From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 21:50:22 +0200
Message-ID: <87d0ewo4g1.fsf@nckx>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org>
 <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx>
 <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org> <878spksty3.fsf@gnu.org>
 <20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain>
 <87ftjsoh40.fsf@nckx>
 <20191016151922.5fanqbt6kiv4offx@pelzflorian.localdomain>
 <87eezcogtf.fsf@nckx> <87ftjsk4d3.fsf@gnu.org>
Reply-To: Tobias Geerinckx-Rice <me@tobias.gr>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:36434)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iKpK3-0000Ic-Dj
 for bug-guix@gnu.org; Wed, 16 Oct 2019 15:51:04 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iKpK2-0001cP-9K
 for bug-guix@gnu.org; Wed, 16 Oct 2019 15:51:03 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:37764)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1iKpK2-0001cI-6X
 for bug-guix@gnu.org; Wed, 16 Oct 2019 15:51:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1iKpK2-0001Iq-3j
 for bug-guix@gnu.org; Wed, 16 Oct 2019 15:51:02 -0400
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.37744.B37744.15712554374974@debbugs.gnu.org>
In-reply-to: <87ftjsk4d3.fsf@gnu.org>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 37744@debbugs.gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Ludo',

Ludovic Court=C3=A8s =E5=86=99=E9=81=93=EF=BC=9A
> Taking that into account, I propose this (I=E2=80=99ve also changed the=20
> title to
> make it hopefully clearer):

Here's my NL translation:

       (nl "Onveilige=20
       @file{/var/guix/profiles/per-user}-rechten"))
	 (nl "Het standaard gebruikersprofiel,=20
	 @file{~/.guix-profile}, verwijst
naar @file{/var/guix/profiles/per-user/$USER}.  Tot op heden kon=20
om het evenwie
in @file{/var/guix/profiles/per-user} schrijven, wat het=20
@command{guix}-commando
toestond de @code{$USER} submap aan te maken.

Op systemen met meerdere gebuikers kon hierdoor een kwaadaardige=20
gebruiker een
@code{$USER} submap met inhoud aanmaken voor een andere gebruiker=20
die nog niet
was ingelogd.  Omdat @code{/var/@dots{}/$USER} zich in=20
@code{$PATH} bevindt,
kon het doelwit zo code uitvoeren die door de aanvaller zelf werd=20
aangeleverd.
Zie @uref{https://issues.guix.gnu.org/issue/37744} voor meer=20
informatie.

Dit probleem is nu verholpen: schrijven door iedereen in=20
@code{per-user} is niet
meer toegestaan en @command{guix-daemon} maakt zelf submappen aan=20
namens de
gebruiker.  Op systemen met meerdere gebruikers raden we aan om
@code{guix-daemon} nu bij te werken.  Op Guix System kan dit met
@code{guix pull && sudo guix system reconfigure @dots{}}, op=20
andere distributies
met @code{sudo guix pull}.  Herstart vervolgens in beide gevallen
@code{guix-daemon} met @code{herd} of @code{systemctl}.")

Kind regards,

T G-R

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl2ndH4ACgkQ2Imw8BjF
STwonA//XCCZD5qBwQ52rNYuQy+RMveNpvfyABGciNqtnacohV/JpMhK4soEFkZc
PcRTlGbZdQqDMag0y5ZxpDCXboCaHJNr3Uv6t8UhDUY1kv6wOPXePAUlhn85YbEO
pbt6LPp0WNnw8CWkPjl1U5HT7fhiQdfV6NDtTTUKJLOVkbUMNYtkidJK9ycykXQk
o4mF+xuEVzdwibJ5bLJCSKN+3hIyFPFxOHcbGP96ocFtZeXXFki3ppkJ9Mv9OWxW
4aRl2L+7+aiQpiPytt8/RFjmzAt5uk8Ojf6l0VDMQ+8v2oJTyufp7zFHskKP6MOO
I8fqvh1RCMpBM1Ddi0Rlwke4OSFmKcDlMZZtooH4Q9Czqu/pq4/U48RlM+JRryJC
JsNMcAITRsRlLirRwzeX4XBOmTHV5OxXxMSEAss2xBgcz57AXDOQ2p7M7SNk072T
n8jVU8LvDPk51g+x3+MmnriT24NZ+2OdWyAC63HfjaAdBJqTsFcfZXp7YvNGgde3
rYNJVzjHh62dE2bzmz5riiOZ5PxayMLlLSsqVQL7gkjFr5E0ZqKncdyhnkOiq3G2
LBI618smiGKzeCYbQ4ReRJx7xC59DJbFzu6Uxxe1ItLUhGH43EM33DbTQQu32AeD
htiKQDkxv+POKHegOKwKX161mHNHUF/tPEGCCE5P7bHt+CjiDQk=
=//rT
-----END PGP SIGNATURE-----
--=-=-=--