* Can unprivileged users corrupt the store with bad tarballs?
@ 2014-04-03 18:43 Mark H Weaver
2014-04-03 19:39 ` Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2014-04-03 18:43 UTC (permalink / raw)
To: guix-devel
I was thinking about the security implications of giving out shell
access to one of my systems running Guix.
When I ask guix-daemon to build package 'foo', it will use as an input
the source for package 'foo', usually a tarball. If the tarball is
already in the store, it won't download it again, because it is
effectively cached in the store.
It is possible for another user on the same system to corrupt the cache,
but manually adding a bad tarball for 'foo' to the store, in such a way
that it would be used to build 'foo' when I ask for it?
Mark
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Can unprivileged users corrupt the store with bad tarballs?
2014-04-03 18:43 Can unprivileged users corrupt the store with bad tarballs? Mark H Weaver
@ 2014-04-03 19:39 ` Ludovic Courtès
2014-04-04 12:21 ` Mark H Weaver
0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2014-04-03 19:39 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
Mark H Weaver <mhw@netris.org> skribis:
> I was thinking about the security implications of giving out shell
> access to one of my systems running Guix.
>
> When I ask guix-daemon to build package 'foo', it will use as an input
> the source for package 'foo', usually a tarball. If the tarball is
> already in the store, it won't download it again, because it is
> effectively cached in the store.
>
> It is possible for another user on the same system to corrupt the cache,
> but manually adding a bad tarball for 'foo' to the store, in such a way
> that it would be used to build 'foo' when I ask for it?
No.
Tarballs are fixed-output derivations, so the hash of the tarball is
known in advance. Thus, when building a package, you’re sure to use the
tarball whose hash is in the recipe.
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Can unprivileged users corrupt the store with bad tarballs?
2014-04-03 19:39 ` Ludovic Courtès
@ 2014-04-04 12:21 ` Mark H Weaver
2014-04-04 17:07 ` Ludovic Courtès
0 siblings, 1 reply; 4+ messages in thread
From: Mark H Weaver @ 2014-04-04 12:21 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
ludo@gnu.org (Ludovic Courtès) writes:
> Mark H Weaver <mhw@netris.org> skribis:
>
>> I was thinking about the security implications of giving out shell
>> access to one of my systems running Guix.
>>
>> When I ask guix-daemon to build package 'foo', it will use as an input
>> the source for package 'foo', usually a tarball. If the tarball is
>> already in the store, it won't download it again, because it is
>> effectively cached in the store.
>>
>> It is possible for another user on the same system to corrupt the cache,
>> but manually adding a bad tarball for 'foo' to the store, in such a way
>> that it would be used to build 'foo' when I ask for it?
>
> No.
>
> Tarballs are fixed-output derivations, so the hash of the tarball is
> known in advance. Thus, when building a package, you’re sure to use the
> tarball whose hash is in the recipe.
What about things that aren't fixed-output derivations? Are the results
of 'origin' forms with included patches or snippets "fixed-output"?
Could an unprivileged user add one of these to the store that wasn't
authentic?
Mark
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Can unprivileged users corrupt the store with bad tarballs?
2014-04-04 12:21 ` Mark H Weaver
@ 2014-04-04 17:07 ` Ludovic Courtès
0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2014-04-04 17:07 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
Mark H Weaver <mhw@netris.org> skribis:
> ludo@gnu.org (Ludovic Courtès) writes:
>
>> Mark H Weaver <mhw@netris.org> skribis:
>>
>>> I was thinking about the security implications of giving out shell
>>> access to one of my systems running Guix.
>>>
>>> When I ask guix-daemon to build package 'foo', it will use as an input
>>> the source for package 'foo', usually a tarball. If the tarball is
>>> already in the store, it won't download it again, because it is
>>> effectively cached in the store.
>>>
>>> It is possible for another user on the same system to corrupt the cache,
>>> but manually adding a bad tarball for 'foo' to the store, in such a way
>>> that it would be used to build 'foo' when I ask for it?
>>
>> No.
>>
>> Tarballs are fixed-output derivations, so the hash of the tarball is
>> known in advance. Thus, when building a package, you’re sure to use the
>> tarball whose hash is in the recipe.
>
> What about things that aren't fixed-output derivations? Are the results
> of 'origin' forms with included patches or snippets "fixed-output"?
No, these are normal derivations.
> Could an unprivileged user add one of these to the store that wasn't
> authentic?
No, because unprivileged users have to make RPCs to guix-daemon to
populate the store (the daemon is a “security kernel”.) The daemon
ensures that .drv files added to the store are valid, that is, that the
output directories that they claim to build have a valid hash.
Then, whether or not substitutes or offloading are used (and which
substitute servers or build machines are used) is configured by root.
Thus, an unprivileged user cannot maliciously inject derivation outputs
in the store other than those built/substituted in a way approved by the
system administrator.
Eelco’s <http://nixos.org/~eelco/pubs/secsharing-ase2005-final.pdf>
discusses this in more detail (Nix and Guix use what the paper refers to
as the “extensional model,” although fixed-output derivations look more
like the “intensional model”.) A recommended read! :-)
Ludo’.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2014-04-04 17:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-04-03 18:43 Can unprivileged users corrupt the store with bad tarballs? Mark H Weaver
2014-04-03 19:39 ` Ludovic Courtès
2014-04-04 12:21 ` Mark H Weaver
2014-04-04 17:07 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).