From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id oEQRFIIJH2DJTgAA0tVLHw
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 06 Feb 2021 21:26:26 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id IDTOD4IJH2BqEgAAbx9fmQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 06 Feb 2021 21:26:26 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 87A97940105
	for <larch@yhetil.org>; Sat,  6 Feb 2021 21:26:25 +0000 (UTC)
Received: from localhost ([::1]:59012 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1l8V5y-0007Hw-NX
	for larch@yhetil.org; Sat, 06 Feb 2021 16:26:24 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:48148)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1l8V5j-0007Hm-3i
 for guix-devel@gnu.org; Sat, 06 Feb 2021 16:26:07 -0500
Received: from fencepost.gnu.org ([2001:470:142:3::e]:46813)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <ludo@gnu.org>)
 id 1l8V5i-0006u7-HU; Sat, 06 Feb 2021 16:26:06 -0500
Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=41564 helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <ludo@gnu.org>)
 id 1l8V5f-0007AL-2f; Sat, 06 Feb 2021 16:26:03 -0500
From: =?utf-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
To: Maxime Devos <maximedevos@telenet.be>
Subject: Re: Potential security weakness in Guix services
References: <YBMybeFOP0VfW6G7@jasmine.lan> <87k0rrls0z.fsf@gnu.org>
 <08F0CD76-DDCF-4CFA-AE8D-5FB165A62B25@lepiller.eu>
 <c7e82df3921fb0eaefb9db798d634f63f6eb0142.camel@telenet.be>
 <87o8h2ehy7.fsf@gnu.org>
 <69968b3a01d872cabdf55a94b6c82d5057e010c9.camel@telenet.be>
 <87v9b66dm1.fsf@gnu.org>
 <56adb5efa894304c27beba99b07e2f8cfd8ee7cb.camel@telenet.be>
X-URL: http://www.fdn.fr/~lcourtes/
X-Revolutionary-Date: 18 =?utf-8?Q?Pluvi=C3=B4se?= an 229 de la
 =?utf-8?Q?R=C3=A9volution?=
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
X-OS: x86_64-pc-linux-gnu
Date: Sat, 06 Feb 2021 22:26:01 +0100
In-Reply-To: <56adb5efa894304c27beba99b07e2f8cfd8ee7cb.camel@telenet.be>
 (Maxime Devos's message of "Fri, 05 Feb 2021 13:20:40 +0100")
Message-ID: <87zh0gzy52.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Cc: guix-devel@gnu.org
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-Spam-Score: -2.86
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org
X-Migadu-Queue-Id: 87A97940105
X-Spam-Score: -2.86
X-Migadu-Scanner: scn1.migadu.com
X-TUID: 81aW4T8SHUi5

Hi,

Maxime Devos <maximedevos@telenet.be> skribis:

> On Fri, 2021-02-05 at 10:57 +0100, Ludovic Court=C3=A8s wrote:
>> Hi Maxime,
>
>>=20
>> > I don't know how I should implement this properly in Guile, though.
>> > In C, I would use loop using openat with O_NOFOLLOW, in combination
>> > with stat, but Guile doesn't have openat or O_NOFOLLOW.
>>=20
>> In this case we need a solution without openat for now.  Perhaps simply
>> changing =E2=80=98mkdir-p/perms=E2=80=99 to =E2=80=98lstat=E2=80=99 comp=
onents as it goes?
>
> A compromised service could create a component as a regular file or
> directory, and quickly replace it with a symlink after the activation
> gexp checks the component wasn't a symlink but before the chown or
> chmod.

I understand the TOCTTOU race.  However, activation code runs in two
situations: when booting the system (before shepherd takes over), and
upon =E2=80=98guix system reconfigure=E2=80=99 completion.

When booting the system, there=E2=80=99s just no process out there to take
advantage of the race condition.

In the second case, presumably all the file name components already
exist.

Does that make sense?

>> > [...]
>> > I'll look into writing a concrete proposal for *at in guile.
>> > I'll post a link to the guile mailing list message when it has
>> > been composed and sent.
>
> Link: https://lists.gnu.org/archive/html/bug-guile/2021-02/msg00002.html

Thanks!

Ludo=E2=80=99.