From: Tobias Geerinckx-Rice
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, GNU Guix maintainers, guix-security@gnu.org
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Message-ID: <87y2xno85o.fsf@nckx>
References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org>
In-reply-to: <87blujsqq0.fsf@gnu.org>
Date: Mon, 14 Oct 2019 13:53:35 +0200
Ludo',

Thanks for your report :-p

The 1777 is obviously very bad, no question. However: question:

Ludovic Courtès wrote:
> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
> the client for clients connecting over TCP. Or we’d need to add a
> challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to your daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’.

Assuming the daemon creates it with sane permissions (say 0755) & without any race conditions, what's my evil plan now?

Kind regards,

T G-R
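As an added example, not part of this bug report or of the Guix or Nix code, the following Python audits the two states discussed in the thread: a shared per-user parent left world-writable (the 1777 case) versus a per-user/<user> entry created by the daemon at 0755 and owned by the requesting user. The base path, user name and function names are assumptions; the demo runs in a temporary directory.

```python
import os
import stat
import tempfile


def audit_per_user(base, user, uid):
    """Return findings for per-user/<user> (empty list means sane).

    Checks the two points from the thread: the shared parent must not be
    world-writable (the 1777 case, where any local user could pre-create
    another user's entry), and per-user/<user> must be a real directory
    owned by that uid and not writable by group or others (e.g. 0755)."""
    findings = []
    st = os.lstat(base)
    if st.st_mode & stat.S_IWOTH:
        findings.append("parent %s is world-writable (%o)" % (base, stat.S_IMODE(st.st_mode)))
    path = os.path.join(base, user)
    try:
        pst = os.lstat(path)
    except FileNotFoundError:
        return findings
    if not stat.S_ISDIR(pst.st_mode):  # a symlink or file planted there
        findings.append("%s is not a plain directory" % path)
        return findings
    if pst.st_uid != uid:
        findings.append("%s owned by uid %d, expected %d" % (path, pst.st_uid, uid))
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is group/world-writable" % path)
    return findings


def daemon_create_per_user(base, user, uid, gid):
    """Create per-user/<user> the way the thread proposes a daemon should:
    refuse a pre-existing entry, force mode 0755 regardless of umask,
    then hand ownership to the requesting user (chown needs root in practice)."""
    path = os.path.join(base, user)
    os.mkdir(path, 0o755)  # FileExistsError if anything was planted first
    os.chmod(path, 0o755)
    os.chown(path, uid, gid)
    return path


def demo():
    """Constructed scenario in a temp dir: audit a 1777 parent, then the fixed layout."""
    base = tempfile.mkdtemp()  # assumption: stands in for the real per-user directory
    os.chmod(base, 0o1777)
    before = audit_per_user(base, "ludo", os.getuid())
    os.chmod(base, 0o755)
    daemon_create_per_user(base, "ludo", os.getuid(), os.getgid())
    after = audit_per_user(base, "ludo", os.getuid())
    return before, after
```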