From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 16 15:58:53 2019 Received: (at 37744) by debbugs.gnu.org; 16 Oct 2019 19:58:53 +0000 Received: from localhost ([127.0.0.1]:46606 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iKpRd-0001V1-10 for submit@debbugs.gnu.org; Wed, 16 Oct 2019 15:58:53 -0400 Received: from lepiller.eu ([89.234.186.109]:41580) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iKpRW-0001Uh-KX for 37744@debbugs.gnu.org; Wed, 16 Oct 2019 15:58:48 -0400 Received: from lepiller.eu (localhost [127.0.0.1]) by lepiller.eu (OpenSMTPD) with ESMTP id 08337429; Wed, 16 Oct 2019 19:58:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=lepiller.eu; h=date:from :to:cc:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; s=dkim; bh=yS8O6vGjnqYa cY8NoQyPLydjLC8=; b=Eae28kSM7xTAlWFqCI1N+7eslgBPPXbgL5k0AgrZm+2I aTHD1NRUAWtE0f4orJCTslOR6BaAililU3bX24KPi+gAV2DJ+GCN/4n33xL172ID vk6WeHGc16K4LWMxektUAApfglXUU7ftAzaJ1Ikw8SryAk1ZAU60IYiZY54hE57z EcSOZZHUtY1ZH6dDl6iGbWhNvASU7IOmXjeRhy882U+Hh28Hx2lg3HHL8UUqYpts ghCbqqc4ay/zdjKQWxmzwwf5EZxbRGN4vLlGZXk60M0LnslgLMgxu1gchX4CW7OQ drMge0KcdXX3COLs8cahKoFXY53PgTp+qGFIbyDnlw== Received: by lepiller.eu (OpenSMTPD) with ESMTPSA id c6cf8ef8 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Wed, 16 Oct 2019 19:58:44 +0000 (UTC) Date: Wed, 16 Oct 2019 21:58:39 +0200 From: Julien Lepiller To: Ludovic =?UTF-8?B?Q291cnTDqHM=?= Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Message-ID: <20191016215839.73c32b64@sybil.lepiller.eu> In-Reply-To: <87ftjsk4d3.fsf@gnu.org> References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx> <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org> <878spksty3.fsf@gnu.org> <20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain> <87ftjsoh40.fsf@nckx> <20191016151922.5fanqbt6kiv4offx@pelzflorian.localdomain> <87eezcogtf.fsf@nckx> <87ftjsk4d3.fsf@gnu.org> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-unknown-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37744 Cc: 37744@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Le Wed, 16 Oct 2019 19:05:44 +0200, Ludovic Court=C3=A8s a =C3=A9crit : > Hi! >=20 > Thanks for your feedback Tobias, Florian, and Julien! >=20 > Taking that into account, I propose this (I=E2=80=99ve also changed the t= itle > to make it hopefully clearer): >=20 > --8<---------------cut here---------------start------------->8--- > (entry (commit "FIXME") > (title (en "Insecure @file{/var/guix/profiles/per-user} > permissions")) (body > (en "The default user profile, @file{~/.guix-profile}, > points to @file{/var/guix/profiles/per-user/$USER}. Until now, > @file{/var/guix/profiles/per-user} was world-writable, allowing the > @command{guix} command to create the @code{$USER} sub-directory. >=20 > On a multi-user system, this allowed a malicious user to create and > populate that @code{$USER} sub-directory for another user that had > not yet logged in. Since @code{/var/@dots{}/$USER} is in > @code{$PATH}, the target user could end up running attacker-provided > code. See @uref{https://issues.guix.gnu.org/issue/37744} for more > information. >=20 > This is now fixed by letting @command{guix-daemon} create these > directories on behalf of users and removing the world-writable > permissions on @code{per-user}. On multi-user systems, we recommend > updating the daemon now. To do that, run @code{sudo guix pull} if > you're on a foreign distro, or run @code{guix pull && sudo guix > system reconfigure @dots{}} on Guix System. In both cases, make sure > to restart the service afterwards, with @code{herd} or > @code{systemctl}."))) --8<---------------cut > here---------------end--------------->8--- pour le fran=C3=A7ais (n'h=C3=A9site pas =C3=A0 reprendre le texte si tu tr= ouves =C3=A0 redire :)) : titre : Permissions laxistes pour @file{/var/guix/profiles/per-user} corps : Le profil utilisateur par d=C3=A9faut, @file{~/.guix-profile}, pointe vers @file{/var/guix/profiles/per-user/$USER}. Jusqu'=C3=A0 maintenant, @file{/var/guix/profiles/per-user} =C3=A9tait disponible en =C3=A9criture pour tout le monde, ce qui permettait =C3=A0 la commande @command{guix} de cr=C3=A9=C3=A9r le sous-r=C3=A9pertoire @code{$USER}. Sur un syst=C3=A8me multi-utilisateur, cela permet =C3=A0 un utilisateur malveillant de cr=C3=A9er et de remplir le sous-r=C3=A9pertoire @code{USER}= pour n'importe quel utilisateur qui ne s'est jamais connect=C3=A9. Comme @code{/var/@dots{}/$USER} fait partie de @code{$PATH}, l'utilisateur cibl=C3=A9 pouvait ex=C3=A9cuter des programmes fournis par l'attaquant. V= oir @uref{https://issues.guix.gnu.org/issue/37744} pour plus de d=C3=A9tails. Cela est maintenant corrig=C3=A9 en laissant =C3=A0 @command{guix-daemon} l= e soin de cr=C3=A9er ces r=C3=A9pertoire pour le compte des utilisateurs et en supprimant les permissions en =C3=A9criture pour tout le monde sur @code{per-user}. Nous te recommandons de mettre =C3=A0 jour le d=C3=A9mon imm=C3=A9diatement. Pour cela, lance @code{sudo guix pull} si tu es sur une distro externe ou @code{guix pull && sudo guix system reconfigure @dots{}} sur le syst=C3=A8me Guix. Dans tous les cas, assure-toi ensuite de red=C3=A9marrer le service avec @code{herd} ou @code{systemctl}. >=20 > If this is fine with you, I hereby request translation of this entry. > :-) >=20 > I=E2=80=99ll commit the change within a few hours if there are no objecti= ons. >=20 > Ludo=E2=80=99. >=20 >=20 >=20