(Due to email issues, I’m sending the message below on behalf of Reepca Russelstein.)

For a very long time, guix-daemon has helpfully made the outputs of failed derivation builds available at the same location they were at in the build container (see https://git.savannah.gnu.org/cgit/guix.git/tree/nix/libstore/build.cc?id=e951a375a01262dfd470ee343baf7c41dbc6ff58#n1371). This has proven quite useful for debugging of various packages, but unfortunately it is implemented by a plain "rename" of the top-level store items from the chroot's store to the real store. This does not change the permissions or ownership of these files, which allows a setuid / setgid binary created by a malicious build to become exposed to the rest of the users, who can then use it to gain control over that build user. They can exploit this control to overwrite the output of any builds run by that user using /proc/PID/fd and SIGSTOP.

Also, there is a window of time for /successful/ build outputs between when they are moved from the chroot and when their permissions are canonicalized, which likewise allows for setuid / setgid binaries to be exposed to other users (see https://git.savannah.gnu.org/cgit/guix.git/tree/nix/libstore/build.cc?id=e951a375a01262dfd470ee343baf7c41dbc6ff58#n2343).

The first patch fixes the former, the second patch fixes the latter. We then need to update the guix package to use these new commits, which I leave to whoever applies this to do since my local repository is in a rather unclean state and a fresh work tree may take some time to be ready to run 'make update-guix-package'.