From: Mark H Weaver
Subject: Re: Can unprivileged users corrupt the store with bad tarballs?
Date: Fri, 04 Apr 2014 08:21:12 -0400
Message-ID: <87eh1dgu9z.fsf@yeeloong.lan>
References: <87zjk2gsoc.fsf@yeeloong.lan> <87eh1ep5id.fsf@gnu.org>
In-Reply-To: <87eh1ep5id.fsf@gnu.org> (Ludovic Courtès's message of "Thu, 03 Apr 2014 21:39:06 +0200")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ludo@gnu.org (Ludovic Courtès) writes:

> Mark H Weaver skribis:
>
>> I was thinking about the security implications of giving out shell
>> access to one of my systems running Guix.
>>
>> When I ask guix-daemon to build package 'foo', it will use as an input
>> the source for package 'foo', usually a tarball. If the tarball is
>> already in the store, it won't download it again, because it is
>> effectively cached in the store.
>>
>> Is it possible for another user on the same system to corrupt the cache,
>> by manually adding a bad tarball for 'foo' to the store, in such a way
>> that it would be used to build 'foo' when I ask for it?
>
> No.
>
> Tarballs are fixed-output derivations, so the hash of the tarball is
> known in advance.
> Thus, when building a package, you're sure to use the
> tarball whose hash is in the recipe.

What about things that aren't fixed-output derivations? Are the results of 'origin' forms with included patches or snippets "fixed-output"? Could an unprivileged user add one of these to the store that wasn't authentic?

     Mark
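The argument Ludovic gives for the fixed-output case (the recipe pins the hash, the daemon checks it before anything enters the store, and the store path itself is a function of the declared hash) can be modelled in a few lines. The following is an added illustration written for this archive page; it is not guix-daemon code, and the store-path formula, the `Daemon` class and the sample tarball bytes are all made up for the example. It shows why a second user cannot get a bad tarball used for 'foo': a mismatching tarball is rejected outright, and a tarball added under its own hash lands at a path no recipe for 'foo' will ever look up. It does not model the non-fixed-output case Mark asks about at the end.

```python
"""Model of why a fixed-output derivation cannot be poisoned through the store.

Added illustration, not Guix or guix-daemon code. It mimics two properties
the thread relies on: (1) only the daemon writes to the store, and it checks
the content hash against the hash declared in the recipe before storing a
fixed-output result; (2) the store path of a fixed-output derivation is
derived from the *declared* hash, so content with a different hash can never
occupy the path a recipe will look up. The path formula below is a
simplification invented for this example, not Guix's real scheme.
"""
import hashlib


class StoreRejected(Exception):
    """Raised when content does not match the hash the derivation declares."""


class Daemon:
    def __init__(self, root="/gnu/store"):
        self.root = root
        self.paths = {}  # store path -> bytes; models the daemon-owned store

    def fixed_output_path(self, name, expected_sha256):
        # Simplified: the path depends on the declared hash and the name only,
        # never on who requested the build or on the bytes actually received.
        tag = f"fixed:out:sha256:{expected_sha256}:{name}".encode()
        return f"{self.root}/{hashlib.sha256(tag).hexdigest()[:32]}-{name}"

    def build_fixed_output(self, name, expected_sha256, fetched):
        """Run a fixed-output derivation whose builder produced `fetched`."""
        path = self.fixed_output_path(name, expected_sha256)
        if path in self.paths:
            return path  # cached: verified when it was first added, builder not re-run
        actual = hashlib.sha256(fetched).hexdigest()
        if actual != expected_sha256:
            raise StoreRejected(
                f"{name}: got sha256 {actual}, recipe declares {expected_sha256}"
            )
        self.paths[path] = fetched
        return path


# Constructed sample inputs: the genuine upstream tarball and an attacker's.
GENUINE_TARBALL = b"genuine foo-1.0 source"
BAD_TARBALL = b"trojaned foo-1.0 source"
RECIPE_HASH = hashlib.sha256(GENUINE_TARBALL).hexdigest()  # hash pinned in foo's recipe


def simulate():
    daemon = Daemon()
    result = {}

    # An unprivileged user asks the daemon to build foo's origin but feeds it
    # a bad tarball: the hash check fails and nothing enters the store.
    try:
        daemon.build_fixed_output("foo-1.0.tar.gz", RECIPE_HASH, BAD_TARBALL)
        result["injection_rejected"] = False
    except StoreRejected:
        result["injection_rejected"] = True

    # The same user can add the bad tarball under *its own* hash, but it lands
    # at a different store path, which no recipe for foo references.
    bad_hash = hashlib.sha256(BAD_TARBALL).hexdigest()
    result["attacker_path"] = daemon.build_fixed_output("foo-1.0.tar.gz", bad_hash, BAD_TARBALL)

    # The victim's build of foo asks for the path derived from the recipe hash;
    # the genuine download passes the check and is cached for later builds.
    result["victim_path"] = daemon.build_fixed_output("foo-1.0.tar.gz", RECIPE_HASH, GENUINE_TARBALL)
    result["victim_content"] = daemon.paths[result["victim_path"]]

    # A later request for the same derivation is served from the store; the
    # builder's output is irrelevant because the verified path already exists.
    result["cached_path"] = daemon.build_fixed_output("foo-1.0.tar.gz", RECIPE_HASH, b"not consulted")
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, "=", value)
```

The two checks that matter are the hash comparison in `build_fixed_output` and the fact that `fixed_output_path` ignores the received bytes entirely; remove either and the cache becomes poisonable.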