blob 67f30539aa23fcc3ea3119a8b4d2432c8e94c5d0 (3395 bytes)
name: website/posts/home-symlink.md

title: Risk of local privilege escalation in account creation
date: 2021-04-04 15:30
author: Maxime Devos, Ludovic Courtès
tags: Security Advisory
---

A security vulnerability that can lead to local privilege
escalation has been found in the code that creates user accounts on Guix
System—Guix on other distros is unaffected.  The system is only vulnerable
during the activation of non-system user accounts that do not already exist.

This exploit is _not_ prevented by the Linux [protected
symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature:
that sysctl only restricts following symbolic links inside sticky,
world-writable directories such as `/tmp`, and a user's home directory
is neither.

# Vulnerability

The attack window opens once the account skeletons have been copied
into the home directory but before their ownership has been set.  A
user who is logged in during that window deletes one of the copied
skeletons (e.g. `$HOME/.gdbinit`) and replaces it with a symbolic link
to a file not owned by the user, such as `/etc/shadow`.  Deleting the
entry only requires write access to the directory, which, before the
fix, the user already owned.

The activation code then calls `chown` on the skeleton's path.  `chown`
follows symbolic links, so it changes the ownership of the file the
link points to instead of the link itself.  At that point the user owns
the target file and has read-write access to it.

# Fix

This [bug](https://issues.guix.gnu.org/47584) has been
[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586).
See below for upgrade instructions.

The fix consists of initially creating the home directory root-owned and only
changing its owner once all skeletons have been copied and their ownership
has been set.  While the directory is still root-owned, the user cannot
unlink or replace entries in it, so there is no window in which a skeleton
can be swapped for a symbolic link.
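The race described above, reproduced in a scratch directory as an added
illustration (this is example code, not the Guix activation code, which is
written in Guile).  It runs unprivileged by using the current user's uid/gid,
and a file named `shadow` under the scratch tree stands in for `/etc/shadow`.
The function names (`chown_would_act_on`, `set_owner_nofollow`,
`simulate_activation`) are the example's own.  Alongside the path-based
`chown` that the pre-fix code relied on, it shows the descriptor-based
defence that `openat`-style functions enable: open the entry relative to the
home directory with `O_NOFOLLOW` and `fchown` the descriptor, so a swapped
skeleton is refused rather than followed.

```python
import errno
import os
import tempfile


def chown_would_act_on(home, name):
    """Inode that a plain chown(2) on HOME/NAME would modify.

    chown(2) resolves symbolic links, so this is what stat(2) reports for
    the path, not the link entry itself.  This mirrors the pre-fix
    behaviour of chowning the copied skeleton by path.
    """
    return os.stat(os.path.join(home, name)).st_ino


def set_owner_nofollow(home, name, uid, gid):
    """Change the owner of HOME/NAME without ever following a symlink.

    The entry is opened relative to a directory fd (openat semantics) with
    O_NOFOLLOW and the owner is set on the resulting fd.  A symbolic link
    cannot be opened this way: the kernel fails with ELOOP, so a swapped
    skeleton is refused instead of chowning its target.
    """
    dfd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC,
                         dir_fd=dfd)
        except OSError as e:
            if e.errno == errno.ELOOP:
                return "refused-symlink"
            raise
        try:
            os.fchown(fd, uid, gid)
        finally:
            os.close(fd)
        return "chowned"
    finally:
        os.close(dfd)


def simulate_activation(attacker_swaps_skeleton):
    """Run the skeleton-copy step in a scratch tree, optionally with the
    attacker's swap interleaved, and report what each chown strategy does.

    Returns (naive_chown_hits_secret, nofollow_outcome).  uid/gid are the
    current user's so this runs unprivileged; 'shadow' under the scratch
    tree is a constructed stand-in for /etc/shadow.
    """
    uid, gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "alice")
        secret = os.path.join(root, "shadow")
        os.makedirs(home)
        with open(secret, "w") as f:
            f.write("root:*:19000:0:99999:7:::\n")  # constructed sample line
        skel = os.path.join(home, ".gdbinit")
        with open(skel, "w") as f:  # activation copies the skeleton
            f.write("set confirm off\n")

        if attacker_swaps_skeleton:
            # The window from the advisory: the user is logged in, owns
            # $HOME, unlinks the copied skeleton and plants a symlink.
            os.unlink(skel)
            os.symlink(secret, skel)

        naive = chown_would_act_on(home, ".gdbinit") == os.stat(secret).st_ino
        outcome = set_owner_nofollow(home, ".gdbinit", uid, gid)
        return naive, outcome


if __name__ == "__main__":
    print("no attack:", simulate_activation(False))  # (False, 'chowned')
    print("with swap:", simulate_activation(True))   # (True, 'refused-symlink')
```

With the swap in place, the path-based `chown` resolves to the inode of the
stand-in `shadow` file, which is exactly the ownership change the advisory
describes; the `O_NOFOLLOW` open fails with `ELOOP` and nothing is changed.
The Guix fix closes the window differently, by keeping the home directory
root-owned until the skeletons are done, so the user cannot unlink anything
in it in the first place; the two defences are complementary.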

# Upgrading

To upgrade the Guix System, run something like:

```
guix pull
sudo guix system reconfigure /run/current-system/configuration.scm
sudo reboot
```

As the user account activation code is run as a shepherd service,
the last step is required to make sure the fixed activation code
is run in the future.

To avoid the vulnerability while upgrading the system, only declare
new user accounts in the configuration file after the Guix System
has been upgraded.

# Conclusions

Work is ongoing to support the `openat` family of POSIX functions in
Guile.  Operating on file descriptors relative to a directory, with
`O_NOFOLLOW`, removes the gap between inspecting a path and acting on it,
which addresses this class of vulnerabilities when those functions are used.

This issue is tracked as
[bug #47584](https://issues.guix.gnu.org/47584); you can read the thread
for more information.

Please report any issues you may have to
[`guix-devel@gnu.org`](https://guix.gnu.org/en/contact/).  See the
[security web page](https://guix.gnu.org/en/security/) for information
on how to report security issues.

#### About GNU Guix

[GNU Guix](https://guix.gnu.org) is a transactional package manager and
an advanced distribution of the GNU system that [respects user
freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html).
Guix can be used on top of any system running the Hurd or the Linux
kernel, or it can be used as a standalone operating system distribution
for i686, x86_64, ARMv7, and AArch64 machines.

In addition to standard package management features, Guix supports
transactional upgrades and roll-backs, unprivileged package management,
per-user profiles, and garbage collection.  When used as a standalone
GNU/Linux distribution, Guix offers a declarative, stateless approach to
operating system configuration management.  Guix is highly customizable
and hackable through [Guile](https://www.gnu.org/software/guile)
programming interfaces and extensions to the
[Scheme](http://schemers.org) language.
