From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id eKTyGPrBU2A5NwAA0tVLHw (envelope-from ) for ; Thu, 18 Mar 2021 21:11:22 +0000 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id SKS4FPrBU2DbTAAA1q6Kng (envelope-from ) for ; Thu, 18 Mar 2021 21:11:22 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 8E3FB21406 for ; Thu, 18 Mar 2021 22:11:21 +0100 (CET) Received: from localhost ([::1]:36812 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lMzvL-0003Yi-5N for larch@yhetil.org; Thu, 18 Mar 2021 17:11:19 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:33192) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lMzv5-0003YS-82 for bug-guix@gnu.org; Thu, 18 Mar 2021 17:11:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:36668) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lMzv4-0005eR-Ka for bug-guix@gnu.org; Thu, 18 Mar 2021 17:11:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lMzv4-0001Mn-FY; Thu, 18 Mar 2021 17:11:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47229: Local privilege escalation via guix-daemon and =?UTF-8?Q?=E2=80=98--keep-failed=E2=80=99?= Resent-From: Leo Famulari Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 18 Mar 2021 21:11:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 47229 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security fixed To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 47229-submit@debbugs.gnu.org id=B47229.16161018595244 (code B ref 47229); Thu, 18 Mar 2021 21:11:02 +0000 Received: (at 47229) by debbugs.gnu.org; 18 Mar 2021 21:10:59 +0000 Received: from localhost ([127.0.0.1]:48214 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMzv1-0001MW-CN for submit@debbugs.gnu.org; Thu, 18 Mar 2021 17:10:59 -0400 Received: from wout4-smtp.messagingengine.com ([64.147.123.20]:44155) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lMzuz-0001MJ-Ok for 47229@debbugs.gnu.org; Thu, 18 Mar 2021 17:10:58 -0400 Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.west.internal (Postfix) with ESMTP id DFFEC1032; Thu, 18 Mar 2021 17:10:51 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute3.internal (MEProxy); Thu, 18 Mar 2021 17:10:52 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=8TLljeB3SoeHAoBN+XuZKK0D 8txlXCK4cAEQbusTF/c=; b=RkAwBBAjbcjeGbkd4Ml5sdtYTxIP6XjMnSZG7Wmk uIKFSOQgY9Zt+msrh6yWQcFBxzQM+Lk4CUlTQdT65fWDgjxfgTn3hnkiaFUhOqnc LeVUVRjHalXKGLwmIBReeDo6mwbUDuljt+uhosHTm9liZjBSGkyEkq6kqXF31T2N 5xo= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=8TLlje B3SoeHAoBN+XuZKK0D8txlXCK4cAEQbusTF/c=; b=QeVYIT7H732MtS+4jgh5jw rKimPuCwx02hmihDSF5h/ozmGdsEKh7BwZoAhBcXn0twamGllc9Lv7I6V2bB5RQL pXsqWsZpN0EIyQK/vy+/5uRkhxNqI3kfj7gnZkk53/8QC8KJp4G+h5YGkmgjS3Tk ZehMBrjmmuRQ+Nm+KxaF5j2yiuOUfqIJKrljRfgWilE5FdKWEBhF4KQg2mGKGQCi mya6XTIFy75YybLi9vtldUq12moOLP/dEgrhhV/pNUtCabXtk7JwlOEX1HQX62Su vyliRw74de6wF5s2ksA3tG7dYKFVqwE72e0m9PcI35OtPehauCFl8JVqrarI1iYw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudefiedgudegkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpeffhffvuffkfhggtggujgesghdtreertddtjeenucfhrhhomhepnfgvohcu hfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhirdhnrghmvgeqnecuggftrfgrth htvghrnhephfekvdduieehfedttdduledvgfehleevleejheettddvffevgeejgeetueff keetnecuffhomhgrihhnpehgnhhurdhorhhgnecukfhppedutddtrdduuddrudeiledrud dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl vghosehfrghmuhhlrghrihdrnhgrmhgv X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id 31B7B24005D; Thu, 18 Mar 2021 17:10:51 -0400 (EDT) Date: Thu, 18 Mar 2021 17:10:49 -0400 From: Leo Famulari Message-ID: References: <87lfaksock.fsf@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="dzF1svFDk/IQH/JI" Content-Disposition: inline In-Reply-To: <87lfaksock.fsf@gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: 47229@debbugs.gnu.org Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616101882; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=8TLljeB3SoeHAoBN+XuZKK0D8txlXCK4cAEQbusTF/c=; b=f3eWwtY5hNJaJFncPLYUtj6beNTYPsTAToCvO4sHytAHxsg+PoEYW7y73zFsD+Vfl/RRdv lp9hgPTVSWMIVA+Nv38XKzaPh7yE0ZMLGb1itUeXU4bZM3+yzEJSyWp7wPYVMZWCklmY9j 4HJzpTANuSSMN3y4ShS2sqvaDbJ3kxguEGWEtynORoRPGK3QSYLY15cPzPvVvvjtYVZe9t SgRnEcne0Dy1fgH+JesAmrEaDAwYOtO3slH5W+iC/5r7LCdOfblZlLHAqgUHC0Qfzi5O8R z6UXQvVBWqtQKOnUMjoaaA1CksFa6FdFasXi+CdY0qnjX7zkgfgEHI05La5/Vw== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616101882; a=rsa-sha256; cv=none; b=EpDLA1Ib+2Wy7OzAftO3Zs/relcHwdpECQRgGJ+yIQ8UpydQ7L4jvpZcx6h1oj6u0GI1Va SKwKQPWB63YcJqRzF/gd1C7xBIdc7sSuatovXdGjvilTCi7Hw46xpa7VFW0A8pT8Y2AhkV wCSmjFZNkTT3HEXO3uLLBSXCp5g6Amq0H/w3H1WMhviYLkHEyAH0qHqdOo2ZqKBTazyN5q vpR/CN/7cUfgjDomL1vNy/DWKGfvyRB2srM2jA3dNqmYJf72JNNjzUyyUOS1ZASkuKHUZ6 58BvdXR49bDk6ITetJvp2arW/ITzvFbFxzIY4I0TJv7bc77f5DVLfI4Vm3QqGg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=RkAwBBAj; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=QeVYIT7H; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -3.51 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=RkAwBBAj; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=QeVYIT7H; dmarc=none; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 8E3FB21406 X-Spam-Score: -3.51 X-Migadu-Scanner: scn0.migadu.com X-TUID: KqsOY9usOQu5 --dzF1svFDk/IQH/JI Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Mar 18, 2021 at 12:17:15PM +0100, Ludovic Court=C3=A8s wrote: > It does not affect multi-user setups where =E2=80=98guix-daemon=E2=80=99 = runs on a > separate machine and is accessed over the network, via > =E2=80=98GUIX_DAEMON_SOCKET=E2=80=99, as is customary on cluster setups. = Machines where > the Linux =E2=80=9Cprotected hardlink=E2=80=9D[*] feature is enabled, whi= ch is common, > are also unaffected=E2=80=94this is the case when the contents of > /proc/sys/fs/protected_hardlinks are 1. After publishing the advisory, we received a clarification about the impact of "protected hardlinks". When using a guix-daemon that does not include the fix [0] for the bug reported here, it is still possible for rogue build scripts to escape the build environment, even when protected hardlinks are enabled. Protected hardlinks do make exploitation significantly more difficult, but not impossible. For this reason, we continue to recommend that all Guix users upgrade their guix-daemons, as described in the original advisory. [0] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3Dec7fb669945bfb47c5e= 1fdf7de3a5d07f7002ccf --dzF1svFDk/IQH/JI Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBTwdkACgkQJkb6MLrK fwhRjhAA7Q1QD4rjWsQv3r83DUZs2lGrH7lh8nJQTevij6xmFBNda4g+aFicdmq9 mHOeQLqnZKw/KOdVAcND1IXghKrjq0fiLA8cwxUG0XcrVAQjwCv58KLQMfjYbYfs L99rbFWLUbw6T9PlarWsiNOZSKfW0i8rycNGaWoYpNqhWczR4cdSWOcAjkt6u6Ps Wqk3PZmALPnT3gSMP4b6j8Ra/H8jgpo4RT4DmleMtt6aiVrA9r+ssRN8z2UwAVMg UZ2afiHyaQWN1flUzwCM0mVgaGhMUWAUriIWLTykRBZnI0hoboNrBvHrLa0lge81 oZBQ5cFepFMshTRLHXjP44A7KGRAH5WJlUGXCNlTr6s2ATxyfD6ZkcsU/a2HPxOj BJVvgZuSa78yNo3uHNzwkGsU6Ghi0muYFiet/gqUytH/BCHR44PyosKKRrChgfPa p/hnaA752w5bwYpUs10KcGjRGFsTLBlLl+cFqVGBa+oRT1Aq7DbdPFh1bBSREDfg piMX+L+4tweC0isOy7SaM2dnj1BNfg05hYwjDY4lY1uCTZ98dGRXaYElEev1h35c LHdunj8xM5HOJ18uNJ8pPxtyheR5WwSE4bb5IVOHRzfi7MXJja8ofrx7CBfb9IiO PWmmwrXWsSaLg+OjI1NXIfGgCFH+sH3uzmNaT4hs63IysIYKEo0= =QbGk -----END PGP SIGNATURE----- --dzF1svFDk/IQH/JI--