Duncan Overbruck reported on guix-security on Jan. 30th that on Guix System, programs listed in ‘setuid-programs’ all end up being setuid-root *and* setgid-root (this issue is only relevant to Guix System users; users of Guix on “foreign” distros are unaffected). The latter could potentially lead to local privilege escalation because these programs are usually designed to be setuid-root, but not setgid-root.

As Duncan wrote:

> The issue is that those programs, like ping, are not aware of being
> installed with setgid and then fail to drop full privileges.
>
> In case someone finds a vulnerability in ping that happens somewhere after
> the privileges should have been dropped, then you have a privilege escalation
> issue and not just a buffer overflow in code running as the user.
>
> Another case would be, for example, dbus-launch-helper, usually owned by
> root:dbus and not executable by others, but in Guix it is root:root
> and readable/executable by others; this could potentially open more
> attack surface.
>
> By forcing every single setuid binary to be just root:root 06555 you
> deviate from the developers' intended permissions, and there could be something
> that is going to be exploitable just because Guix deviates from that.

We do not know of any exploitation of this issue.
For completeness, here is the list of setuid programs one may get on Guix System by using the settings and services currently provided (‘service-types/setuid’ comes from the attached file):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(gnu system)
scheme@(guile-user)> ,pp %setuid-programs
$32 = (# "/bin/passwd">
       # "/bin/sg">
       # "/bin/su">
       # "/bin/newgrp">
       # "/bin/newuidmap">
       # "/bin/newgidmap">
       # "/bin/ping">
       # "/bin/ping6">
       # "/bin/sudo">
       # "/bin/sudoedit">
       # "/bin/fusermount">
       # "/bin/mount">
       # "/bin/umount">)
scheme@(guile-user)> ,pp (service-types/setuid)
$33 = (# # # # #)
--8<---------------cut here---------------end--------------->8---

The immediate fix is to not make those programs setgid-root (patch attached).

(Incidentally, Chris Webber proposed to make it explicit, which we’ll do eventually: .)

Many thanks to Duncan Overbruck for reporting the issue!

Ludo’.
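To check whether an installed system still exhibits the problem, here is an added audit snippet (not part of the report or of the attached patch). It lists every program under a directory that carries both the setuid and the setgid bit, i.e. the root:root 06555 case Duncan describes; the default directory /run/setuid-programs is an assumption about where Guix System places its setuid wrappers, so pass your own path if it differs.

```shell
# Constructed audit check, not code from the Guix tree: report programs
# that are setuid AND setgid, the combination this report describes.
# The default directory is an assumption about the Guix System layout.
check_setgid_wrappers() {
    dir=${1:-/run/setuid-programs}
    # -perm -6000 matches files with both 4000 (setuid) and 2000 (setgid) set.
    find "$dir" -type f -perm -6000 2>/dev/null | sort
}

# Exit status 0 when no program in DIR is both setuid and setgid, 1 otherwise;
# a fixed system (setuid-only wrappers, e.g. mode 04555) should return 0.
assert_no_setgid_root() {
    [ -z "$(check_setgid_wrappers "$1")" ]
}
```

Run `check_setgid_wrappers` after reconfiguring with the patch applied; an empty listing means none of the setuid programs is setgid any more.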