Re: TOCTTOU race - Ludovic Courtès

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

From: "Ludovic Courtès" <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Cc: guix-devel@gnu.org
Subject: Re: TOCTTOU race
Date: Mon, 22 Feb 2021 09:54:13 +0100	[thread overview]
Message-ID: <87r1l8eb4a.fsf@gnu.org> (raw)
In-Reply-To: <ef430e273b9199014038403d4deeaf9dbcb85e49.camel@telenet.be> (Maxime Devos's message of "Fri, 19 Feb 2021 19:01:11 +0100")

Hi Maxime,

Maxime Devos <maximedevos@telenet.be> skribis:

> On Thu, 2021-02-18 at 18:54 +0100, Ludovic Courtès wrote:

[...]

>> Note that, if that happens at boot time, the system will fail to boot (I
>> think you’d get a REPL rather than a kernel panic, but it’d be good to
>> check in a VM.)
>
> If that happens, that's too bad.  Just ignoring the error seems bad from
> a security perspective.  I verified in a VM you'd get a REPL.
> From the REPL, a sysadmin could investigate and choose to delete the offending
> symlink & reboot (and presumably fix the security bug and upgrade the service),
> or decide Guix System needs to be reinstalled.

OK, sounds reasonable.

> Please take note that I didn't correct all potentially insecure activation gexps.
> These should ideally be done by someone who knows how to use the particular service
> and have a system to test it on.  (My changes to nscld-service-type and knot-activation
> are untested.)

I agree this is how it should happen ideally… let’s see if things happen
“ideally”.  :-)

> From 2c3968f658ada27d2062a960d229f3db9cfe208c Mon Sep 17 00:00:00 2001
> From: Maxime Devos <maximedevos@telenet.be>
> Date: Sun, 14 Feb 2021 12:57:32 +0100
> Subject: [PATCH] services: prevent following symlinks during activation
                             ^
Nitpick: we usually capitalize here and in the commit log.

Perhaps add a couple of lines explaining that this fixes a potential
security issue, with a link to this thread.

> Currently, there's a TOCTTOU race.  This can be addressed
> once guile has bindings for fstatat, openat and friends.

I’d move that comment next to the ‘mkdir-p/perms’ definition.

> * guix/build/service-utils.scm: new module
>   with new procedure 'mkdir-p/perms'.

I think you can remove these lines.

> * Makefile.am (MODULES): compile new module.
> * gnu/services/authentication.scm
>   (%nslcd-activation, nslcd-service-type): use new procedure.
> * gnu/services/cups.scm (%cups-activation): likewise.
> * gnu/services/dbus.scm (dbus-activation): likewise.
> * gnu/services/dns.scm (knot-activation): likewise.

LGTM for master, thanks!

Ludo’.

next prev parent reply	other threads:[~2021-02-22  8:54 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-28 21:53 Potential security weakness in Guix services Leo Famulari
2021-01-29 13:33 ` Maxime Devos
2021-01-29 15:25   ` Maxime Devos
2021-02-01 15:35 ` Ludovic Courtès
2021-02-01 15:47   ` Julien Lepiller
2021-02-01 16:19     ` Maxime Devos
2021-02-02 13:07       ` Ludovic Courtès
2021-02-02 13:38         ` Maxime Devos
2021-02-02 15:30           ` Maxime Devos
2021-02-05  9:57           ` Ludovic Courtès
2021-02-05 12:20             ` Maxime Devos
2021-02-05 14:16               ` Maxime Devos
2021-02-06 21:28                 ` Ludovic Courtès
2021-02-06 22:01                   ` Maxime Devos
2021-02-10 20:45                     ` Ludovic Courtès
2021-02-06 21:26               ` Ludovic Courtès
2021-02-14 12:29                 ` TOCTTOU race (was: Potential security weakness in Guix services) Maxime Devos
2021-02-14 17:19                   ` Bengt Richter
2021-02-18 17:54                   ` TOCTTOU race Ludovic Courtès
2021-02-19 18:01                     ` Maxime Devos
2021-02-22  8:54                       ` Ludovic Courtès [this message]
2021-02-22 19:13                         ` Maxime Devos
2021-02-23 15:30                           ` Ludovic Courtès
2021-02-27  7:41                             ` Maxime Devos
2021-03-10 10:07                               ` Ludovic Courtès
2021-02-10 20:54             ` Potential security weakness in Guix services Christopher Lemmer Webber

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87r1l8eb4a.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=guix-devel@gnu.org \
    --cc=maximedevos@telenet.be \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.