GNU bug report logs

#37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)


Message #24 received at 37744@debbugs.gnu.org (full text, mbox, reply):

From: Tobias Geerinckx-Rice <me@tobias.gr>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Message-ID: <87mue2nkrj.fsf@nckx>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org>
In-reply-to: <87d0eyuqzd.fsf@gnu.org>
Date: Tue, 15 Oct 2019 16:31:40 +0200
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Ludo',

Thanks for your answer.

Ludovic Courtès wrote:
>> I need more cluebat please: say I'm an attacker and connect to your
>> daemon (over TCP, why not), asking it to create an empty
>> ‘per-user/ludo’.
>
> You wouldn’t be able to do that because over TCP the daemon
> can’t tell what user you are.

No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.

Of course the remote daemon doesn't trust me beyond pre-creating 
an empty per-user directory owned by the local "ludo" user only if 
such a user exists.  It doesn't even report success or failure to 
avoid leaking valid user names.

You already trust the network not to DoS you with webkitgtks, how 
does this new step decrease security?

Sure, it bumps the protocol version; I'm aware of that.

> It’s meant for cluster setups where you have one
> head node that clients connect to from remote nodes.

And likely some kind of centralised user management so it's not 
unreasonable to handle this differently/manually.

Kind regards,

T G-R
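A daemon-side check in the spirit of the behaviour described in the message above (an added example, not guix-daemon code): it creates `per-user/<name>` only for an existing local user, hands the directory to that user, and accepts a pre-existing entry only if it is a real directory the user already owns, while the caller decides separately whether the result may be reported. The login-name pattern and the refusal to operate under a world-writable parent are assumptions; `demo()` runs the check as an unprivileged user against a scratch directory.

```python
import os, pwd, re, stat, tempfile

# Login names the daemon will act on: no "/", no leading "." or "-" (assumption).
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")


def ensure_per_user_dir(root: str, username: str) -> bool:
    """Make ROOT/USERNAME a real directory owned by that local user; True if so.
    A daemon serving remote clients must not forward this result: reporting
    success or failure would leak which user names exist (see the message above)."""
    if not NAME_RE.match(username):               # "", "..", "a/b", ...
        return False
    try:
        pw = pwd.getpwnam(username)               # unknown user: do nothing
    except KeyError:
        return False
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # A world-writable parent lets any local user plant an entry under
        # someone else's name first, so refuse to operate on such a tree.
        if os.fstat(root_fd).st_mode & stat.S_IWOTH:
            return False
        try:
            os.mkdir(username, 0o755, dir_fd=root_fd)
            os.chown(username, pw.pw_uid, pw.pw_gid, dir_fd=root_fd,
                     follow_symlinks=False)
        except FileExistsError:
            pass                                  # inspect what is already there
        st = os.stat(username, dir_fd=root_fd, follow_symlinks=False)
        # Only a directory (never a symlink) the user owns and nobody else can write
        return (stat.S_ISDIR(st.st_mode) and st.st_uid == pw.pw_uid
                and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    finally:
        os.close(root_fd)


def demo() -> dict:
    """Exercise the check on a scratch tree (constructed, not /var/guix)."""
    root = tempfile.mkdtemp()                     # mode 0700, owned by us
    try:
        me = pwd.getpwuid(os.getuid()).pw_name    # target user: the caller
    except KeyError:                              # container without passwd entry
        return {}
    out = {"traversal": ensure_per_user_dir(root, "../etc"),
           "unknown": ensure_per_user_dir(root, "no-such-user-0"),
           "created": ensure_per_user_dir(root, me),
           "again": ensure_per_user_dir(root, me)}
    os.chmod(os.path.join(root, me), 0o777)       # loosened after creation
    out["loose_dir"] = ensure_per_user_dir(root, me)
    os.chmod(root, 0o1777)                        # the insecure parent mode
    out["loose_parent"] = ensure_per_user_dir(root, me)
    return out
```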



debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:41:16 2024; Machine Name: wallace-server
