From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 16:12:50 +0200
Message-ID: <87imoook2l.fsf@nckx>
In-reply-to: <87tv89rnva.fsf@gnu.org>
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org

Ludo',

That was swift, thanks! IANAC++.

Ludovic Courtès wrote:
> diff --git a/nix/libstore/local-store.cc=20 > b/nix/libstore/local-store.cc > index 3b08492c64..3793382361 100644 > --- a/nix/libstore/local-store.cc > +++ b/nix/libstore/local-store.cc > @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace) >=20=20 > Path perUserDir =3D profilesDir + "/per-user"; > createDirs(perUserDir); > - if (chmod(perUserDir.c_str(), 01777) =3D=3D -1) > - throw SysError(format("could not set permissions on=20 > '%1%' to 1777") % perUserDir); > + if (chmod(perUserDir.c_str(), 0755) =3D=3D -1) > + throw SysError(format("could not set permissions on=20 > '%1%' to 755") > + % perUserDir); >=20=20 > mode_t perm =3D 01775;

This is inside

  if (getuid() == 0 && settings.buildUsersGroup != "") { … }

It's not clear to me why the second condition here is relevant, but I don't have the big picture. Nor do I suspect I want it.

Kind regards,

T G-R
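Review bot: the new `chmod(perUserDir.c_str(), 0755)` call tightens the mode of `per-user` itself, but nothing in this hunk checks the entries already present beneath it, which any user could create while the mode was 01777. Consider verifying on upgrade that each existing entry is a directory owned by the expected user, or documenting that administrators must audit them. With the parent no longer world-writable, the hunk also does not show who now creates a user's directory under `per-user`; a comment next to the chmod or a line in the commit message should say where that happens. As the reply points out, the call sits inside the `getuid() == 0 && settings.buildUsersGroup != ""` block, so it is worth stating whether setups that do not satisfy the second condition are meant to keep the old mode.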