From: Divan Santana <divan@santanas.co.za>
To: help-guix@gnu.org
Subject: Security questions around using Guix to package apps
Date: Tue, 27 Jun 2017 11:19:24 +0200
Message-ID: <8737alaiub.fsf@santanas.co.za>

Hi All,

Firstly, love the work the Guix community is doing and hoping to start
using it more.

I don't know too much about Guix but we are considering using it and
switching from the typical RPM/yum solution we have implemented in our
large corporation here.

* Our problem

So our team manages a few thousand Linux systems for customers.

We don't allow full root access for the customers/users of the systems.

Though the customers/users require to ship applications. They normally do this
with something like RPMs and a yum repository.

The problem with this is:
1. yum/rpm requires root to install/upgrade/remove packages.
2. One can ship certain files in an RPM, install it via yum, and gain full root.
3. One can therefore use the RPMs/yum to gain full root.

* Consider Guix as a solution

The question is if Guix could solve the above?

I know it doesn't require root so that solves problem 1.

Though I think 2 is still a problem. Is it?

* Getting to the actual question
Therefore can one ship files in a guix package and as nonroot install this
package. Then use the files the package provided as a nonroot user to gain root?

Or written another way, if guix is installed on a system and configured to point
to substitutes that the same nonroot user has access to submit and approve
packages in, can that nonroot user on the system gain root? Therefore would one
need to review the submitted packages to avoid the user gaining root?

** Some theoretical examples of doing this

1.
One example to do this would be to create a shell script with =sudo su -= (or
similar problematic) contents then byte compile it and ship that in the
application with setuid permission bit set on it?

If this was possible with Guix, putting =/gnu= on its own FS with mount option
of =setuid=0= should solve this.

2.
Ship a sudo file and install it in =/etc/sudoers.d= though I'm not sure if
that's possible with Guix since it's kind of in its own chroot. Unless it
supports a post-scripts section and that gets executed as root (doubt it).

Hope the above makes sense.

Greetings from South Africa
--
Divan Santana
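
Added example, not part of the original message and not Guix code: a defender-side audit for scenario 1 above. It lists setuid/setgid regular files under a tree and checks, from text in /proc/mounts format, whether the filesystem holding a path carries the Linux `nosuid` mount option. The `/gnu/store` path used at the bottom and the sample mount table are assumptions constructed for illustration.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /gnu ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

def mount_options(path, mounts_text):
    """Return (mount_point, options) of the filesystem that holds path."""
    path = os.path.normpath(path)
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        point = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        inside = point == "/" or path == point or path.startswith(point + "/")
        # Longest mount point wins; on a tie the later line shadows the earlier.
        if inside and (best is None or len(point) >= len(best[0])):
            best = (point, set(fields[3].split(",")))
    return best

def is_nosuid(path, mounts_text):
    """True if the filesystem holding path ignores setuid/setgid on exec."""
    found = mount_options(path, mounts_text)
    return found is not None and "nosuid" in found[1]

def find_privileged_files(root):
    """Return sorted (path, kind) for setuid/setgid regular files under root."""
    checks = (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            bits = [kind for kind, bit in checks if mode & bit]
            if stat.S_ISREG(mode) and bits:
                hits.append((full, "+".join(bits)))
    return sorted(hits)

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        live = fh.read()
    print("/gnu/store on nosuid filesystem:", is_nosuid("/gnu/store", live))
    for path, kind in find_privileged_files("/gnu/store"):
        print(kind, path)
```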
