From: Leo Famulari
Subject: Re: Security questions around using Guix to package apps
Date: Tue, 27 Jun 2017 10:29:45 -0400
Message-ID: <20170627142945.GA24687@jasmine.lan>
In-Reply-To: <8737alaiub.fsf@santanas.co.za>
To: Divan Santana
Cc: help-guix@gnu.org

Hello!

On Tue, Jun 27, 2017 at 11:19:24AM +0200, Divan Santana wrote:
> Though the customers/users require to ship applications. They normally do this
> with something like RPMs and a yum repository.
>
> The problem with this is:
> 1. yum/rpm requires root to install/upgrade/remove packages.
> 2. One can ship certain files in an RPM, install it via yum and gain full root.
> 3. One can therefore use the RPMs/yum to gain full root.

[...]

> * Getting to the actual question
> Therefore can one ship files in a guix package and as nonroot install this
> package, then use the files the package provided as a nonroot user to gain root?
>
> Or written another way, if guix is installed on a system and configured to point
> to substitutes that the same nonroot user has access to submit and approve
> packages in, can that nonroot user on the system gain root? Therefore would one
> need to review the submitted packages to avoid the user gaining root?
>
> ** Some theoretical examples of doing this
>
> 1.
> One example to do this would be to create a shell script with =sudo su -= (or
> similar problematic) contents, then byte compile it and ship that in the
> application with the setuid permission bit set on it?
>
> If this was possible with Guix, putting =/gnu= on its own FS with the mount option
> =setuid=0= should solve this.

There are two ways to deploy Guix: Guix on another distro, or GuixSD.

On GuixSD, only privileged users can create setuid binaries.

For Guix on another distro, nobody can create setuid binaries from Guix
packages, at least not without root privileges, and not without some
hacks. As far as I know, while using Guix on a foreign distro, setuid
programs are not supported at all.

See the manual section Setuid Programs for more information:

https://www.gnu.org/software/guix/manual/html_node/Setuid-Programs.html

> 2.
> Ship a sudo file and install it in =/etc/sudoers.d=, though I'm not sure if
> that's possible with Guix since it's kind of its own chroot. Unless it
> supports a post-scripts section and that gets executed as root (doubt it).

Guix packages don't touch the filesystem outside of /gnu/store and /tmp
(while building). And on GuixSD, only root can add users to the sudo
group. So, we don't need to worry about this scenario.

Of course, there may be bugs. But Guix has been designed to prevent the
sort of privilege escalation you describe.

Does that answer your questions? Does anyone else have anything to add?
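Two checks an administrator on a foreign distro can run to confirm the properties discussed in this thread: whether the filesystem holding /gnu/store is mounted `nosuid` (so the kernel ignores any setuid bit there), and whether any setuid/setgid files exist under a store path. This is an added example, not code from the mailing-list message or from Guix; the `/proc/self/mountinfo` sample and the temporary stand-in store directory are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Constructed /proc/self/mountinfo sample: field 5 is the mount point and
# field 6 the per-mount options; the remaining fields are ignored here.
SAMPLE_MOUNTINFO = """\
25 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 25 8:2 / /gnu/store rw,nosuid,nodev,relatime shared:2 - ext4 /dev/sda2 rw
"""

def parse_mountinfo(text):
    """Map each mount point to its set of per-mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6:
            mounts[fields[4]] = set(fields[5].split(","))
    return mounts

def mount_options_for(path, mounts):
    """Options of the most specific mount point that contains path."""
    path = os.path.abspath(path)
    hits = [p for p in mounts if path == p or path.startswith(p.rstrip("/") + "/")]
    return mounts[max(hits, key=len)] if hits else set()

def is_nosuid(path, mountinfo_text=None):
    """True if the filesystem holding path is mounted nosuid (defaults to the live /proc table)."""
    if mountinfo_text is None:
        mountinfo_text = open("/proc/self/mountinfo").read()
    return "nosuid" in mount_options_for(path, parse_mountinfo(mountinfo_text))

def find_setuid_files(root):
    """Sorted (path, octal mode) of regular files under root with setuid or setgid set."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: never follow symlinks
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((full, oct(stat.S_IMODE(mode))))
    return sorted(found)

def build_sample_store():
    """Constructed stand-in for /gnu/store: one plain and one setuid file."""
    root = tempfile.mkdtemp(prefix="fake-store-")
    for name, mode in (("plain-bin", 0o755), ("suid-bin", 0o4755)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

On a real host, `is_nosuid("/gnu/store")` and `find_setuid_files("/gnu/store")` run the same checks against the live mount table and store.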