From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Can unprivileged users corrupt the store with bad tarballs? Date: Thu, 03 Apr 2014 14:43:31 -0400 Message-ID: <87zjk2gsoc.fsf@yeeloong.lan> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53428) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WVmd8-0003gL-4v for guix-devel@gnu.org; Thu, 03 Apr 2014 14:44:58 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1WVmcz-0004jG-I6 for guix-devel@gnu.org; Thu, 03 Apr 2014 14:44:50 -0400 Received: from world.peace.net ([96.39.62.75]:44806) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1WVmcz-0004j0-Dk for guix-devel@gnu.org; Thu, 03 Apr 2014 14:44:41 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org I was thinking about the security implications of giving out shell access to one of my systems running Guix. When I ask guix-daemon to build package 'foo', it will use as an input the source for package 'foo', usually a tarball. If the tarball is already in the store, it won't download it again, because it is effectively cached in the store. It is possible for another user on the same system to corrupt the cache, but manually adding a bad tarball for 'foo' to the store, in such a way that it would be used to build 'foo' when I ask for it? Mark