From: bokr@bokr.com
Date: Sat, 21 May 2022 14:54:34 +0200
To: 55361@debbugs.gnu.org, ludo@gnu.org
Subject: bug#55361: [Installer] Extra unprivileged “root” account added
Message-ID: <20220521125434.GA2334@LionPure>
References: <87ee10o1g1.fsf@inria.fr> <87h75jvodh.fsf@gnu.org>
In-Reply-To: <87h75jvodh.fsf@gnu.org>
List-Id: Bug reports for GNU Guix

Hello,

On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès skribis:
>
> > The installer built from:
> >
> >   Generation 214 May 02 2022 21:44:14 (current)
> >     guix 6b588da
> >       repository URL: https://git.savannah.gnu.org/git/guix.git
> >       branch: master
> >       commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
>
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
>
> Ludo’.
>
>

--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe
Date:   Mon Apr 4 16:38:09 2022 +0200

    installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---

--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès
Date:   Fri May 20 20:41:02 2022 +0200

    Revert "installer: user: Remove useless filtering."

    This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.

    Fixes .
--8<---------------cut here---------------end--------------->8---

Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---

Is this like coming home from a 46-day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed?

Or meh?

Is, or should there be, a required signoff on an exploitability
assessment in the commit, when it has that scent?
(e.g. anything possibly opening a door to root privileges).

Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.

Thoughts?
--
Regards,
Bengt Richter