Date: Thu, 18 Mar 2021 17:10:49 -0400
From: Leo Famulari
To: Ludovic Courtès
Subject: Re: bug#47229: Local privilege escalation via guix-daemon and ‘--keep-failed’
Cc: 47229@debbugs.gnu.org

On Thu, Mar 18, 2021 at 12:17:15PM +0100, Ludovic Courtès wrote:
> It does not affect multi-user setups where ‘guix-daemon’ runs on a
> separate machine and is accessed over the network, via
> ‘GUIX_DAEMON_SOCKET’, as is customary on cluster setups.
> Machines where the Linux “protected hardlink”[*] feature is enabled,
> which is common, are also unaffected—this is the case when the contents
> of /proc/sys/fs/protected_hardlinks are 1.

After publishing the advisory, we received a clarification about the
impact of "protected hardlinks".

When using a guix-daemon that does not include the fix [0] for the bug
reported here, it is still possible for rogue build scripts to escape
the build environment, even when protected hardlinks are enabled.

Protected hardlinks do make exploitation significantly more difficult,
but not impossible.

For this reason, we continue to recommend that all Guix users upgrade
their guix-daemons, as described in the original advisory.

[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf