From mboxrd@z Thu Jan 1 00:00:00 1970 From: ludo@gnu.org (Ludovic =?utf-8?Q?Court=C3=A8s?=) Subject: Re: Can unprivileged users corrupt the store with bad tarballs? Date: Fri, 04 Apr 2014 19:07:32 +0200 Message-ID: <87sipt81m3.fsf@gnu.org> References: <87zjk2gsoc.fsf@yeeloong.lan> <87eh1ep5id.fsf@gnu.org> <87eh1dgu9z.fsf@yeeloong.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:41899) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WW7ad-0001YS-LS for guix-devel@gnu.org; Fri, 04 Apr 2014 13:07:43 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WW7aZ-0007R5-9X for guix-devel@gnu.org; Fri, 04 Apr 2014 13:07:39 -0400 Received: from hera.aquilenet.fr ([2a01:474::1]:60400) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WW7aZ-0007Qx-2h for guix-devel@gnu.org; Fri, 04 Apr 2014 13:07:35 -0400 In-Reply-To: <87eh1dgu9z.fsf@yeeloong.lan> (Mark H. Weaver's message of "Fri, 04 Apr 2014 08:21:12 -0400") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Mark H Weaver Cc: guix-devel@gnu.org Mark H Weaver skribis: > ludo@gnu.org (Ludovic Court=C3=A8s) writes: > >> Mark H Weaver skribis: >> >>> I was thinking about the security implications of giving out shell >>> access to one of my systems running Guix. >>> >>> When I ask guix-daemon to build package 'foo', it will use as an input >>> the source for package 'foo', usually a tarball. If the tarball is >>> already in the store, it won't download it again, because it is >>> effectively cached in the store. >>> >>> It is possible for another user on the same system to corrupt the cache, >>> but manually adding a bad tarball for 'foo' to the store, in such a way >>> that it would be used to build 'foo' when I ask for it? >> >> No. >> >> Tarballs are fixed-output derivations, so the hash of the tarball is >> known in advance. Thus, when building a package, you=E2=80=99re sure to= use the >> tarball whose hash is in the recipe. > > What about things that aren't fixed-output derivations? Are the results > of 'origin' forms with included patches or snippets "fixed-output"? No, these are normal derivations. > Could an unprivileged user add one of these to the store that wasn't > authentic? No, because unprivileged users have to make RPCs to guix-daemon to populate the store (the daemon is a =E2=80=9Csecurity kernel=E2=80=9D.) Th= e daemon ensures that .drv files added to the store are valid, that is, that the output directories that they claim to build have a valid hash. Then, whether or not substitutes or offloading are used (and which substitute servers or build machines are used) is configured by root. Thus, an unprivileged user cannot maliciously inject derivation outputs in the store other than those built/substituted in a way approved by the system administrator. Eelco=E2=80=99s discusses this in more detail (Nix and Guix use what the paper refers to as the =E2=80=9Cextensional model,=E2=80=9D although fixed-output derivatio= ns look more like the =E2=80=9Cintensional model=E2=80=9D.) A recommended read! :-) Ludo=E2=80=99.