From: Ludovic Courtès
To: Maxime Devos
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:49:24 +0200
In-Reply-To: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:26:53 +0200")
Message-ID: <878s5zw0tn.fsf@gnu.org>
Cc: 47584@debbugs.gnu.org

Maxime Devos skribis:

> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.

Also… in this paragraph, it’s not entirely clear which user we’re talking about.

In news.scm, I reworded it like so:

  The attack can happen when @command{guix system reconfigure} is running.
  Running @command{guix system reconfigure} can trigger the creation of new
  user accounts if the configuration specifies new accounts. If a user whose
  account is being created manages to log in after the account has been
  created but before ``skeleton files'' copied to its home directory have
  the right ownership, they may, by creating an appropriately-named symbolic
  link in the home directory pointing to a sensitive file, such as
  @file{/etc/shadow}, get root privileges.
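Review bot: in the quoted hunk, "the owner of the account skeletons have been set" should read "has been set" (singular subject), and "the user" is left unqualified throughout; naming it as the user whose account is being created, and saying which step sets the ownership, would make the race window unambiguous. The entry also describes only the attack, so a closing sentence on what the fix changes would help readers decide whether they need to reconfigure.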
It may also be worth mentioning that the user is likely unable to log in at all at that point, as I wrote here:

  https://issues.guix.gnu.org/47584#6

WDYT?

Ludo’.
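A defensive illustration of the ownership step this thread is about, added here and not Guix's own copy-account-skeletons code: the chown is done through a descriptor opened with O_NOFOLLOW and checked with fstat, so a symbolic link dropped in during the window is refused instead of followed. The function names and the temporary-directory fixture are this example's own assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Chown one copied skeleton file without following links: open it with
   O_NOFOLLOW, check on the descriptor that it is a single-link regular file,
   then fchown the descriptor.  0 on success; -1 with errno ELOOP (a symlink
   was swapped in) or EINVAL (not a plain file) otherwise. */
int safe_chown_skeleton(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP if path is now a symlink */
    struct stat st; int rc = -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_nlink == 1)
            rc = fchown(fd, uid, gid);     /* acts on the inode we inspected */
        else
            errno = EINVAL;
    }
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Self-check on a constructed fixture: a copied regular file in a fresh temp
   directory is chowned to our own uid/gid (needs no privilege) and a symlink
   planted under a skeleton name is rejected with ELOOP.  1 if both hold. */
int self_check(void)
{
    char dir[] = "/tmp/skel-XXXXXX", regular[64], link[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(regular, sizeof regular, "%s/.gdbinit", dir);
    snprintf(link, sizeof link, "%s/.bashrc", dir);
    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || symlink(regular, link) != 0) return 0;
    close(fd);
    int ok_regular = safe_chown_skeleton(regular, getuid(), getgid()) == 0;
    int rejected = safe_chown_skeleton(link, getuid(), getgid()) == -1
                   && errno == ELOOP;
    unlink(link); unlink(regular); rmdir(dir);
    return ok_regular && rejected;
}

int main(void)
{
    printf("self-check: %s\n", self_check() ? "ok" : "FAILED");
    return 0;
}
```

The check alone does not close the window; keeping the home directory inaccessible to the new user until the copy and chown are finished is the complementary measure.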