From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: guix-devel@gnu.org
Subject: Re: Potential security weakness in Guix services
Date: Tue, 02 Feb 2021 14:07:44 +0100 [thread overview]
Message-ID: <87o8h2ehy7.fsf@gnu.org> (raw)
In-Reply-To: <c7e82df3921fb0eaefb9db798d634f63f6eb0142.camel@telenet.be> (Maxime Devos's message of "Mon, 01 Feb 2021 17:19:45 +0100")
Hi,
Maxime Devos <maximedevos@telenet.be> skribis:
>> > I’m not sure I understand the threat model. If Knot has a RCE
>> > vulnerability, it can be exploited to run anything on behalf of the
>> > ‘knot’ user.
>> >
>> > At that point, all the state associated with Knot in /var/lib should be
>> > considered tainted; new keys should be generated, and so on.
>> >
>> > Why focus on the permissions on /var/lib/knot?
>>
>> My understanding is that, in case of an RCE in knot, the attacker can
>> replace /var/lib/knot/* with symlinks to arbitrary files in the FS. When
>> the activation procedure is run afterwards, the files being linked to
>> are chowned to the knot user, and the attacker can access them.
>
> That's exactly what I had in mind! Though I would like to stress that
> ‘access’ here is both reading and writing.
OK, I see. Roughly, this symlink chown story would be a local exploit
that the attacker can take advantage of after exploiting the RCE to
potentially get root access.
‘mkdir-p/perms’ could check that the directory is not a symlink, to
begin with. Is this what you had in mind, Maxime?
Thanks,
Ludo’.
next prev parent reply other threads:[~2021-02-02 13:21 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-28 21:53 Potential security weakness in Guix services Leo Famulari
2021-01-29 13:33 ` Maxime Devos
2021-01-29 15:25 ` Maxime Devos
2021-02-01 15:35 ` Ludovic Courtès
2021-02-01 15:47 ` Julien Lepiller
2021-02-01 16:19 ` Maxime Devos
2021-02-02 13:07 ` Ludovic Courtès [this message]
2021-02-02 13:38 ` Maxime Devos
2021-02-02 15:30 ` Maxime Devos
2021-02-05 9:57 ` Ludovic Courtès
2021-02-05 12:20 ` Maxime Devos
2021-02-05 14:16 ` Maxime Devos
2021-02-06 21:28 ` Ludovic Courtès
2021-02-06 22:01 ` Maxime Devos
2021-02-10 20:45 ` Ludovic Courtès
2021-02-06 21:26 ` Ludovic Courtès
2021-02-14 12:29 ` TOCTTOU race (was: Potential security weakness in Guix services) Maxime Devos
2021-02-14 17:19 ` Bengt Richter
2021-02-18 17:54 ` TOCTTOU race Ludovic Courtès
2021-02-19 18:01 ` Maxime Devos
2021-02-22 8:54 ` Ludovic Courtès
2021-02-22 19:13 ` Maxime Devos
2021-02-23 15:30 ` Ludovic Courtès
2021-02-27 7:41 ` Maxime Devos
2021-03-10 10:07 ` Ludovic Courtès
2021-02-10 20:54 ` Potential security weakness in Guix services Christopher Lemmer Webber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o8h2ehy7.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.