From: Ludovic Courtès <ludo@gnu.org>
Subject: [SECURITY] Setuid binaries created in /gnu/store on GuixSD
Date: Sun, 08 Oct 2017 21:37:30 +0200
Message-ID: <87vajpbfd1.fsf@gnu.org>
To: Guix-devel, help-guix
Cc: guix-security@gnu.org

GuixSD Security Advisory
========================

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

Consequently, any program that appeared in ‘setuid-programs’ in a
previous OS generation would remain setuid-root in /gnu/store.  A local
user could thus run previous setuid programs, possibly taking advantage
of old local exploits for those programs.

The bug can also hamper build reproducibility in some cases, as reported
in .

Limitations
-----------

  1. This issue only affects GuixSD, not Guix on another distro.

  2. Systems where /gnu/store and / are separate partitions are
     unaffected: a hard link cannot cross file systems, so the
     activation code falls back to copying, and only the copy under
     /run/setuid-programs receives the setuid bit.

  3. The setuid bit in files under /gnu/store cannot propagate to other
     machines via substitutes (‘guix publish’), offloading, or remote
     copy (‘guix copy’).

  4. The issue matters most on multi-user GuixSD machines.
Details
-------

‘activate-setuid-programs’ in (gnu build activation) did this:

     (define (make-setuid-program prog)
       (let ((target (string-append %setuid-directory "/" (basename prog))))
         (link-or-copy prog target)
         (chown target 0 0)
         (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

A hard link is just another name for the same inode, so the chmod on
/run/setuid-programs/su changes the mode bits of the store file as
well, meaning that *both* ‘su’ files become setuid root.

Fix
---

The issue is fixed by this commit:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d

The corresponding bug report is:

  https://bugs.gnu.org/28751

We recommend that you upgrade and then remove setuid files from the
store, in this order:

  1. guix pull
  2. guix system reconfigure config.scm
  3. reboot
  4. As root, run:

       mount -o remount,rw /gnu/store && \
       find /gnu/store -perm -6000 -exec chmod -v a-s {} \; ; \
       mount -o remount,ro /gnu/store

Note that ‘-perm -6000’ matches only files that carry *both* the setuid
and the setgid bit, which is what the buggy ‘chmod #o6555’ produced; if
you also want to catch store files that have just one of the two bits,
use ‘-perm /6000’ instead.

Don’t hesitate to ask if you have any questions.

Ludo' & the fine guix-security@gnu.org folks.
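The following is an added example, not code from the advisory or from
Guix, that reproduces the root cause described under "Details" on a fake
store in a temporary directory and then applies the cleanup from step 4
of the fix.  It assumes GNU coreutils and findutils (‘stat -c’, ‘find
-perm /mode’) and runs as an unprivileged user; the chown to root is
left out, the file and directory names are made up, and the assumption
that each reconfigure replaced /run/setuid-programs/su with a fresh
link is a simplification of the real activation code.

```shell
#!/bin/sh
# Added example, not Guix code.  Shows why chmod on a hard link in
# /run/setuid-programs made the /gnu/store file setuid too, and the
# cleanup the advisory recommends.  Assumes GNU coreutils/findutils.
set -eu

# Octal mode of a fake store file after "installing" it via a hard link
# ($1 = link) or via a copy ($1 = copy) and chmod 6555 on the target.
# A hard link shares the inode, so the store file ends up 6555; a copy
# (what link-or-copy falls back to across file systems) leaves it 555.
store_mode_after() {
    tmp=$(mktemp -d)
    mkdir "$tmp/store" "$tmp/run"
    printf '#!/bin/sh\necho hello\n' > "$tmp/store/su"   # constructed stand-in for .../bin/su
    chmod 555 "$tmp/store/su"
    if [ "$1" = link ]; then
        ln "$tmp/store/su" "$tmp/run/su"
    else
        cp "$tmp/store/su" "$tmp/run/su"
    fi
    chmod 6555 "$tmp/run/su"        # what (chmod target #o6555) did
    stat -c %a "$tmp/store/su"
    rm -rf "$tmp"
}

# Build a fake /gnu/store with two "generations" of su, each linked and
# chmodded the buggy way, and print the base directory.  Replacing the
# /run/setuid-programs/su link on each pass is an assumption made for
# this demo; the store files themselves keep whatever bits they got.
make_fake_store() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/run/setuid-programs"
    for gen in aaa bbb; do                # hypothetical store hashes
        mkdir -p "$tmp/gnu/store/$gen-shadow/bin"
        printf '#!/bin/sh\necho su from %s\n' "$gen" \
            > "$tmp/gnu/store/$gen-shadow/bin/su"
        chmod 555 "$tmp/gnu/store/$gen-shadow/bin/su"
        rm -f "$tmp/run/setuid-programs/su"
        ln "$tmp/gnu/store/$gen-shadow/bin/su" "$tmp/run/setuid-programs/su"
        chmod 6555 "$tmp/run/setuid-programs/su"
    done
    echo "$tmp"
}

# Number of files under $1 with the setuid or setgid bit set.  The
# advisory's "-perm -6000" needs both bits (what #o6555 gives);
# "-perm /6000" also catches a file carrying only one of them.
count_sbits() {
    find "$1" -type f -perm /6000 | wc -l | tr -d ' '
}

# Step 4 of the advisory, minus the remount, applied to a directory.
strip_sbits() {
    find "$1" -type f -perm /6000 -exec chmod a-s {} \;
}

main() {
    echo "store file mode after hard link: $(store_mode_after link)"   # 6555
    echo "store file mode after copy:      $(store_mode_after copy)"   # 555
    d=$(make_fake_store)
    echo "setuid/setgid files in fake store: $(count_sbits "$d/gnu/store")"   # 2
    strip_sbits "$d/gnu/store"
    echo "after cleanup:                     $(count_sbits "$d/gnu/store")"   # 0
    rm -rf "$d"
}
main
```

Run it as a normal user; the only privileged step it omits is the
‘chown 0 0’, which does not change which inode the mode bits land on.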