From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <bug-guix-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:bcc0::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id aHo8LEPRaGAo0AAAgWs5BA
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 03 Apr 2021 22:34:11 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id ADshJkPRaGASKQAAbx9fmQ
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 03 Apr 2021 20:34:11 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id D47948569
	for <larch@yhetil.org>; Sat,  3 Apr 2021 22:34:10 +0200 (CEST)
Received: from localhost ([::1]:50354 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-guix-bounces+larch=yhetil.org@gnu.org>)
	id 1lSmy9-0005IG-KB
	for larch@yhetil.org; Sat, 03 Apr 2021 16:34:09 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:49846)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lSmy2-0005Hx-7Q
 for bug-guix@gnu.org; Sat, 03 Apr 2021 16:34:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:51181)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lSmy1-00087b-Vj
 for bug-guix@gnu.org; Sat, 03 Apr 2021 16:34:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lSmy1-0006Xp-Ps
 for bug-guix@gnu.org; Sat, 03 Apr 2021 16:34:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: bug#47584: Race condition in
 =?UTF-8?Q?=E2=80=98copy-account-skeletons=E2=80=99:?= possible privilege
 escalation.
Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-guix@gnu.org
Resent-Date: Sat, 03 Apr 2021 20:34:01 +0000
Resent-Message-ID: <handler.47584.B47584.161748200725113@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 47584
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security patch
To: Maxime Devos <maximedevos@telenet.be>
Received: via spool by 47584-submit@debbugs.gnu.org id=B47584.161748200725113
 (code B ref 47584); Sat, 03 Apr 2021 20:34:01 +0000
Received: (at 47584) by debbugs.gnu.org; 3 Apr 2021 20:33:27 +0000
Received: from localhost ([127.0.0.1]:34494 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lSmxS-0006Wy-S7
 for submit@debbugs.gnu.org; Sat, 03 Apr 2021 16:33:27 -0400
Received: from eggs.gnu.org ([209.51.188.92]:56836)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@gnu.org>) id 1lSmxR-0006Wk-9y
 for 47584@debbugs.gnu.org; Sat, 03 Apr 2021 16:33:26 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:59347)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1lSmxM-0007qA-2f; Sat, 03 Apr 2021 16:33:20 -0400
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=40606 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1lSmxL-0006CL-GT; Sat, 03 Apr 2021 16:33:19 -0400
From: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be>
Date: Sat, 03 Apr 2021 22:33:18 +0200
In-Reply-To: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be>
 (Maxime Devos's message of "Sat, 03 Apr 2021 18:09:16 +0200")
Message-ID: <87mtufw1kh.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-guix@gnu.org
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Cc: 47584@debbugs.gnu.org
Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1617482051;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=8amI0UqMMdXiY37C4x/AYUYSBc99DiWPAvz62lXR0gA=;
	b=pbRKySqVYDQpwvwU09smxY83PmxN8L0SQGSbDkWIMVOcPqdq1T8NWSFmzt1M247Hd3ZTdT
	CP3B/KGoXmO5cXSZteht4fkSH33+r1F7Qmkhd+JhNhg+oCI5BULk3ZG9mJeyJhX2TB1XVI
	TRRVWnZlC6TdqZAIvsQhaiiEY3xaRbFPAx9I6JiwRTGj+ej33m3SL2nVqN/hCRZahDKt/H
	IiB+XWz0Dxaa1aY0L143xLnAJqkLK56u/zBjCandRXVx7MMImc5VPWS54O+Jj2dngysGTJ
	tmJMyRSokTeoUJmYXLiRXa+YYWqnLYyWXXMs/fC/J/MBKdHAGNnKslAifrXHxA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617482051; a=rsa-sha256; cv=none;
	b=M27748yyzqo2+o7+4LxSa2bfo1i6orUvOklwZBHj0uVR2JQVZDPzQdy3UVATji2upb62rO
	2EN/N+Etf7Yl3JVzsNdG+Ge8GAL/XthrSNS3sJqD7Hx0xTaHlpKiZRsjLSI7TlMfFpaI+3
	YNS7Oj6IwSsjjgrHQ/rmrZlKmxC0hE9ev2ow4x2s64ezSqrjaNRfB56U1nKt9nHT/f1nI9
	JifNP+QKl6/cGWTgAEvA0GqxH5m3j71yWR8wRlX+WMPCdG30lhTLyrWpK0e35AfhhbmqJh
	dHVNXrq93j08qWpb5yEhh+TOI9FEnHarfEMhqhEiZtYmVoJ9oD1k6LBtPOlX5w==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Spam-Score: -2.93
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org
X-Migadu-Queue-Id: D47948569
X-Spam-Score: -2.93
X-Migadu-Scanner: scn0.migadu.com
X-TUID: pJiKuZxaa8EE

Maxime Devos <maximedevos@telenet.be> skribis:

> The attack consists of the user being logged in after the account
> skeletons have been copied to the home directory, but before the
> owner of the account skeletons have been set.  The user then deletes
> a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
> it with a symbolic link to a file not owned by the user, such as
> @file{/etc/shadow}.
>
> The activation code then changes the ownership
> of the file the symbolic link points to instead of the symbolic
> link itself.  At that point, the user has read-write access
> to the target file.

In the draft blog post, you mention that the attack cannot be carried
out when protected symlinks are enabled.  This is now the case by
default on Guix System=C2=B9, so in that case, a system upgraded from a
commit after March 16th is unaffected.

Ludo=E2=80=99.

=C2=B9 https://issues.guix.gnu.org/47013#13