From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id eEKwA76lxV73YQAA0tVLHw (envelope-from ) for ; Wed, 20 May 2020 21:48:46 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id MGvtOr2lxV5+XwAAbx9fmQ (envelope-from ) for ; Wed, 20 May 2020 21:48:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 7FEE3940415 for ; Wed, 20 May 2020 21:48:45 +0000 (UTC) Received: from localhost ([::1]:40606 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWZw-0004kb-DI for larch@yhetil.org; Wed, 20 May 2020 17:48:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:51436) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jbWZH-0003Qp-So for guix-patches@gnu.org; Wed, 20 May 2020 17:48:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:43006) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jbWZH-0003Nf-HU for guix-patches@gnu.org; Wed, 20 May 2020 17:48:03 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jbWZH-00063o-GC for guix-patches@gnu.org; Wed, 20 May 2020 17:48:03 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#41425] [PATCH 5/5] pull: Protect against downgrade attacks. Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 20 May 2020 21:48:03 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 41425 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 41425@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Received: via spool by 41425-submit@debbugs.gnu.org id=B41425.159001127523254 (code B ref 41425); Wed, 20 May 2020 21:48:03 +0000 Received: (at 41425) by debbugs.gnu.org; 20 May 2020 21:47:55 +0000 Received: from localhost ([127.0.0.1]:54548 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ8-00062z-RJ for submit@debbugs.gnu.org; Wed, 20 May 2020 17:47:55 -0400 Received: from eggs.gnu.org ([209.51.188.92]:43974) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jbWZ2-000625-JM for 41425@debbugs.gnu.org; Wed, 20 May 2020 17:47:52 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59462) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jbWYx-0003M6-AT; Wed, 20 May 2020 17:47:43 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56656 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1jbWYv-0007cZ-TH; Wed, 20 May 2020 17:47:42 -0400 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Wed, 20 May 2020 23:47:25 +0200 Message-Id: <20200520214725.2437-5-ludo@gnu.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200520214725.2437-1-ludo@gnu.org> References: <20200520214725.2437-1-ludo@gnu.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Spam-Score: -3.3 (---) X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Scanner: scn0 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Spam-Score: 3.99 X-TUID: go6Yh6SW/lF2 * guix/scripts/pull.scm (%default-options): Add 'validate-pull'. (%options, show-help): Add '--allow-downgrades'. (warn-about-backward-updates): New procedure. (guix-pull): Pass #:current-channels and #:validate-pull to 'latest-channel-instances'. * guix/channels.scm (ensure-forward-channel-update): Add hint for when (channel-commit channel) is true. * doc/guix.texi (Invoking guix pull): Document '--allow-downgrades'. --- doc/guix.texi | 15 +++++++++++++++ guix/channels.scm | 34 +++++++++++++++++++--------------- guix/scripts/pull.scm | 35 ++++++++++++++++++++++++++++++++--- 3 files changed, 66 insertions(+), 18 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index eef5b703fe..79ed260a85 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -3900,6 +3900,21 @@ Use @var{profile} instead of @file{~/.config/guix/current}. Show which channel commit(s) would be used and what would be built or substituted but do not actually do it. +@item --allow-downgrades +Allow pulling older or unrelated revisions of channels than those +currently in use. + +@cindex downgrade attacks, protection against +By default, @command{guix pull} protects against so-called ``downgrade +attacks'' whereby the Git repository of a channel would be reset to an +earlier or unrelated revision of itself, potentially leading you to +install older, known-vulnerable versions of software packages. + +@quotation Note +Make sure you understand its security implications before using +@option{--allow-downgrades}. +@end quotation + @item --system=@var{system} @itemx -s @var{system} Attempt to build for @var{system}---e.g., @code{i686-linux}---instead of diff --git a/guix/channels.scm b/guix/channels.scm index 70e2d7f07c..84c47fc0d0 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -246,25 +246,29 @@ This procedure implements a channel update policy meant to be used as a ('ancestor #t) ('self #t) (_ - (raise (apply make-compound-condition - (condition - (&message (message - (format #f (G_ "\ + (raise (make-compound-condition + (condition + (&message (message + (format #f (G_ "\ aborting update of channel '~a' to commit ~a, which is not a descendant of ~a") - (channel-name channel) - (channel-instance-commit instance) - start)))) + (channel-name channel) + (channel-instance-commit instance) + start)))) - ;; Don't show the hint when the user explicitly specified a - ;; commit in CHANNEL. - (if (channel-commit channel) - '() - (list (condition - (&fix-hint - (hint (G_ "This could indicate that the channel has + ;; If the user asked for a specific commit, they might want + ;; that to happen nevertheless, so tell them about the + ;; relevant 'guix pull' option. + (if (channel-commit channel) + (condition + (&fix-hint + (hint (G_ "Use @option{--allow-downgrades} to force +this downgrade.")))) + (condition + (&fix-hint + (hint (G_ "This could indicate that the channel has been tampered with and is trying to force a roll-back, preventing you from getting the latest updates. If you think this is not the case, explicitly -allow non-forward updates."))))))))))) +allow non-forward updates.")))))))))) (define* (latest-channel-instances store channels #:key diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index dfe7ee7ad5..c386d81b8e 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -81,7 +81,8 @@ (multiplexed-build-output? . #t) (graft? . #t) (debug . 0) - (verbosity . 1))) + (verbosity . 1) + (validate-pull . ,ensure-forward-channel-update))) (define (show-help) (display (G_ "Usage: guix pull [OPTION]... @@ -94,6 +95,8 @@ Download and deploy the latest version of Guix.\n")) --commit=COMMIT download the specified COMMIT")) (display (G_ " --branch=BRANCH download the tip of the specified BRANCH")) + (display (G_ " + --allow-downgrades allow downgrades to earlier channel revisions")) (display (G_ " -N, --news display news compared to the previous generation")) (display (G_ " @@ -158,6 +161,10 @@ Download and deploy the latest version of Guix.\n")) (option '("branch") #t #f (lambda (opt name arg result) (alist-cons 'ref `(branch . ,arg) result))) + (option '("allow-downgrades") #f #f + (lambda (opt name arg result) + (alist-cons 'validate-pull warn-about-backward-updates + result))) (option '(#\p "profile") #t #f (lambda (opt name arg result) (alist-cons 'profile (canonicalize-profile arg) @@ -188,6 +195,21 @@ Download and deploy the latest version of Guix.\n")) %standard-build-options)) +(define (warn-about-backward-updates channel start instance relation) + "Warn about non-forward updates of CHANNEL from START to INSTANCE, without +aborting." + (match relation + ((or 'ancestor 'self) + #t) + ('descendant + (warning (G_ "rolling back channel '~a' from ~a to ~a~%") + (channel-name channel) start + (channel-instance-commit instance))) + ('unrelated + (warning (G_ "moving channel '~a' from ~a to unrelated commit ~a~%") + (channel-name channel) start + (channel-instance-commit instance))))) + (define* (display-profile-news profile #:key concise? current-is-newer?) "Display what's up in PROFILE--new packages, and all that. If @@ -749,7 +771,9 @@ Use '~/.config/guix/channels.scm' instead.")) (substitutes? (assoc-ref opts 'substitutes?)) (dry-run? (assoc-ref opts 'dry-run?)) (channels (channel-list opts)) - (profile (or (assoc-ref opts 'profile) %current-profile))) + (profile (or (assoc-ref opts 'profile) %current-profile)) + (current-channels (profile-channels profile)) + (validate-pull (assoc-ref opts 'validate-pull))) (cond ((assoc-ref opts 'query) (process-query opts profile)) ((assoc-ref opts 'generation) @@ -766,7 +790,12 @@ Use '~/.config/guix/channels.scm' instead.")) (ensure-default-profile) (honor-x509-certificates store) - (let ((instances (latest-channel-instances store channels))) + (let ((instances + (latest-channel-instances store channels + #:current-channels + current-channels + #:validate-pull + validate-pull))) (format (current-error-port) (N_ "Building from this channel:~%" "Building from these channels:~%" -- 2.26.2