From: ludo@gnu.org (Ludovic Courtès)
To: Guix-devel <guix-devel@gnu.org>, help-guix <help-guix@gnu.org>
Cc: guix-security@gnu.org
Subject: [SECURITY] Setuid binaries created in /gnu/store on GuixSD
Date: Sun, 08 Oct 2017 21:37:30 +0200
Message-ID: <87vajpbfd1.fsf@gnu.org>


GuixSD Security Advisory
========================

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

Consequently, any program that appeared in ‘setuid-programs’ in a
previous OS generation would remain setuid-root in /gnu/store.  A local
user could thus run previous setuid programs, possibly taking advantage
of old local exploits for those programs.

The bug can also hamper build reproducibility in some cases, as reported
in <https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00060.html>.

Limitations
-----------

  1. This issue only affects GuixSD, not Guix on another distro.

  2. Systems where /gnu/store and / are separate partitions are
     unaffected.

  3. The setuid bit in files under /gnu/store cannot propagate to other
     machines via substitutes (‘guix publish’), offloading, or remote
     copy (‘guix copy’).

  4. The issue matters most on multi-user GuixSD machines.

Details
-------

‘activate-setuid-programs’ in (gnu build activation) did this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

Fix
---

The issue is fixed by this commit:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d

The corresponding bug report is:

  https://bugs.gnu.org/28751

We recommend that you upgrade and then remove setuid files from the
store, in this order:

  1. guix pull

  2. guix system reconfigure config.scm

  3. reboot

  4. As root, run:
       mount -o remount,rw /gnu/store && \
       find /gnu/store -perm -6000 -exec chmod -v a-s {} \; ; \
       mount -o remount,ro /gnu/store

Don’t hesitate to ask if you have any questions.

Ludo' & the fine guix-security@gnu.org folks.
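Added example, not part of the original advisory or of Guix's own code: a
POSIX shell script that reproduces, as an unprivileged user in a
temporary directory, the mechanism described under "Details" (a hard link
is a second name for the same inode, so chmod on the link also changes
the store file) next to the copy-then-chmod variant that leaves the
store file alone, and then runs the audit and cleanup from step 4 of
"Fix" against that directory. The store and /run/setuid-programs paths
are constructed stand-ins; it assumes GNU coreutils `stat -c %a` and GNU
findutils `find -perm /6000` (which matches either bit, whereas the
advisory's `-perm -6000` requires both, matching files created with
#o6555).

```shell
#!/bin/sh
# Illustration of the GuixSD setuid-in-store bug, run without root in a
# scratch directory.  Nothing here touches /gnu/store.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /gnu/store/…/bin/su and /run/setuid-programs.
STORE="$WORK/store/0000000000000000000000000000000-su-1.0/bin"
SETUID_DIR="$WORK/run/setuid-programs"
mkdir -p "$STORE" "$SETUID_DIR"
printf '#!/bin/sh\necho su\n' > "$STORE/su"
chmod 555 "$STORE/su"

# Permission bits of a file as an octal string, e.g. "4555" (GNU stat).
mode_of() { stat -c %a "$1"; }

# What the old activate-setuid-programs did: hard link, then chmod.
# `ln` without -s creates a second directory entry for the SAME inode,
# so the mode bits are shared and the store file becomes setuid too.
# Prints the resulting mode of the STORE file.
link_then_chmod() {
  rm -f "$SETUID_DIR/su"
  ln "$STORE/su" "$SETUID_DIR/su"
  chmod 4555 "$SETUID_DIR/su"
  mode_of "$STORE/su"
}

# The safe shape: copy, then chmod.  The copy has its own inode, so the
# store file keeps its mode.  Prints the resulting mode of the STORE file.
copy_then_chmod() {
  chmod 555 "$STORE/su"            # undo any earlier damage
  rm -f "$SETUID_DIR/su"
  cp "$STORE/su" "$SETUID_DIR/su"
  chmod 4555 "$SETUID_DIR/su"
  mode_of "$STORE/su"
}

# Audit: count regular files under a tree with setuid or setgid set
# (GNU find: -perm /6000 means "any of these bits").
count_setuid() {
  find "$1" -type f -perm /6000 | wc -l
}

# Cleanup, as in step 4 of the advisory but against an arbitrary tree
# (no remount here; the scratch directory is writable).  Prints the
# number of setuid/setgid files left afterwards.
strip_setuid() {
  find "$1" -type f -perm /6000 -exec chmod a-s {} \;
  count_setuid "$1"
}

printf 'store file mode after link+chmod: %s\n' "$(link_then_chmod)"
printf 'store file mode after copy+chmod: %s\n' "$(copy_then_chmod)"
printf 'setuid files before cleanup:      %s\n' "$(count_setuid "$WORK")"
printf 'setuid files after cleanup:       %s\n' "$(strip_setuid "$WORK")"
```

Run it as any user; the first line prints 4555, showing that the store
stand-in was made setuid through the link, and the second prints 555.
On a real GuixSD system the cleanup only needs the `find` from step 4
wrapped in the remount commands the advisory gives, because /gnu/store
is mounted read-only.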

