unofficial mirror of bug-guix@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 47584@debbugs.gnu.org
Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:45:51 +0200
Message-ID: <87czvbw0zk.fsf@gnu.org>
In-Reply-To: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:26:53 +0200")

Maxime Devos <maximedevos@telenet.be> writes:

> From 7937b9f18085569e5d7cb8a3c4dc08e1088a94a9 Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos@telenet.be>
> Date: Sat, 3 Apr 2021 18:02:05 +0200
> Subject: [PATCH] =?UTF-8?q?website:=20Add=20post=20about=20vulnerability?=
>  =?UTF-8?q?=20in=20=E2=80=98copy-account-skeletons=E2=80=99.?=
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> * website/posts/home-symlink.md: New post.

It’s unfortunate that this is going out during a week-end, and a
three-day week-end on top of that in some regions of the world, with
many people not seeing the message and not being able to act upon it for
three days.

> +title: Risk of local privilege escalation in account creation
> +date: 2021-04-03 17:30
> +author: Maxime Devos
> +tags: Security Advisory
> +---
> +
> +A security vulnerability that can lead to local privilege escalation
> +has been found in the activation code of user accounts (excluding
> +system accounts).  It does not affect users on foreign distros
> +and is only exploitable during system reconfiguration.

How about this, taken from the news.scm entry I tweaked:

  A security vulnerability that can lead to local privilege
  escalation has been found in the code that creates user accounts on Guix
  System—Guix on other distros is unaffected.  The system is only vulnerable
  during the activation of non-system user accounts that do not already exist.

(This is more upfront about who’s affected and avoids the technical term
“activation code” which makes no sense outside the circle of Guix System
and NixOS hackers.)

> +This exploit is _not_ impossible on machines where the Linux [protected
> +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature
> +is enabled.  It is believed the attack can also be performed using hard
> +links.
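Review bot: the double negative that opens this hunk, "is _not_ impossible on machines where ... protected symlinks ... is enabled", is easy to misread as saying the feature stops the attack; state it directly, e.g. "This exploit remains possible even on machines where the Linux protected symlinks feature is enabled." The hard-link sentence is only hedged ("It is believed"): either confirm that the hard-link variant was reproduced or say plainly that it is untested, because readers will use that sentence to judge whether hard-link protections change their exposure.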

Please mention that protected symlinks are enabled by default on Guix
System since a March 16th commit, with a link to
<https://issues.guix.gnu.org/47013#13>.

> +# Conclusions
> +
> +The activation code in Guix System originally was written with the
> +assumption that no other code was running at the same time in mind.
> +However, this is not a reasonable assumption in practice, as this
> +vulnerability demonstrates.  Thus, it may be worthwhile to look
> +over other activation code for similar issues.
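Review bot: "originally was written with the assumption that no other code was running at the same time in mind" says the same thing twice ("with the assumption" and "in mind"); "was originally written on the assumption that no other code was running at the same time" is enough, and reads less casually.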

That’s an interesting conclusion for us developers, but not necessarily
for the users this is targeting.  It also sounds unnecessarily scary and
casual.

> +While investigating how to fix the issue, it became apparent GNU Guile,
> +the implementation of the Algorithmic Language Scheme GNU Guix is
> +written in, is lacking in primitives that usually are used to avoid
> +these kind of issues, such `openat` and `O_NOFOLLOW`.
> +
> +While these primitives turned out not to be necessary to fix the
> +issue and a [patch series](<https://lists.gnu.org/archive/html/guile-devel/2021-03/msg00026.html>)
> +to GNU Guile has been submitted that adds these primitives, this does
> +serve as a remainder that GNU Guile is a critical component of
> +Guix System and working around missing primitives will not always be possible.
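Review bot: several wording slips in this hunk: "such `openat`" should be "such as `openat`", "these kind of issues" should be "this kind of issue", and "serve as a remainder" should be "serve as a reminder". `O_NOFOLLOW` is an open(2) flag rather than a primitive, so "such as `openat` and the `O_NOFOLLOW` flag" is more accurate. "the implementation of the Algorithmic Language Scheme GNU Guix is written in" is also hard to parse; "the Scheme implementation that GNU Guix is written in" is simpler.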

All this is true but also probably too detailed (or not enough,
depending on the reader).  How about just mentioning that work is
ongoing to support the `openat` family of POSIX functions in Guile,
which, when used, will help address this class of vulnerability?

Otherwise LGTM, thanks!

Ludo’.




Thread overview: 21+ messages
2021-04-03 16:09 bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation Maxime Devos
2021-04-03 16:22 ` Maxime Devos
2021-04-03 16:32   ` Maxime Devos
2021-04-03 20:15   ` Ludovic Courtès
2021-04-03 16:26 ` Maxime Devos
2021-04-03 20:45   ` Ludovic Courtès [this message]
2021-04-03 20:49   ` Ludovic Courtès
2021-04-04 13:29   ` Maxime Devos
2021-04-03 20:27 ` Ludovic Courtès
2021-04-03 20:33 ` Ludovic Courtès
2021-04-04  7:36   ` Maxime Devos
2021-04-05 19:54     ` Ludovic Courtès
2021-04-06  9:56       ` Maxime Devos
2021-04-06 11:57         ` Ludovic Courtès
2021-04-07 18:28           ` Maxime Devos
2022-10-21  9:31 ` Maxime Devos
2022-10-28 16:03 ` bug#47584: [DRAFT PATCH v2 0/4] Fix race condition in mkdir-p/perms Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
2022-10-28 16:04   ` bug#47584: [PATCH 2/3] WIP gnu: Change the Guile used for activation to one that has 'openat' Maxime Devos
2022-10-28 16:04   ` bug#47584: [PATCH 3/3] activation: Fix TOCTTOU in mkdir-p/perms Maxime Devos
2022-10-28 16:05   ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
