From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp0 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id 0MNiIiQgGGCxDAAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 01 Feb 2021 15:37:08 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp0 with LMTPS
	id 6PvzHSQgGGCwUAAA1q6Kng
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 01 Feb 2021 15:37:08 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 24D9E9402C2
	for <larch@yhetil.org>; Mon,  1 Feb 2021 15:37:08 +0000 (UTC)
Received: from localhost ([::1]:46618 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1l6bGF-00063H-3s
	for larch@yhetil.org; Mon, 01 Feb 2021 10:37:07 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:39718)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1l6bFB-0005Q4-Ce
 for guix-devel@gnu.org; Mon, 01 Feb 2021 10:36:04 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:54207)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1l6bF9-0001bp-Rt; Mon, 01 Feb 2021 10:35:59 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=56252 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1l6bF8-0007bv-1J; Mon, 01 Feb 2021 10:35:59 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>, Maxime Devos <maximedevos@telenet.be>
Subject: Re: Potential security weakness in Guix services
References: <YBMybeFOP0VfW6G7@jasmine.lan>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 13 =?utf-8?Q?Pluvi=C3=B4se?= an 229 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Mon, 01 Feb 2021 16:35:56 +0100
In-Reply-To: <YBMybeFOP0VfW6G7@jasmine.lan> (Leo Famulari's message of "Thu,
 28 Jan 2021 16:53:49 -0500")
Message-ID: <87k0rrls0z.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Cc: guix-devel@gnu.org
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Spam-Score: -2.86
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 24D9E9402C2
X-Spam-Score: -2.86
X-Migadu-Scanner: scn0.migadu.com
X-TUID: fewYntnnlInJ

Hi,

Leo Famulari <leo@famulari.name> skribis:

> For clarification: the scenario I currently have in mind, is that noone
> has intentionally introduced a security hole in a service, but rather
> there's an accidental security bug somewhere in service package, that
> allows an attacker (I'm assuming the service is accessible from the
> network) arbitrary code execution *within* the service's process.
>
> As it is now, the attacker could overtake the service process, then chown
> and chmod arbitrary directories from there. As a particular example, I'm
> considering e.g. a hypothetical ipfs-service-type. A compromised IPFS pro=
cess
> shouldn't be able to change /etc/passwd entries. The security of the IPFS
> service itself shouldn't be critical to the security of the system as a
> whole.
> -----
>
> A more specific exapmle:
>
> ----- Forwarded message from Maxime Devos <maximedevos@telenet.be> -----
> I seem to have stumbled upon a potential security issue, it has to
> do with how some services use mkdir-p/perms. For example, in knot-activat=
ion:
>
>    (define (knot-activation config)
>      #~(begin
>          (use-modules (guix build utils))
>          (mkdir-p/perms #$(knot-configuration-run-directory config)
>                         (getpwnam "knot") #o755)
>          (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755)
>          (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755)
>          (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755=
)))
>
> /var/lib/knot/keys/keys is chmodded and chowned, which seems innocent eno=
ugh.
> However, what if knot whas compromised at some point, and the compromised=
 knot
> process has replaced /var/lib/knot/keys with, say, a symlink to /gnu/stor=
e?

I=E2=80=99m not sure I understand the threat model.  If Knot has a RCE
vulnerability, it can be exploited to run anything on behalf of the
=E2=80=98knot=E2=80=99 user.

At that point, all the state associated with Knot in /var/lib should be
considered tainted; new keys should be generated, and so on.

Why focus on the permissions on /var/lib/knot?

Also, every time it=E2=80=99s possible and not redundant with measures alre=
ady
implemented by the daemon itself, we should consider using
=E2=80=98make-forkexec-constructor/container=E2=80=99 as a further mitigati=
on.

WDYT?

Ludo=E2=80=99.