unofficial mirror of guix-devel@gnu.org 
* [SECURITY] Setuid binaries created in /gnu/store on GuixSD
@ 2017-10-08 19:37 Ludovic Courtès
From: Ludovic Courtès @ 2017-10-08 19:37 UTC (permalink / raw)
  To: Guix-devel, help-guix; +Cc: guix-security

GuixSD Security Advisory
========================

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

Consequently, any program that appeared in ‘setuid-programs’ in a
previous OS generation would remain setuid-root in /gnu/store.  A local
user could thus run previous setuid programs, possibly taking advantage
of old local exploits for those programs.

The bug can also hamper build reproducibility in some cases, as reported
in <https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00060.html>.

Limitations
-----------

  1. This issue only affects GuixSD, not Guix on another distro.

  2. Systems where /gnu/store and / are separate partitions are
     unaffected.

  3. The setuid bit in files under /gnu/store cannot propagate to other
     machines via substitutes (‘guix publish’), offloading, or remote
     copy (‘guix copy’).

  4. The issue matters most on multi-user GuixSD machines.

Details
-------

‘activate-setuid-programs’ in (gnu build activation) did this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

Fix
---

The issue is fixed by this commit:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d

The corresponding bug report is:

  https://bugs.gnu.org/28751

We recommend that you upgrade and then remove setuid files from the
store, in this order:

  1. guix pull

  2. guix system reconfigure config.scm

  3. reboot

  4. As root, run:
       mount -o remount,rw /gnu/store && \
       find /gnu/store -perm -6000 -exec chmod -v a-s {} \; ; \
       mount -o remount,ro /gnu/store

Don’t hesitate to ask if you have any questions.

Ludo' & the fine guix-security@gnu.org folks.
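
The hard-link behaviour described under Details, together with a read-only check that can be run before and after step 4, as an added example that is not part of the original advisory. The temporary directory layout and the function names audit_setid and demo are assumptions made for illustration; the copy case is shown only for contrast and does not describe the fix commit.

```shell
#!/bin/sh
# Added illustration. Everything happens in a throwaway temp directory
# (constructed layout), never in the real /gnu/store.

# List regular files under DIR that carry the setuid or the setgid bit.
# Read-only: it changes nothing on disk.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# demo link: hard-link a dummy "store" file, then chmod the link.
# demo copy: copy it instead, then chmod the copy.
# Prints the set-id files that end up under the dummy store.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/store/pkg/bin" "$root/setuid-programs"
    printf '#!/bin/sh\n' > "$root/store/pkg/bin/su"
    case "$1" in
        link) ln "$root/store/pkg/bin/su" "$root/setuid-programs/su" ;;
        copy) cp "$root/store/pkg/bin/su" "$root/setuid-programs/su" ;;
        *)    rm -rf "$root"; return 2 ;;
    esac
    # The mode is stored in the inode, not in the directory entry, so with
    # a hard link this chmod also changes the file seen under store/.
    chmod 6555 "$root/setuid-programs/su"
    (cd "$root" && audit_setid store)
    rm -rf "$root"
}

echo "link then chmod:"; demo link   # the store file is reported
echo "copy then chmod:"; demo copy   # nothing is reported
```

audit_setid matches files with either bit, whereas ‘-perm -6000’ in step 4 matches files carrying both, which is what the #o6555 chmod produced. Pointed at /gnu/store after step 4, it should print nothing.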
