GuixSD Security Advisory
========================

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would create setuid-root binaries under /gnu/store for all the programs listed under ‘setuid-programs’ in the ‘operating-system’ declaration.

Consequently, any program that appeared in ‘setuid-programs’ in a previous OS generation would remain setuid-root in /gnu/store. A local user could thus run previous setuid programs, possibly taking advantage of old local exploits for those programs.

The bug can also hamper build reproducibility in some cases, as reported in .

Limitations
-----------

  1. This issue only affects GuixSD, not Guix on another distro.

  2. Systems where /gnu/store and / are separate partitions are unaffected.

  3. The setuid bit in files under /gnu/store cannot propagate to other machines via substitutes (‘guix publish’), offloading, or remote copy (‘guix copy’).

  4. The issue matters most on multi-user GuixSD machines.

Details
-------

‘activate-setuid-programs’ in (gnu build activation) did this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

Fix
---

The issue is fixed by this commit:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d

The corresponding bug report is:

  https://bugs.gnu.org/28751

We recommend that you upgrade and then remove setuid files from the store, in this order:

  1. guix pull

  2. guix system reconfigure config.scm

  3. reboot

  4. As root, run:

       mount -o remount,rw /gnu/store && \
         find /gnu/store -perm -6000 -exec chmod -v a-s {} \; ; \
         mount -o remount,ro /gnu/store

Don’t hesitate to ask if you have any questions.

Ludo' & the fine guix-security@gnu.org folks.
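
The link-then-chmod sequence from the Details section, replayed in a scratch directory as an added example that is not part of the original advisory or of Guix. It contrasts the hard-link case with a copy, the fallback implied by the name ‘link-or-copy’ when /gnu/store and / are separate partitions; the directory layout and the function names has_setuid and activate are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: runs unprivileged in a scratch directory; nothing under
# /gnu/store is touched. File names below are constructed stand-ins.

# True when the file carries the setuid bit.
has_setuid() { [ -u "$1" ]; }

# Replay the activation steps with "link" or "copy" as $1, then report
# which of the two files ended up setuid.
activate() {
    how=$1
    d=$(mktemp -d) || return 1
    mkdir "$d/store" "$d/setuid-programs"
    printf '#!/bin/sh\n' > "$d/store/su"      # stand-in for the store binary
    chmod 555 "$d/store/su"
    case $how in
        # A hard link is a second name for the same inode, and the mode
        # bits live in the inode, not in the directory entry.
        link) ln "$d/store/su" "$d/setuid-programs/su" ;;
        # A copy is a new inode with its own mode bits.
        copy) cp "$d/store/su" "$d/setuid-programs/su" ;;
        *) rm -rf "$d"; return 2 ;;
    esac
    # Same mode as (chmod target #o6555); only the target name is given.
    chmod 6555 "$d/setuid-programs/su"
    store=clean; target=clean
    has_setuid "$d/store/su" && store=setuid
    has_setuid "$d/setuid-programs/su" && target=setuid
    rm -rf "$d"
    echo "store=$store target=$target"
}

activate link   # store=setuid target=setuid
activate copy   # store=clean target=setuid
```
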