GNU bug report logs

#37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)


Message #54 received at submit@debbugs.gnu.org:

Date: Wed, 16 Oct 2019 18:28:08 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <87tv89rnva.fsf@gnu.org>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org>
 <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx>
 <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org>
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
To: bug-guix@gnu.org, Ludovic Courtès <ludo@gnu.org>, Tobias Geerinckx-Rice <me@tobias.gr>
From: Julien Lepiller <julien@lepiller.eu>
Message-ID: <AA3C1975-800B-4D2E-A260-20E9DC95D0F0@lepiller.eu>
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org

On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" <ludo@gnu.org> wrote:
>Hello!
>
>Here’s a patch that fixes the issue, partly based on what the Nix folks
>did.
>
>For the client-connecting-over-TCP case, I added special handling:
>‘set-build-options’ now passes a “user-name” property, potentially
>allowing to create ‘per-user/$USER’ at that point (like you suggested,
>Tobias.)
>
>In a cluster setup, it means that the machine that runs ‘guix-daemon’
>must see the same users as the machines where its clients run, but
>that’s basically already what we expect:
><https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/>.
>
>There’s one case that won’t be correctly handled: in a cluster setup, an
>old client talking to a new daemon won’t provide info to create
>‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create
>the user’s profile if it doesn’t already exist.  I think that’s hard to
>avoid though.
>
>Thoughts?
>
>Thanks,
>Ludo’.

We could advise people to restart the service too, with e.g. systemctl restart guix-daemon
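A defender-side audit of the directory this report is about, added here as an example (it is not part of the thread or of Guix): it flags a per-user root that is writable by others, which is what lets one local user pre-create another user's profile directory, and flags per-user/<name> entries not owned by the account <name>. The expected layout (root not world-writable, each subdirectory owned by its namesake) and the use of GNU stat are assumptions, not something the report states.

```sh
#!/bin/sh
# Added example, not from the bug thread or Guix: audit the layout of a
# Guix per-user profile root. Two findings are reported:
#   1. the root itself is writable by "other" (any local user could then
#      create per-user/<victim> before the victim's first profile is made);
#   2. a per-user/<name> entry whose owner is not the user <name>, or
#      whose <name> is not a known account.
# Assumed expected layout (not stated in the report): root not world-writable,
# each per-user/<name> owned by <name>. Uses GNU stat (Linux).

file_mode() { stat -c '%a' "$1"; }   # octal mode, e.g. 1777
file_uid()  { stat -c '%u' "$1"; }   # numeric owner uid

audit_per_user() {
    root="${1:-/var/guix/profiles/per-user}"
    problems=0

    if [ ! -d "$root" ]; then
        echo "MISSING $root"
        return 2
    fi

    # The other-write bit is set exactly when the last octal digit is 2, 3, 6 or 7.
    case "$(file_mode "$root")" in
        *[2367]) echo "WORLD-WRITABLE $root (mode $(file_mode "$root"))"
                 problems=$((problems + 1)) ;;
    esac

    for d in "$root"/*; do
        [ -d "$d" ] || continue          # also skips the literal '*' of an empty root
        name=${d##*/}
        if ! expected=$(id -u "$name" 2>/dev/null); then
            echo "UNKNOWN-USER $d (no account named '$name')"
            problems=$((problems + 1))
            continue
        fi
        actual=$(file_uid "$d")
        if [ "$actual" != "$expected" ]; then
            echo "OWNER-MISMATCH $d (owned by uid $actual, expected $expected)"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]   # exit status: 0 clean, 1 findings reported
}
```

Run it as `audit_per_user` with no argument to check the real path, or pass another root for a test tree; findings are printed one per line.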

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 11:31:58 2024; Machine Name: wallace-server

GNU bug tracking system
