From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Why is /gnu/store writable by the guixbuild group?
Date: Sat, 23 Jan 2016 21:56:46 +0100
Message-ID: <878u3gui9d.fsf@gnu.org>
In-Reply-To: <20160122231756.GA2284@stebalien.com> (Steven Allen's message of "Fri, 22 Jan 2016 18:17:56 -0500")
To: Steven Allen
Cc: help-guix

Steven Allen wrote:

> On 01-22-16, Ludovic Courtès wrote:
>> What’s TPE (sorry for asking) and how does it complain exactly?
>
> Never mind. This is a false positive and I've reported it to the
> grsecurity people (although they may not fix it...).
>
> FYI...
>
> TPE is Trusted Path Execution. Basically, it means that unprivileged
> users can only execute files that are not writable, or in directories
> writable, by users other than the current user or root. This is to help
> make it harder to trick users into executing files written by a
> malicious user.

OK.

> However, after thinking about it, I think this case is a false positive
> because:
>
> 1. The /gnu/store/xxx/ directories and all files under them are not
>    group writable and are owned by root.
> 2. /gnu/store has the sticky bit set.
>
> This means that any files in /gnu/store that are owned by root must have
> been "blessed" by root (either linked-in or chowned by root). Therefore,
> the "no group/other writable parent directory" constraint is unnecessary.

Indeed. The mental model is that /gnu/store is populated by root, on
behalf of other users. The build users act as a poor way to enforce the
principle of least authority.

>>> Guix on Arch keeps on trying to build gcc on my poor laptop even
>>> though I've enabled substitutes but that's another issue...)
>>
>> That shouldn’t happen, unless you’re using an old version of Guix for
>> which substitutes are no longer available at hydra.gnu.org.
>
> I'm using guix from git and I'll look into it. In my build logs, it
> appears that tar is complaining about an invalid flag ("--sort=name") so
> I think guix is having trouble extracting the substitutes.

I don’t think this is related.

>> That’s because initially build processes write to their chroot, but when
>> the build completes, the build process moves the outputs (the results)
>> back to the store.
> ...
>> If you look at ‘strace -f -p $(pidof guix-daemon)’ while running ‘guix
>> build grue-hunter’, the above lines of code translate to:
>>
>> --8<---------------cut here---------------start------------->8---
>> 7519 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7544, si_status=0, si_utime=0, si_stime=0} ---
>> 7519 lstat("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
>> 7519 rename("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0", "/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0") = 0
>> --8<---------------cut here---------------end--------------->8---
>
> I just did a local experiment (running pstree alongside strace) and,
> unless I'm mistaken, 7519 is running as root.

Hmm, I think you’re right. In that case the thing does not need to be
world-writable, we should try and check!

Thanks,
Ludo’.
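As an added illustration (not code from this thread, from Guix or from grsecurity), the two readings of the TPE rule discussed above, applied to a constructed model of the store's inodes: `tpe_strict` is the rule as Steven describes it (file and immediate parent directory must not be writable by anyone but the caller or root), and `tpe_sticky_aware` is his sticky-bit refinement. The all-zero and all-one hashes, the `-example-builder` and `-rogue` entries, the uid 30001 build user and the `/tmp` entries are assumptions for the example; only the grue-hunter store path comes from the thread.

```python
import os
import stat

ROOT_UID = 0

# Constructed model of the relevant inodes, path -> (st_mode, st_uid), following
# the thread: /gnu/store is root:guixbuild, group-writable and sticky; entries
# under it are root-owned and not group/other-writable. 0/1 hashes are placeholders.
STORE = "/gnu/store"
GRUE = STORE + "/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0"
BUILDER = STORE + "/0000000000000000000000000000000-example-builder"
ROGUE = STORE + "/1111111111111111111111111111111-rogue"
BUILD_USER = 30001  # an unprivileged guixbuild member (constructed uid)
SAMPLE_FS = {
    STORE: (stat.S_IFDIR | stat.S_ISVTX | 0o775, ROOT_UID),
    GRUE: (stat.S_IFDIR | 0o755, ROOT_UID),
    GRUE + "/bin": (stat.S_IFDIR | 0o755, ROOT_UID),
    GRUE + "/bin/grue-hunter": (stat.S_IFREG | 0o555, ROOT_UID),
    BUILDER: (stat.S_IFREG | 0o555, ROOT_UID),  # executed straight from /gnu/store
    ROGUE: (stat.S_IFREG | 0o755, BUILD_USER),  # dropped in by a build user
    "/tmp": (stat.S_IFDIR | stat.S_ISVTX | 0o777, ROOT_UID),
    "/tmp/evil": (stat.S_IFREG | 0o755, BUILD_USER),
}

def writable_by_others(mode, owner_uid, uid):
    """True if someone other than `uid` or root could write this inode."""
    if owner_uid not in (ROOT_UID, uid):
        return True  # the owner itself is an untrusted third party
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def tpe_strict(path, uid, fs):
    """TPE as Steven describes it: neither the file nor its parent directory
    may be writable by anyone except `uid` or root."""
    mode, owner = fs[path]
    parent_mode, parent_owner = fs[os.path.dirname(path)]
    return not (writable_by_others(mode, owner, uid)
                or writable_by_others(parent_mode, parent_owner, uid))

def tpe_sticky_aware(path, uid, fs):
    """Steven's refinement: a parent that others can write is still acceptable
    when it is sticky and the entry is root-owned, since in a sticky directory
    a root-owned entry can only have been placed or replaced by root."""
    mode, owner = fs[path]
    if writable_by_others(mode, owner, uid):
        return False
    parent_mode, parent_owner = fs[os.path.dirname(path)]
    if not writable_by_others(parent_mode, parent_owner, uid):
        return True
    return bool(parent_mode & stat.S_ISVTX) and owner == ROOT_UID
```

Under the strict reading the root-owned builder placed directly in the group-writable store is rejected, which is the false positive the thread describes; under the sticky-aware reading it is accepted while anything a build user drops into the store, or into /tmp, is still refused.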