GNU bug report logs

#37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)


Message #18 received at 37744@debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for
 Nix)
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org>
 <87y2xno85o.fsf@nckx>
Date: Mon, 14 Oct 2019 12:37:49 -0400
In-Reply-To: <87y2xno85o.fsf@nckx> (Tobias Geerinckx-Rice's message of "Mon,
 14 Oct 2019 13:53:35 +0200")
Message-ID: <87sgnvp9k2.fsf@gmail.com>
Cc: GNU Guix maintainers <guix-maintainers@gnu.org>,
 Ludovic Courtès <ludo@gnu.org>, 37744@debbugs.gnu.org,
 guix-security@gnu.org

Hello,

Tobias Geerinckx-Rice <me@tobias.gr> writes:

> Ludo',
>
> Thanks for your report :-p
>
> The 1777 is obviously very bad, no question.  However: question:
>
> Ludovic Courtès writes:
>> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
>> the client for clients connecting over TCP.  Or we’d need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> ‘per-user/ludo’.
>
> Assuming the daemon creates it with sane permissions (say 0755) &
> without any race conditions, what's my evil plan now?
>
> Kind regards,
>
> T G-R

It's not yet clear to me how an actual attack would work, but IIUC when
connecting over TCP there's no 'trusted' way to verify the user is
actually the user it says they are; so they could impersonate at will
(and make use of another user's local directory, perhaps arranging to
write something nasty in there).

Is my understanding correct?

Maxim
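
A defender-side check for the condition this bug report is about, as an added example that is not part of the thread or of Guix: it flags a world-writable per-user directory (the 1777 mode mentioned above) and any ‘per-user/$USER’ entry that is not a real directory, is not owned by the account it is named after, or is group- or world-writable. The names `audit_per_user` and `owner_name` are hypothetical, and the rule that each entry is named after its owning account is an assumption; the default path is the one in the bug title.

```python
import os
import pwd
import stat


def _default_owner(uid):
    """Map a uid to an account name, or None if the uid has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def audit_per_user(root="/var/guix/profiles/per-user", owner_name=_default_owner):
    """Return a list of (path, problem) tuples; an empty list means no finding."""
    findings = []
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        return [(root, "not a directory")]
    if st.st_mode & stat.S_IWOTH:
        # With 1777, any local user can pre-create per-user/$USER for someone else.
        findings.append((root, "world-writable (mode %04o)" % stat.S_IMODE(st.st_mode)))
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        est = os.lstat(path)  # lstat: never follow a planted symlink
        if not stat.S_ISDIR(est.st_mode):
            findings.append((path, "not a real directory"))
            continue
        if owner_name(est.st_uid) != name:  # assumption: entry name == owning account
            findings.append((path, "owned by uid %d, not by user '%s'" % (est.st_uid, name)))
        if est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group- or world-writable (mode %04o)"
                             % stat.S_IMODE(est.st_mode)))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/guix/profiles/per-user"
    if os.path.isdir(target):
        for path, problem in audit_per_user(target):
            print("%s: %s" % (path, problem))
    else:
        print("%s: no such directory, nothing to audit" % target)
```
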



