From: Maxim Cournoyer
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 12:37:49 -0400
Message-ID: <87sgnvp9k2.fsf@gmail.com>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx>
In-Reply-To: <87y2xno85o.fsf@nckx> (Tobias Geerinckx-Rice's message of "Mon, 14 Oct 2019 13:53:35 +0200")
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, GNU Guix maintainers, guix-security@gnu.org

Hello,

Tobias Geerinckx-Rice writes:

> Ludo',
>
> Thanks for your report :-p
>
> The 1777 is obviously very bad, no question. However: question:
>
> Ludovic Courtès wrote:
>> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
>> the client for clients connecting over TCP. Or we’d need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> ‘per-user/ludo’.
>
> Assuming the daemon creates it with sane permissions (say 0755) &
> without any race conditions, what's my evil plan now?
>
> Kind regards,
>
> T G-R

It's not yet clear to me how an actual attack would work, but IIUC when
connecting over TCP there's no 'trusted' way to verify that the user is
actually who they say they are; so they could impersonate at will (and
make use of another user's local directory, perhaps arranging to write
something nasty in there).

Is my understanding correct?

Maxim
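The two halves of the question above (a per-user directory created by the daemon "with sane permissions and without any race conditions", and a parent that must not be 1777) can be made concrete. The following is an added example written for this page; it is not code from Guix, Nix, or any participant in the thread. It assumes a layout of `<root>/<username>` where each entry must be owned by the user it is named after, that the daemon runs with enough privilege to `chown`, and that the `uid`/`gid` it is handed come from a trusted source. The function names, the `root_owner` parameter and the `demo()` fixture are all inventions for illustration.

```python
"""Safe creation and audit of per-user profile directories (added example)."""
import os
import stat
from typing import Callable, List


def create_per_user_dir(root: str, name: str, uid: int, gid: int,
                        mode: int = 0o755) -> bool:
    """Create <root>/<name> for user `uid` the way a privileged daemon would.

    Returns True if the directory was created, False if it already existed
    with the expected owner, and raises RuntimeError if an entry of that
    name exists but is a symlink, not a directory, or owned by someone else
    (a pre-planted entry).  Assumption: `uid`/`gid` are trusted, e.g. taken
    from local-socket peer credentials, not from what the client claims.
    """
    if "/" in name or name in ("", ".", ".."):
        raise ValueError(f"bad user name {name!r}")
    dfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        created = False
        try:
            os.mkdir(name, mode, dir_fd=dfd)  # atomic: fails if anything exists
            created = True
        except FileExistsError:
            pass
        # Open whatever is there now without following symlinks, then inspect
        # and fix up the open fd, so a later rename/symlink swap cannot redirect us.
        try:
            fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError as e:
            raise RuntimeError(f"{root}/{name}: not an openable directory ({e.strerror})")
        try:
            st = os.fstat(fd)
            if created:
                os.fchmod(fd, mode)  # undo any umask effect on the mkdir
                os.fchown(fd, uid, gid)
            elif st.st_uid != uid:
                raise RuntimeError(f"{root}/{name}: owned by uid {st.st_uid}, expected {uid}")
        finally:
            os.close(fd)
        return created
    finally:
        os.close(dfd)


def audit_per_user(root: str, lookup_uid: Callable[[str], int],
                   root_owner: int = 0) -> List[str]:
    """Return findings for an existing per-user tree (empty list means clean).

    `lookup_uid` maps a user name to its uid; it is injected so the audit can
    run against a constructed fixture instead of /etc/passwd.
    """
    findings = []
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{root}: not a directory"]
    if st.st_mode & stat.S_IWOTH:  # catches the 1777 case
        findings.append(f"{root}: world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    if st.st_uid != root_owner:
        findings.append(f"{root}: owned by uid {st.st_uid}, expected {root_owner}")
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        est = os.lstat(path)
        if stat.S_ISLNK(est.st_mode):
            findings.append(f"{path}: is a symlink")
            continue
        if not stat.S_ISDIR(est.st_mode):
            findings.append(f"{path}: not a directory")
            continue
        try:
            expected = lookup_uid(name)
        except KeyError:
            findings.append(f"{path}: no such user")
            continue
        if est.st_uid != expected:
            findings.append(f"{path}: owned by uid {est.st_uid}, expected {expected}")
    return findings


def demo() -> dict:
    """Exercise both functions on a constructed fixture in a temporary directory."""
    import tempfile
    root = tempfile.mkdtemp()
    me, mygid = os.getuid(), os.getgid()
    users = {"alice": me, "mallory": me}  # constructed name->uid table
    out = {}
    out["created"] = create_per_user_dir(root, "alice", me, mygid)
    out["again"] = create_per_user_dir(root, "alice", me, mygid)
    out["mode"] = stat.S_IMODE(os.stat(os.path.join(root, "alice")).st_mode)
    try:
        create_per_user_dir(root, "alice", me + 1, mygid)  # existing dir, other uid
        out["hijack_rejected"] = False
    except RuntimeError:
        out["hijack_rejected"] = True
    os.symlink("nowhere", os.path.join(root, "mallory"))  # planted symlink
    try:
        create_per_user_dir(root, "mallory", me, mygid)
        out["symlink_rejected"] = False
    except RuntimeError:
        out["symlink_rejected"] = True
    out["clean_findings"] = audit_per_user(root, users.__getitem__, root_owner=me)
    os.chmod(root, 0o1777)  # the mode the thread calls "obviously very bad"
    out["bad_mode_findings"] = audit_per_user(root, users.__getitem__, root_owner=me)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The creation path is race-free only because the parent is not world-writable and `mkdir` is atomic: if the entry already exists, the daemon never adopts it unless its owner is the expected uid. What the code cannot supply is the uid itself; on a local Unix socket the daemon can read peer credentials (Linux `SO_PEERCRED`), whereas over TCP it only has the name the client asserts, which is the gap the message above is asking about.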