unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* Can unprivileged users corrupt the store with bad tarballs?
@ 2014-04-03 18:43 Mark H Weaver
  2014-04-03 19:39 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2014-04-03 18:43 UTC (permalink / raw)
  To: guix-devel

I was thinking about the security implications of giving out shell
access to one of my systems running Guix.

When I ask guix-daemon to build package 'foo', it will use as an input
the source for package 'foo', usually a tarball.  If the tarball is
already in the store, it won't download it again, because it is
effectively cached in the store.

It is possible for another user on the same system to corrupt the cache,
but manually adding a bad tarball for 'foo' to the store, in such a way
that it would be used to build 'foo' when I ask for it?

      Mark

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-04-04 17:07 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-03 18:43 Can unprivileged users corrupt the store with bad tarballs? Mark H Weaver
2014-04-03 19:39 ` Ludovic Courtès
2014-04-04 12:21   ` Mark H Weaver
2014-04-04 17:07     ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).