From mboxrd@z Thu Jan 1 00:00:00 1970 From: Tobias Geerinckx-Rice via Bug reports for GNU Guix Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Date: Tue, 15 Oct 2019 16:31:40 +0200 Message-ID: <87mue2nkrj.fsf@nckx> References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> Reply-To: Tobias Geerinckx-Rice Mime-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:37676) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iKNrt-0002KB-7o for bug-guix@gnu.org; Tue, 15 Oct 2019 10:32:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iKNro-00020k-AM for bug-guix@gnu.org; Tue, 15 Oct 2019 10:32:09 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:35847) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1iKNro-00020g-82 for bug-guix@gnu.org; Tue, 15 Oct 2019 10:32:04 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1iKNrl-0005Yn-Sv for bug-guix@gnu.org; Tue, 15 Oct 2019 10:32:04 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-reply-to: <87d0eyuqzd.fsf@gnu.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: 37744@debbugs.gnu.org, guix-security@gnu.org --=-=-= Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable Ludo', Thanks for your answer. Ludovic Court=C3=A8s =E5=86=99=E9=81=93=EF=BC=9A >> I need more cluebat please: say I'm an attacker and connect to=20 >> your >> daemon (over TCP, why not), asking it to create an empty >> =E2=80=98per-user/ludo=E2=80=99. > > You wouldn=E2=80=99t be able to do that because over TCP because the=20 > daemon > can=E2=80=99t tell what user you are. No, I ask it nicely: =E2=80=98hullo daemon, I'm, er, "ludo"=E2=80=99. Of course the remote daemon doesn't trust me beyond pre-creating=20 an empty per-user directory owned by the local "ludo" user only if=20 such a user exists. It doesn't even report succes or failure to=20 avoid leaking valid user names. You already trust the network not to DoS you with webkitgtks, how=20 does this new step decrease security? Sure, it bumps the protocol version; I'm aware of that. > It=E2=80=99s meant for cluster setups where you have one > head node that clients connect to from remote nodes. And likely some kind of centralised user management so it's not=20 unreasonable to handle this differently/manually. Kind regards, T G-R --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEfo+u0AlEeO9y5k0W2Imw8BjFSTwFAl2l2EwACgkQ2Imw8BjF STzSrg//STsCmgYG7y1rrXkImrbsS3ueh522GvPjHvSEfn4WFJrxRk2VeIi9T0Ln RY7BnOwEDoD7tLsJNH/t6RZYVTyNHpNBQr13UPQW59VMz2W32lIgpmxaiAKySZVR quuX9nQPeKSTHT1h0bDwtiXvFbxE2pcBm+fAMNwTT1nsLiEWyw5DodaCKKo/lPCI +o0XbJs6/klXrPyHFSOjB5xd17olKT1O/mHRx78cpW2ZxwaIN6kdO/eXONuajrUb gb+cMcLIp8Y0MMkJuB9uPyC1gJq84SpxbcrMY2M2VuRnA4usoPs8RB2CQ9ek35wz bWPwPpBz2unE0juh/yE9hleGBlRLBpsLQQhP/Z4Fb+mNo/SMlViWWHEbLzDRrsIX mtlfz81nWqbMaSGMttDW3FRZnQS479Snh+SgxUI6kxnpYC12u7iJ5CCLidAxBoCr 0zx5Qjt0zOUFet4Qb70QZil2jEU3pK6WrAgD3avSEnUsjcULCgfuIXEG6YYS6nnn fqnp9B4M6j3h46BAF6MGDZoYnQaDJn2EPt9XmIiZow1MMZtOZSX7hCInvvamVYD4 aAN96ri+yladlm3dregzrYY3S1NxyvzKWY6q28Oj1PhNV7pNHwTDJmzYLIGU5gaj RaymzSVVbWusNygkQ14EdwdZ3ncms1Wwt+JBwrvVKbWuf1Ao9l8= =TyMl -----END PGP SIGNATURE----- --=-=-=--