

# Upgrading

On multi-user systems, we recommend upgrading the daemon now.  To
upgrade the daemon on a “foreign distro”, run something along these
lines:

```
sudo guix pull
sudo systemctl restart guix-daemon.service
```

On Guix System, run:

```
guix pull
sudo guix system reconfigure /etc/config.scm
sudo herd restart guix-daemon
```

Once you’ve run `guix build hello` or any other `guix` command, you
should see that `/var/guix/profiles/per-user` is no longer
world-writable:

```
$ ls -ld /var/guix/profiles/per-user
drwxr-xr-x 5 root root 4096 Jun 23  2017 /var/guix/profiles/per-user
```

Please report any issues you may have to
[`guix-devel@gnu.org`](https://guix.gnu.org/contact/).  See the
[security web page](https://guix.gnu.org/security/) for information on
how to report security issues.

#### About GNU Guix

[GNU Guix](https://www.gnu.org/software/guix) is a transactional package
manager and an advanced distribution of the GNU system that
[respects user freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html).
Guix can be used on top of any system running the kernel Linux, or it
can be used as a standalone operating system distribution for i686,
x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports
transactional upgrades and roll-backs, unprivileged package management,
per-user profiles, and garbage collection.  When used as a standalone
GNU/Linux distribution, Guix offers a declarative, stateless approach to
operating system configuration management.  Guix is highly customizable
and hackable through [Guile](https://www.gnu.org/software/guile)
programming interfaces and extensions to the
[Scheme](http://schemers.org) language.