From: Ludovic Courtès
To: Maxime Devos
Cc: guix-devel@gnu.org
Subject: Re: Potential security weakness in Guix services
Date: Fri, 05 Feb 2021 10:57:42 +0100
Message-ID: <87v9b66dm1.fsf@gnu.org>
In-Reply-To: <69968b3a01d872cabdf55a94b6c82d5057e010c9.camel@telenet.be> (Maxime Devos's message of "Tue, 02 Feb 2021 14:38:23 +0100")
References: <87k0rrls0z.fsf@gnu.org> <08F0CD76-DDCF-4CFA-AE8D-5FB165A62B25@lepiller.eu> <87o8h2ehy7.fsf@gnu.org> <69968b3a01d872cabdf55a94b6c82d5057e010c9.camel@telenet.be>

Hi Maxime,

Maxime Devos skribis:

> On Tue, 2021-02-02 at 14:07 +0100, Ludovic Courtès wrote:
>> OK, I see. Roughly, this symlink chown story would be a local exploit
>> that the attacker can take advantage of after exploiting the RCE to
>> potentially get root access.
>>
>> ‘mkdir-p/perms’ could check that the directory is not a symlink, to
>> begin with. Is this what you had in mind, Maxime?
>
> Yes! Though the parent, grandparent, etc. should be checked as well.
> If e.g. (I don't have a real example at hand) knot's activation has
> a (mkdir-p/perms "/var/lib/knot/e/t/c/e/t/e/r/a" uid/gid-stuff) line, then
> mkdir-p/perms has to take care that the "e", "t", "c", "e", "t", "e", "r"
> and "a" directories aren't symlinks.

OK.

> I don't know how I should implement this properly in Guile, though.
> In C, I would use a loop using openat with O_NOFOLLOW, in combination
> with stat, but Guile doesn't have openat or O_NOFOLLOW.

In this case we need a solution without openat for now. Perhaps simply
changing ‘mkdir-p/perms’ to ‘lstat’ components as it goes?

> I've proposed adding O_NOFOLLOW to guile [1]. I don't have a
> proposal for openat in guile yet. If I do propose an interface
> to openat(2), I should probably make a proposal for fchownat
> and other *at variants at the same time. I don't have a concrete
> proposal for what a nice Scheme interface would look like.
>
> In the meantime, I suppose it should be possible to use openat
> via the FFI and define O_NOFOLLOW manually in Guix.
>
> I'll look into writing a concrete proposal for *at in guile.
> I'll post a link to the guile mailing list message when it has
> been composed and sent.

I think it's a good endeavor, but it's a longer-term one since it'll
take some time before this new version is in use by all the Guix code.
The difficulty in designing such an interface is that the Scheme API is
more about ports than it's about file names and file descriptors.

Thanks!
Ludo'.