website/posts/home-symlink.md (blob 92898704164ea83aa56710cdb77aac8501cc6c9c, 4249 bytes)

title: Risk of local privilege escalation in account creation
date: 2021-04-03 17:30
author: Maxime Devos
tags: Security Advisory
---

A security vulnerability that can lead to local privilege escalation
has been found in the activation code of user accounts (excluding
system accounts).  It does not affect users on foreign distros
and is only exploitable during system reconfiguration.

This exploit is _still_ possible on machines where the Linux [protected
symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature
is enabled.  It is believed the attack can also be performed using hard
links.

# Vulnerability

The attack consists of the user logging in after the account
skeletons have been copied to the home directory, but before the
owner of the copied skeletons has been set.  The user then deletes
a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
it with a symbolic link to a file not owned by the user, such as
`/etc/shadow`.

The activation code then changes the ownership of the file the symbolic
link points to instead of the symbolic link itself.  At that point, the
user has read-write access to the target file.

# Fix

This [bug](https://issues.guix.gnu.org/47584) has been
<!-- XXX insert the commit id -->
[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id= XXX).
See below for upgrade instructions.

The fix consists of initially creating the home directory root-owned and only
changing the owner of the home directory once all skeletons have been copied
and their owner has been set.
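As an added illustration, not the Guix activation code itself (which is written in Guile): a hypothetical Python sketch of the fixed ordering described above, where the home directory is handed to the user only after every skeleton has been copied and chowned without following symlinks, plus an audit that flags the tampering described in the Vulnerability section.  Function names, paths and the `.gdbinit` sample are constructed for the example, and `demo()` runs with the caller's own uid because chowning to another user needs root.

```python
import os
import shutil
import tempfile


def activate_home(home, skeleton_dir, uid, gid):
    """Fixed ordering: HOME stays owned by the activating process (root in
    Guix) until every skeleton is copied and chowned, closing the window."""
    os.makedirs(home, mode=0o700, exist_ok=True)
    for name in os.listdir(skeleton_dir):
        dst = os.path.join(home, name)
        shutil.copy2(os.path.join(skeleton_dir, name), dst, follow_symlinks=False)
        # lchown semantics: a planted link gets its own owner changed, never
        # the owner of the file it points to.
        os.chown(dst, uid, gid, follow_symlinks=False)
    os.chown(home, uid, gid, follow_symlinks=False)  # hand over last


def audit_home(home, uid):
    """Return (path, reason) for symlinks escaping HOME or entries not owned by uid."""
    findings = []
    home_real = os.path.realpath(home)
    for root, dirs, files in os.walk(home):  # does not follow symlinks
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([home_real, target]) != home_real:
                    findings.append((path, "symlink escapes HOME -> " + target))
            elif os.lstat(path).st_uid != uid:
                findings.append((path, "owned by uid %d, expected %d"
                                 % (os.lstat(path).st_uid, uid)))
    return findings


def demo():
    """Constructed scenario: activate a home from a one-file skeleton, audit
    it, then replay the swap the advisory describes and audit again."""
    uid, gid = os.getuid(), os.getgid()
    tmp = tempfile.mkdtemp()
    skel = os.path.join(tmp, "skel")
    os.mkdir(skel)
    with open(os.path.join(skel, ".gdbinit"), "w") as f:
        f.write("set history save on\n")
    home = os.path.join(tmp, "home")
    activate_home(home, skel, uid, gid)
    clean = audit_home(home, uid)
    planted = os.path.join(home, ".gdbinit")
    os.remove(planted)
    os.symlink("/etc/shadow", planted)  # the swap done in the race window
    tampered = audit_home(home, uid)
    shutil.rmtree(tmp)
    return clean, tampered
```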

# Upgrading

To upgrade the Guix System, run something like:

```
guix pull
sudo guix system reconfigure /run/current-system/configuration.scm
sudo reboot
```

As the user account activation code is run as a shepherd service,
the last step is required to make sure the fixed activation code
is run in the future.

To avoid the vulnerability while upgrading the system, only declare
new user accounts in the configuration file after the Guix System
has been upgraded.

# Conclusions

The activation code in Guix System was originally written with the
assumption that no other code would be running at the same time.
However, this is not a reasonable assumption in practice, as this
vulnerability demonstrates.  Thus, it may be worthwhile to review
other activation code for similar issues.

While investigating how to fix the issue, it became apparent that GNU Guile,
the implementation of the Algorithmic Language Scheme that GNU Guix is
written in, lacks the primitives usually used to avoid this kind of
issue, such as `openat` and `O_NOFOLLOW`.

These primitives turned out not to be necessary to fix the issue, and a
[patch series](https://lists.gnu.org/archive/html/guile-devel/2021-03/msg00026.html)
adding them has been submitted to GNU Guile.  Still, this serves as a
reminder that GNU Guile is a critical component of Guix System and that
working around missing primitives will not always be possible.

This issue is tracked as
[bug #47584](https://issues.guix.gnu.org/47584); you can read the thread
for more information.

Please report any issues you may have to
[`guix-devel@gnu.org`](https://guix.gnu.org/en/contact/).  See the
[security web page](https://guix.gnu.org/en/security/) for information
on how to report security issues.

#### About GNU Guix

[GNU Guix](https://guix.gnu.org) is a transactional package manager and
an advanced distribution of the GNU system that [respects user
freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html).
Guix can be used on top of any system running the Hurd or the Linux
kernel, or it can be used as a standalone operating system distribution
for i686, x86_64, ARMv7, and AArch64 machines.

In addition to standard package management features, Guix supports
transactional upgrades and roll-backs, unprivileged package management,
per-user profiles, and garbage collection.  When used as a standalone
GNU/Linux distribution, Guix offers a declarative, stateless approach to
operating system configuration management.  Guix is highly customizable
and hackable through [Guile](https://www.gnu.org/software/guile)
programming interfaces and extensions to the
[Scheme](http://schemers.org) language.
