From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id oEQRFIIJH2DJTgAA0tVLHw (envelope-from ) for ; Sat, 06 Feb 2021 21:26:26 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id IDTOD4IJH2BqEgAAbx9fmQ (envelope-from ) for ; Sat, 06 Feb 2021 21:26:26 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 87A97940105 for ; Sat, 6 Feb 2021 21:26:25 +0000 (UTC) Received: from localhost ([::1]:59012 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l8V5y-0007Hw-NX for larch@yhetil.org; Sat, 06 Feb 2021 16:26:24 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:48148) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l8V5j-0007Hm-3i for guix-devel@gnu.org; Sat, 06 Feb 2021 16:26:07 -0500 Received: from fencepost.gnu.org ([2001:470:142:3::e]:46813) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l8V5i-0006u7-HU; Sat, 06 Feb 2021 16:26:06 -0500 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=41564 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1l8V5f-0007AL-2f; Sat, 06 Feb 2021 16:26:03 -0500 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Subject: Re: Potential security weakness in Guix services References: <87k0rrls0z.fsf@gnu.org> <08F0CD76-DDCF-4CFA-AE8D-5FB165A62B25@lepiller.eu> <87o8h2ehy7.fsf@gnu.org> <69968b3a01d872cabdf55a94b6c82d5057e010c9.camel@telenet.be> <87v9b66dm1.fsf@gnu.org> <56adb5efa894304c27beba99b07e2f8cfd8ee7cb.camel@telenet.be> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 18 =?utf-8?Q?Pluvi=C3=B4se?= an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Sat, 06 Feb 2021 22:26:01 +0100 In-Reply-To: <56adb5efa894304c27beba99b07e2f8cfd8ee7cb.camel@telenet.be> (Maxime Devos's message of "Fri, 05 Feb 2021 13:20:40 +0100") Message-ID: <87zh0gzy52.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -2.86 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 87A97940105 X-Spam-Score: -2.86 X-Migadu-Scanner: scn1.migadu.com X-TUID: 81aW4T8SHUi5 Hi, Maxime Devos skribis: > On Fri, 2021-02-05 at 10:57 +0100, Ludovic Court=C3=A8s wrote: >> Hi Maxime, > >>=20 >> > I don't know how I should implement this properly in Guile, though. >> > In C, I would use loop using openat with O_NOFOLLOW, in combination >> > with stat, but Guile doesn't have openat or O_NOFOLLOW. >>=20 >> In this case we need a solution without openat for now. Perhaps simply >> changing =E2=80=98mkdir-p/perms=E2=80=99 to =E2=80=98lstat=E2=80=99 comp= onents as it goes? > > A compromised service could create a component as a regular file or > directory, and quickly replace it with a symlink after the activation > gexp checks the component wasn't a symlink but before the chown or > chmod. I understand the TOCTTOU race. However, activation code runs in two situations: when booting the system (before shepherd takes over), and upon =E2=80=98guix system reconfigure=E2=80=99 completion. When booting the system, there=E2=80=99s just no process out there to take advantage of the race condition. In the second case, presumably all the file name components already exist. Does that make sense? >> > [...] >> > I'll look into writing a concrete proposal for *at in guile. >> > I'll post a link to the guile mailing list message when it has >> > been composed and sent. > > Link: https://lists.gnu.org/archive/html/bug-guile/2021-02/msg00002.html Thanks! Ludo=E2=80=99.