Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Date: Sat, 03 Apr 2021 22:15:45 +0200
Message-ID: <87y2dzw2dq.fsf@gnu.org>
In-Reply-To: <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:22:12 +0200")
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be>
List-Id: Bug reports for GNU Guix
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security patch
Hi Maxime,

Maxime Devos writes:

> From 9672bd37bf50db1e0989d0b84035c4788422bd31 Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Tue, 30 Mar 2021 22:36:14 +0200
> Subject: [PATCH 1/2] activation: Do not dereference symlinks in home directory
>  creation.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Fixes .
>
> * gnu/build/activation.scm
> (copy-account-skeletons): Do not chown the home directory; leave this
> to 'activate-user-home'.
> (activate-user-home): Only chown the home directory after the account
> skeletons have been copied.
>
> Co-authored-by: Ludovic Courtès .

Pushed: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586

> From d071ee3aff5be1a6d7876d7411e70f7283dce1fb Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sat, 3 Apr 2021 12:19:10 +0200
> Subject: [PATCH 2/2] news: Add entry for user account activation
>  vulnerability.
>
> TODO for guix committer: correct the commit id appropriately.
>
> * etc/news.scm: Add entry.

I tweaked it to (1) make it clear upfront that only Guix System is
affected, (2) to explicitly recommend an upgrade on Guix System, and
(3) to clarify when the attack can happen.

Thanks for finding the issue, for reporting it at guix-security, and
for preparing these patches!

Ludo’.
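The first commit message above fixes the order of operations (copy the skeleton files first, hand ownership of the home directory to the user only afterwards) and its title says the copy must not dereference symlinks. The following Python script is an added illustration of why both matter; it is not Guix code (the real implementation is Guile Scheme in gnu/build/activation.scm) and the skeleton file, its contents, the "victim" file and the attacker-planted symlink are all constructed for the demo. It models a privileged process populating a home directory that the (untrusted) user already controls: a plain `open(path, "w")` follows a symlink the user left at the skeleton's path and overwrites whatever it points to, whereas an `O_CREAT|O_EXCL|O_NOFOLLOW` open refuses to touch an existing path at all.

```python
"""Added illustration (not Guix code) of the symlink hazard behind bug#47584.

Scenario: a privileged process writes account skeleton files into a home
directory. If the user already owns that directory (the chown happened too
early), they can pre-plant a symlink where a skeleton file will land.
"""
import os
import tempfile

# Constructed sample skeleton; real systems copy /etc/skel or similar.
SKELETON = {".bashrc": "# sample skeleton .bashrc (constructed)\n"}


def copy_skeleton_following_symlinks(home):
    """Unsafe pattern: open(..., 'w') follows a symlink sitting at the target
    path, truncating and rewriting whatever file it points to."""
    for name, body in SKELETON.items():
        with open(os.path.join(home, name), "w") as f:
            f.write(body)


def copy_skeleton_nofollow(home):
    """Safer pattern: create the file exclusively and never follow a symlink.
    O_CREAT|O_EXCL fails with EEXIST if anything (including a dangling
    symlink) already exists at the path; O_NOFOLLOW is belt-and-braces on
    platforms that provide it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    for name, body in SKELETON.items():
        fd = os.open(os.path.join(home, name), flags, 0o644)
        with os.fdopen(fd, "w") as f:
            f.write(body)
    # Only now would a real implementation chown `home` to the new user,
    # which is the ordering the quoted patch enforces.


def simulate(copy_fn):
    """Run `copy_fn` against a home directory where the attacker has already
    planted a symlink .bashrc -> victim. Return (copy_raised, victim_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")  # stands in for a root-owned file
        with open(victim, "w") as f:
            f.write("original\n")

        home = os.path.join(tmp, "home")
        os.mkdir(home, 0o700)
        # Attacker step: the user controls `home` because it was chown'ed
        # before the skeletons were written, so they can place this symlink.
        os.symlink(victim, os.path.join(home, ".bashrc"))

        raised = False
        try:
            copy_fn(home)
        except OSError:  # FileExistsError from the O_EXCL open
            raised = True

        with open(victim) as f:
            return raised, f.read()


if __name__ == "__main__":
    for fn in (copy_skeleton_following_symlinks, copy_skeleton_nofollow):
        raised, text = simulate(fn)
        print(f"{fn.__name__}: raised={raised} victim={text!r}")
```

The unsafe copy silently replaces the victim's contents with the skeleton body; the exclusive, no-follow open raises instead and leaves the victim untouched. Refusing to follow symlinks is defence in depth: the primary fix in the patch is never to give the user the directory before it is fully populated, so there is no window in which the symlink can be planted.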