From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id yP1QL3IqGGBcBQAA0tVLHw (envelope-from ) for ; Mon, 01 Feb 2021 16:21:06 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id OHXcKnIqGGBUCgAAB5/wlQ (envelope-from ) for ; Mon, 01 Feb 2021 16:21:06 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 3C68994059B for ; Mon, 1 Feb 2021 16:21:02 +0000 (UTC) Received: from localhost ([::1]:56186 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l6bwj-0006eS-2O for larch@yhetil.org; Mon, 01 Feb 2021 11:21:01 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:49300) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l6bvr-0006cM-O8 for guix-devel@gnu.org; Mon, 01 Feb 2021 11:20:08 -0500 Received: from xavier.telenet-ops.be ([2a02:1800:120:4::f00:14]:49360) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1l6bvj-0005Qn-RO for guix-devel@gnu.org; Mon, 01 Feb 2021 11:20:07 -0500 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by xavier.telenet-ops.be with bizsmtp id PsKs2400A0mfAB401sKsmU; Mon, 01 Feb 2021 17:19:52 +0100 Message-ID: Subject: Re: Potential security weakness in Guix services From: Maxime Devos To: Julien Lepiller , guix-devel@gnu.org, Ludovic =?ISO-8859-1?Q?Court=E8s?= , Leo Famulari Date: Mon, 01 Feb 2021 17:19:45 +0100 In-Reply-To: <08F0CD76-DDCF-4CFA-AE8D-5FB165A62B25@lepiller.eu> References: <87k0rrls0z.fsf@gnu.org> <08F0CD76-DDCF-4CFA-AE8D-5FB165A62B25@lepiller.eu> Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-uDOoYr/KEdKbJVu/4JtT" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1612196392; bh=kPykdV8RFGhFEXejyGsJdJSclM3l185fKK2/KTm8Xkk=; h=Subject:From:To:Date:In-Reply-To:References; b=QWlY8SYOL08gWAKz2WhpzW+V7LFu5sXwSJAV8Ehi5PN4c/W8BAhJqwz7omDrvMK7h ZbhkWklFT7UqvHYf2yzqVRG49DINF3tqO8QRoftmlGGCEQhJqbk1R0Q78qSmJ0uaxT iR8Gw6Q/wuI9E0J8eZf6NHfCr6by4PZZBL9dQTjO2A3jSylY9vwCT/Yy3uyjLDvigi WrO37+9BC9rbqctXJfkbD9ZR0qAZGCo3b1NUuq95BADSFulBaIRAPT1g6f2Wj6kMet AZ4Wd4LeYT/YH2aOdio5Kqpwh3qiwpQ6Hgr7vRU8BwnoNc+sUnRtoV0rH4HMQfA2/5 YvALWsW1NxDsw== Received-SPF: pass client-ip=2a02:1800:120:4::f00:14; envelope-from=maximedevos@telenet.be; helo=xavier.telenet-ops.be X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=unavailable autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -5.16 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=QWlY8SYO; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 3C68994059B X-Spam-Score: -5.16 X-Migadu-Scanner: scn1.migadu.com X-TUID: GoOD0gWyBqpD --=-uDOoYr/KEdKbJVu/4JtT Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable > > I=E2=80=99m not sure I understand the threat model. If Knot has a RCE > > vulnerability, it can be exploited to run anything on behalf of the > > =E2=80=98knot=E2=80=99 user. > >=20 > > At that point, all the state associated with Knot in /var/lib should be > > considered tainted; new keys should be generated, and so on. > >=20 > > Why focus on the permissions on /var/lib/knot? >=20 > My understanding is that, in case of an RCE in knot, the attacker can > replace /var/lib/knot/* with symlinks to arbitrary files in the FS. When > the activation procedure is run afterwards, the files being linked to > are chowned to the knot user, and the attacker can access them. That's exactly what I had in mind! Though I would like to stress that =E2=80=98access=E2=80=99 here is both reading and writing. Maxime. --=-uDOoYr/KEdKbJVu/4JtT Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYBgqIhccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7qe4AQCv7VIIewI+U/M9tjA/ptmVvdfc hPT4fN9aw8nDyznzoQD+M5SBZqzCzSfkSx8lUgUI+riImuNA62bpHAZLAS/hZww= =rsRY -----END PGP SIGNATURE----- --=-uDOoYr/KEdKbJVu/4JtT--