A security vulnerability that can lead to local privilege escalation has been found in ‘guix-daemon’. It affects multi-user setups in which ‘guix-daemon’ runs locally.

It does not affect multi-user setups where ‘guix-daemon’ runs on a separate machine and is accessed over the network, via ‘GUIX_DAEMON_SOCKET’, as is customary on cluster setups. Machines where the Linux “protected hardlink” [*] feature is enabled, which is common, are also unaffected—this is the case when the contents of /proc/sys/fs/protected_hardlinks are 1.

[*] https://www.kernel.org/doc/Documentation/sysctl/fs.txt

Vulnerability
~~~~~~~~~~~~~

The attack consists in having an unprivileged user spawn a build process, for instance with ‘guix build’, that makes its build directory world-writable. The user then creates a hardlink within the build directory to a root-owned file from outside of the build directory, such as ‘/etc/shadow’. If the user passed the ‘--keep-failed’ option and the build eventually fails, the daemon changes ownership of the whole build tree, including the hardlink, to the user. At that point, the user has write access to the target file.

Fix
~~~

The fix (patch attached) consists in adding a root-owned “wrapper” directory in which the build directory itself is located. If the user passed the ‘--keep-failed’ option and the build fails, ‘guix-daemon’ first changes ownership of the build directory, and then, in two stages, moves the build directory into the location where users expect to find failed builds, roughly like this:

  1. chown -R USER /tmp/guix-build-foo.drv-0/top
  2. mv /tmp/guix-build-foo.drv-0{,.pivot}
  3. mv /tmp/guix-build-foo.drv-0.pivot/top /tmp/guix-build-foo.drv-0

In step #1, /tmp/guix-build-foo.drv-0 remains root-owned, with permissions of #o700. Thus, only root can change directory into it or into ‘top’. Likewise in step #2. The build tree becomes accessible to the user once step #3 has succeeded, not before.
These steps are performed after the package build scripts have stopped running.

Additionally, the patch at enables protected hardlinks and symlinks by default on Guix System, which will protect against this class of vulnerability from now on.

Credit
~~~~~~

We are grateful to Nathan Nye of WhiteBeam Security for reporting this bug and discussing fixes with us!

Timeline
~~~~~~~~

We learned about this bug on the private guix-security@gnu.org list on February 7th, and discussed and prepared fixes in the interim.

Ludo’ & Leo Famulari.
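The three-step release of a failed build tree described in the Fix section, reimplemented as an added shell example. This is not the guix-daemon patch itself: the wrapper path, the ‘top’ subdirectory and the ‘.pivot’ suffix follow the advisory, while the ‘release_failed_build’ and ‘make_build_dirs’ function names, the guard that skips ‘chown’ when not running as root (so the sequence can be exercised unprivileged) and the final removal of the empty pivot directory are assumptions made here. ‘hardlinks_protected’ reports whether the kernel mitigation mentioned at the top of the advisory is active on the running machine.

```shell
#!/bin/sh
# Added example, not code from the guix-daemon patch: the two-stage "pivot"
# that hands a failed build tree to the user only after the root-owned
# wrapper directory has been moved out of the way.
set -eu

# Return 0 when the kernel's protected-hardlink feature is enabled, i.e.
# /proc/sys/fs/protected_hardlinks reads "1".
hardlinks_protected() {
    f=/proc/sys/fs/protected_hardlinks
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Create the wrapper directory (mode 0700, root-owned when run by the daemon)
# with the real build directory "top" inside it.
#   $1 = wrapper path, e.g. /tmp/guix-build-foo.drv-0
make_build_dirs() {
    mkdir -m 0700 "$1"
    mkdir "$1/top"
}

# Release a failed build tree to the user.
#   $1 = wrapper path, $2 = user name
release_failed_build() {
    wrapper=$1
    user=$2

    # 1. chown -R USER WRAPPER/top
    #    WRAPPER itself stays root-owned and 0700, so nobody but root can
    #    enter it yet.  (Assumption: skip the chown when not root so the
    #    function can be run unprivileged for demonstration.)
    if [ "$(id -u)" = 0 ]; then
        chown -R "$user" "$wrapper/top"
    fi

    # 2. mv WRAPPER WRAPPER.pivot
    #    Still root-owned and 0700; the user cannot reach "top" yet.
    mv "$wrapper" "$wrapper.pivot"

    # 3. mv WRAPPER.pivot/top WRAPPER
    #    Only now does the build tree appear at the path users expect.
    mv "$wrapper.pivot/top" "$wrapper"

    # Assumption: drop the now-empty pivot directory.
    rmdir "$wrapper.pivot"
}
```

Running ‘hardlinks_protected && echo protected’ on a machine is a quick way to confirm whether it falls into the “unaffected” category described above; the other two functions can be exercised against a temporary directory without root, in which case only the move steps are visible.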