From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Date: Sat, 03 Apr 2021 22:45:51 +0200
Message-ID: <87czvbw0zk.fsf@gnu.org>
In-Reply-To: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:26:53 +0200")
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security patch
Maxime Devos skribis:

> From 7937b9f18085569e5d7cb8a3c4dc08e1088a94a9 Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sat, 3 Apr 2021 18:02:05 +0200
> Subject: [PATCH] website: Add post about vulnerability in ‘copy-account-skeletons’.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> * website/posts/home-symlink.md: New post.

It’s unfortunate that this is going out during a week-end, and a
three-day week-end on top of that in some regions of the world, with
many people not seeing the message and not being able to act upon it for
three days.

> +title: Risk of local privilege escalation in account creation
> +date: 2021-04-03 17:30
> +author: Maxime Devos
> +tags: Security Advisory
> +---
> +
> +A security vulnerability that can lead to local privilege escalation
> +has been found in the activation code of user accounts (excluding
> +system accounts). It does not affect users on foreign distros
> +and is only exploitable during system reconfiguration.

How about this, taken from the news.scm entry I tweaked:

  A security vulnerability that can lead to local privilege escalation has
  been found in the code that creates user accounts on Guix System—Guix on
  other distros is unaffected. The system is only vulnerable during the
  activation of non-system user accounts that do not already exist.

(This is more upfront about who’s affected and avoids the technical term
“activation code” which makes no sense outside the circle of Guix System
and NixOS hackers.)

> +This exploit is _not_ impossible on machines where the Linux [protected
> +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature
> +is enabled. It is believed the attack can also be performed using hard
> +links.
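Review bot: the double negative in the last quoted paragraph ("is _not_ impossible on machines where ... protected symlinks ... is enabled") is easy to misread as saying the feature protects you; state it directly, e.g. "Enabling the Linux protected symlinks feature does not prevent this attack", and since the next sentence says the attack is believed to also work with hard links, say whether the companion `fs.protected_hardlinks` setting was considered, so readers do not conclude that either sysctl is a sufficient mitigation.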
Please mention that protected symlinks are enabled by default on Guix
System since a March 16th commit, with a link to that commit.

> +# Conclusions
> +
> +The activation code in Guix System originally was written with the
> +assumption that no other code was running at the same time in mind.
> +However, this is not a reasonable assumption in practice, as this
> +vulnerability demonstrates. Thus, it may be worthwhile to look
> +over other activation code for similar issues.

That’s an interesting conclusion for us developers, but not necessarily
for the users this is targeting. It also sounds unnecessarily scary and
casual.

> +While investigating how to fix the issue, it became apparent GNU Guile,
> +the implementation of the Algorithmic Language Scheme GNU Guix is
> +written in, is lacking in primitives that usually are used to avoid
> +these kind of issues, such `openat` and `O_NOFOLLOW`.
> +
> +While these primitives turned out not to be necessary to fix the
> +issue and a [patch series]()
> +to GNU Guile has been submitted that adds these primitives, this does
> +serve as a remainder that GNU Guile is a critical component of
> +Guix System and working around missing primitives will not always be possible.

All this is true but also probably too detailed (or not enough, depending
on the reader). How about just mentioning that work is ongoing to support
the `openat` family of POSIX functions in Guile, which, when used, will
help address this class of vulnerability?

Otherwise LGTM, thanks!

Ludo’.
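Review bot: the second Guile paragraph has a typo and a missing word: "serve as a remainder" should read "reminder", "such `openat`" should read "such as `openat`", and "these kind of issues" should read "this kind of issue"; the `[patch series]()` link also has an empty target, so the URL of the Guile submission has to be filled in before the post is published.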
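The `openat`/`O_NOFOLLOW` pattern the post refers to, shown as an added C example that is not code from the patch, from Guix or from Guile: one skeleton file is copied into a home directory without following symlinks and without reusing an entry that already exists under that name, which is what closes the race described in the advisory. The function names, the scratch directory and the skeleton content are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy one skeleton file into HOME.  The directory is opened without
   following symlinks and checked to be owned by UID; the file is created
   relative to that descriptor with O_EXCL|O_NOFOLLOW, so a symlink or hard
   link planted under NAME in the meantime makes the call fail instead of
   writing through it.  Returns 0 on success, -1 on refusal. */
static int copy_skeleton_file(const char *home, const char *name,
                              const char *content, uid_t uid, gid_t gid)
{
  struct stat st;
  int dirfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
  if (dirfd < 0) return -1;
  if (fstat(dirfd, &st) < 0 || st.st_uid != uid) {
    close(dirfd);               /* not the directory we expected to populate */
    return -1;
  }
  int fd = openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0644);
  close(dirfd);
  if (fd < 0) return -1;        /* EEXIST: an entry already sits under NAME */
  size_t len = strlen(content);
  int ok = write(fd, content, len) == (ssize_t) len
           && fchown(fd, uid, gid) == 0;   /* chown via the fd, never the path */
  close(fd);
  return ok ? 0 : -1;
}

/* Self-check on a constructed scratch directory: a fresh home accepts the
   skeleton; a dangling symlink planted under the same name is refused. */
int run_demo(void)
{
  char home[] = "/tmp/skel-demo-XXXXXX", path[512];
  if (mkdtemp(home) == NULL) return 0;
  snprintf(path, sizeof path, "%s/.bashrc", home);
  int ok = copy_skeleton_file(home, ".bashrc", "# constructed skeleton\n",
                              getuid(), getgid()) == 0;
  unlink(path);
  ok = ok && symlink("/nonexistent/target", path) == 0
          && copy_skeleton_file(home, ".bashrc", "x\n", getuid(), getgid()) == -1;
  unlink(path);
  rmdir(home);
  return ok;                    /* 1 when both observations hold */
}
```

The same `O_EXCL` refusal covers the hard-link variant mentioned in the post, since any pre-existing entry under the name is rejected regardless of its type.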