From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 47584@debbugs.gnu.org
Subject: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:49:24 +0200 [thread overview]
Message-ID: <878s5zw0tn.fsf@gnu.org> (raw)
In-Reply-To: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:26:53 +0200")
Maxime Devos <maximedevos@telenet.be> skribis:
> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.
Also… in this paragraph, it’s not entirely clear which user we’re
talking about it. In news.scm, I reworded it like so:
The attack can happen when @command{guix system reconfigure} is running.
Running @command{guix system reconfigure} can trigger the creation of new user
accounts if the configuration specifies new accounts. If a user whose account
is being created manages to log in after the account has been created but
before ``skeleton files'' copied to its home directory have the right
ownership, they may, by creating an appropriately-named symbolic link in the
home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
root privileges.
It may also be worth mentioning that the user is likely unable to log in
at all at that point, as I wrote here:
https://issues.guix.gnu.org/47584#6
WDYT?
Ludo’.
next prev parent reply other threads:[~2021-04-03 20:50 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-03 16:09 bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation Maxime Devos
2021-04-03 16:22 ` Maxime Devos
2021-04-03 16:32 ` Maxime Devos
2021-04-03 20:15 ` Ludovic Courtès
2021-04-03 16:26 ` Maxime Devos
2021-04-03 20:45 ` Ludovic Courtès
2021-04-03 20:49 ` Ludovic Courtès [this message]
2021-04-04 13:29 ` Maxime Devos
2021-04-03 20:27 ` Ludovic Courtès
2021-04-03 20:33 ` Ludovic Courtès
2021-04-04 7:36 ` Maxime Devos
2021-04-05 19:54 ` Ludovic Courtès
2021-04-06 9:56 ` Maxime Devos
2021-04-06 11:57 ` Ludovic Courtès
2021-04-07 18:28 ` Maxime Devos
2022-10-21 9:31 ` Maxime Devos
2022-10-28 16:03 ` bug#47584: [DRAFT PATCH v2 0/4] Fix race condition in mkdir-p/perms Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 2/3] WIP gnu: Change the Guile used for activation to one that has 'openat' Maxime Devos
2022-10-28 16:04 ` bug#47584: [PATCH 3/3] activation: Fix TOCTTOU in mkdir-p/perms Maxime Devos
2022-10-28 16:05 ` bug#47584: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46 Maxime Devos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878s5zw0tn.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=47584@debbugs.gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.