From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id GJVTIp4PFGATbAAA0tVLHw (envelope-from ) for ; Fri, 29 Jan 2021 13:37:34 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id WPdLHp4PFGBffAAA1q6Kng (envelope-from ) for ; Fri, 29 Jan 2021 13:37:34 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E0D1B9401C0 for ; Fri, 29 Jan 2021 13:37:33 +0000 (UTC) Received: from localhost ([::1]:52798 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l5Txs-00074s-Rx for larch@yhetil.org; Fri, 29 Jan 2021 08:37:32 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:33142) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5TuE-0003ce-JJ for guix-devel@gnu.org; Fri, 29 Jan 2021 08:33:47 -0500 Received: from andre.telenet-ops.be ([2a02:1800:120:4::f00:15]:51504) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1l5TuC-0003Rn-8q for guix-devel@gnu.org; Fri, 29 Jan 2021 08:33:46 -0500 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by andre.telenet-ops.be with bizsmtp id NdZd2400P0mfAB401dZdCh; Fri, 29 Jan 2021 14:33:38 +0100 Message-ID: Subject: Re: Potential security weakness in Guix services From: Maxime Devos To: Leo Famulari , guix-devel@gnu.org Date: Fri, 29 Jan 2021 14:33:33 +0100 In-Reply-To: References: Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="=-L/H8lEI6lsDE68EGeu+e" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1611927218; bh=YqO4GYsOKdUpeCucgcxZTit0bf01zkBT3+cXixskgL0=; h=Subject:From:Reply-To:To:Date:In-Reply-To:References; b=F37octOpU/dFrw99DNIltbzsFRNjw8d25mvPz7Au/ZRFZX+9y0darkYu2AnqozbB7 Ru8Fz8KwPSmh1nSNO+MecjScdlKNWMkAoKg+CtewWunIhTCOH/Hxe29Z2YJ+3Xm/ju 7lIlr4VOlNFDxt6aNh4wgyAp5gvQEiZAlDSpv3DYnGBQnOs6RZpNekkznHkYA7B2Ag lReXaPzUd/88S1+uTusORnfR7xdmfUAQlaOarte5WqNJGE4L1GfhWOw6V3gRBhUA3H vZj6SVQs5evp4w5XGLvP20+xmL5IqzuqSmZkkScuX+peUWxYaxDrCa9QnPEBP3GEZt ixxohhaTdVQrA== Received-SPF: pass client-ip=2a02:1800:120:4::f00:15; envelope-from=maximedevos@telenet.be; helo=andre.telenet-ops.be X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -5.15 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=telenet.be header.s=r21 header.b=F37octOp; dmarc=pass (policy=none) header.from=telenet.be; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: E0D1B9401C0 X-Spam-Score: -5.15 X-Migadu-Scanner: scn0.migadu.com X-TUID: 1wMx8MBD+HrA --=-L/H8lEI6lsDE68EGeu+e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Guix, On Thu, 2021-01-28 at 16:53 -0500, Leo Famulari wrote: > On January 19 2021, we received a message from Maxime Devos describing a > potential attack vector on Guix System. >=20 > If an attacker can exploit a remote code execution vulnerability (RCE) > in a program used by a Guix service, they could use it to take over the > system in some cases. We have not deployed any mitigations for this. >=20 > Below is a summary of their messages, including a mitigation proposal. > Your feedback is requested! I'm writing a patch right now. It's a little more elaborate than my mkdir-p/own proposal. In the patch, directories with owner, group and permission bits are created via extensions to a =E2=80=98fs-entry-servi= ce-type=E2=80=99, which will perform various basic consistency checks at build time (e.g., no directory can be owned by multiple users). I'll post a draft when it's ready. Maxime --=-L/H8lEI6lsDE68EGeu+e Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYBQOrRccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7kEoAQDAPgFXt2SwiY7A7rT8Ihfqca7w B8H41Y8bCtq7OYIqMAEA7BmwMepMpfJRppl2RLZCuQujWNC6LM32CoBgdznUdwU= =HRA0 -----END PGP SIGNATURE----- --=-L/H8lEI6lsDE68EGeu+e--