GNU bug report logs

#37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)


Message #115 received at 37744@debbugs.gnu.org:

Date: Fri, 18 Oct 2019 18:32:01 -0700
From: Bengt Richter <bokr@bokr.com>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Message-ID: <20191018224519.GA81713@PhantoNv4ArchGx.localdomain>
References: <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx>
 <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org>
 <878spksty3.fsf@gnu.org> <87blufny52.fsf@gnu.org>
 <878spjnqlo.fsf@nckx> <87k193ktk9.fsf@gnu.org>
 <20191018022128.GA1765@PhantoNv4ArchGx.localdomain>
 <877e5215ox.fsf@gnu.org>
In-Reply-To: <877e5215ox.fsf@gnu.org>
User-Agent: Mutt/1.12.1 (2019-06-15)
Cc: 37744@debbugs.gnu.org, Tobias Geerinckx-Rice <me@tobias.gr>
Hi Ludo,

On +2019-10-18 16:36:30 +0200, Ludovic Courtès wrote:
> Bengt Richter <bokr@bokr.com> skribis:
> 
> > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
> 
> [...]
> 
> >> > Imperialist nitpick: why list the foreigners first?  :-)
> >> >
> >> > Anti-imperialist nitpick: reversing the two allows using ‘other
> >> > distributions’ instead of ‘foreign’ which always sounds a bit
> >> > dismissive to my ears.
> >> >
> >> > End nitpick.
> >> 
> >> That makes sense to me; I’m not satisfied with “foreign” either (I think
> >> the inspiration came from FFIs, but still).  Maybe “fellow distros”?
> >> :-)
> >
> > Is not the important distinction whether the "foreign distro" can be generated
> > with pure guix libre components using a pure guix tool chain vs not?
> 
> “Foreign distro” designates any distro other than Guix System.  From a
> technical viewpoint, it’s sometimes useful to be able to make that
> distinction.
> 
> HTH,
> Ludo’.

I was trying to get to a more exact definition of "that distinction" :)

I have read the page at "info guix installation", where "foreign" is explained:
---------------------------
     Note: We recommend the use of this shell installer script
     (https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh)
     to install Guix on top of a running GNU/Linux system, thereafter
     called a “foreign distro”.(1)  The script automates the download,
     installation, and initial configuration of Guix.  It should be run
     as the root user.

   When installed on a foreign distro, GNU Guix complements the
available tools without interference.  Its data lives exclusively in two
directories, usually ‘/gnu/store’ and ‘/var/guix’; other files on your
system, such as ‘/etc’, are left untouched.
[...]

(1) This section is concerned with the installation of the package
manager, which can be done on top of a running GNU/Linux system.  If,
instead, you want to install the complete GNU operating system, *note
System Installation::.
---------------------------

I have also read from "info guix introduction":
-----------------
   (2) We used to refer to Guix System as “Guix System Distribution” or
“GuixSD”.  We now consider it makes more sense to group everything under
the “Guix” banner since, after all, Guix System is readily available
through the ‘guix system’ command, even if you’re using a different
distro underneath!
----------------

further along it says:
-----------------------
   With Guix System, you _declare_ all aspects of the operating system
configuration and Guix takes care of instantiating the configuration in
a transactional, reproducible, and stateless fashion (*note System
Configuration::).  Guix System uses the Linux-libre kernel, the Shepherd
initialization system (*note (shepherd)Introduction::), the well-known
GNU utilities and tool chain, as well as the graphical environment or
system services of your choice.
-----------------------

That sounds more restricted than "... even if you’re using a different
distro underneath!" 

When you say "Guix System," do/should you really mean _only_ a system specifically
running a Linux-libre kernel, built with no dependencies outside of GuixSD
official sources, and using Shepherd initialization??

E.g., the Purism OS has (UIAM) been recognized as free as in RMS's "ryf", but is it
compiled entirely using only tools in /gnu/store/... ?

Ask them, right? ;-)
(BTW, does anyone in the Guix community have contact with them?
I think they are trying to contribute upstream and do "The Right Thing"(TM).)

My point is, if e.g. a bug is caused by something that is different in their kernel image
from the one you generate from linux-libre and GuixSD sources, then we will be chasing a bug
in their build process, not ours.

Sometimes it might be "useful to be able to make that distinction" no? :)

(The kernel image is just an example; likewise for initrds or anything that runs that was not derived
from official Guix/GuixSD sources.)

BTW, is it safe to do "guix system reconfigure" naively, "... even if you’re using a different
distro underneath!"?? I am afraid to try it :)

--
Regards,
Bengt Richter

PS. I think it would be useful if there were an LD_IMPURE_REFERENCE_LOG="path/to/logfile.txt"
in an easy-to-edit place that, if present, would cause the ld wrapper to append to the log what
it finds (even if otherwise ignoring impure refs).
WDYT?
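The PS above proposes that the ld wrapper should record impure references (link inputs that live outside the store) in a file named by an environment variable instead of silently dropping them. The Python sketch below is an added illustration of that idea for this page; it is not Guix's ld-wrapper (which is a Guile script) and not code from the message's author. The variable name LD_IMPURE_REFERENCE_LOG is taken from the PS, the /gnu/store prefix from the manual excerpt quoted in the message; the sample linker arguments and store paths are constructed, and the rule that relative paths count as pure (build-tree inputs) is an assumption of this sketch.

```python
import os
import tempfile
from datetime import datetime, timezone

# Store prefix from the manual excerpt quoted in the message.  LOG_ENV is the
# hypothetical variable name proposed in the PS, not something Guix implements.
STORE_PREFIX = "/gnu/store/"
LOG_ENV = "LD_IMPURE_REFERENCE_LOG"

# Suffixes treated as library inputs when they appear as bare absolute paths.
_LIB_SUFFIXES = (".so", ".a")


def is_pure(path: str) -> bool:
    """A reference is pure if it is relative (build tree) or resolves into the store.

    normpath collapses '..' so '/gnu/store/../../usr/lib' is not mistaken for a
    store path.  Assumption of this sketch: relative paths are always acceptable.
    """
    if not path.startswith("/"):
        return True
    return os.path.normpath(path).startswith(STORE_PREFIX)


def _is_bare_library(arg: str) -> bool:
    base = os.path.basename(arg)
    return arg.startswith("/") and (base.endswith(_LIB_SUFFIXES) or ".so." in base)


def split_impure(args):
    """Return (clean_args, impure_refs).

    Recognised forms: -L<dir>, -L <dir>, -rpath=<dir>, -rpath <dir>,
    -Wl,-rpath,<dir>, and absolute paths to .so/.a files.  Everything else
    passes through untouched.
    """
    clean, impure = [], []
    i = 0
    while i < len(args):
        arg, path, consumed = args[i], None, 1
        nxt = args[i + 1] if i + 1 < len(args) else None
        if arg.startswith("-L") and len(arg) > 2:
            path = arg[2:]
        elif arg == "-L" and nxt is not None:
            path, consumed = nxt, 2
        elif arg.startswith("-rpath="):
            path = arg[len("-rpath="):]
        elif arg == "-rpath" and nxt is not None:
            path, consumed = nxt, 2
        elif arg.startswith("-Wl,-rpath,"):
            path = arg[len("-Wl,-rpath,"):]
        elif _is_bare_library(arg):
            path = arg
        if path is not None and not is_pure(path):
            impure.append(" ".join(args[i:i + consumed]))
        else:
            clean.extend(args[i:i + consumed])
        i += consumed
    return clean, impure


def log_impurities(impure, env):
    """Append one line per dropped reference to the file named by LOG_ENV.

    Returns the number of lines written (0 when the variable is unset).
    """
    log_path = env.get(LOG_ENV)
    if not log_path or not impure:
        return 0
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    with open(log_path, "a", encoding="utf-8") as log:
        for ref in impure:
            log.write(f"{stamp} ld-wrapper: dropped impure reference: {ref}\n")
    return len(impure)


def wrap(args, env):
    """Wrapper core: log what is being ignored, then return only the pure arguments."""
    clean, impure = split_impure(args)
    log_impurities(impure, env)
    return clean


# Constructed sample linker command line; the store hash "xxxx" is a placeholder.
SAMPLE_ARGS = [
    "-o", "app", "main.o",
    "-L/gnu/store/xxxx-glibc-2.29/lib",
    "-L/usr/lib",
    "/usr/lib/libfoo.so",
    "-Wl,-rpath,/gnu/store/xxxx-glibc-2.29/lib",
    "-rpath=/opt/lib",
    "-L", "/gnu/store/../../usr/local/lib",
    "-lc",
]


def demo():
    """Run the wrapper with logging enabled in a scratch directory.

    Returns (clean_args, log_lines) so both outputs can be inspected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "impure.log")
        clean = wrap(SAMPLE_ARGS, {LOG_ENV: log_path})
        with open(log_path, encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    return clean, lines


if __name__ == "__main__":
    clean_args, log_lines = demo()
    print("clean:", clean_args)
    print("\n".join(log_lines))
```

The point of normalising with `os.path.normpath` is that a path such as `/gnu/store/../../usr/local/lib` textually begins with the store prefix but resolves outside it; a wrapper that only did a prefix check would let it through, whereas here it is dropped and logged like the other impure references.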



