From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sun, 04 Apr 2021 15:29:01 +0200

On Sat, 2021-04-03 at 18:26 +0200, Maxime Devos wrote:
> A suggested blog post is attached.

A revised blog post is attached. The following points are currently _not_ addressed:

Ludovic Courtès wrote:
> Also… in this paragraph, it’s not entirely clear which user we’re
> talking about it. In news.scm, I reworded it like so:
> The attack can happen when @command{guix system reconfigure} is running.
> Running @command{guix system reconfigure} can trigger the creation of new user
> accounts if the configuration specifies new accounts. If a user whose account
> is being created manages to log in after the account has been created but
> before ``skeleton files'' copied to its home directory have the right
> ownership, they may, by creating an appropriately-named symbolic link in the
> home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
> root privileges.
>
> It may also be worth mentioning that the user is likely unable to log in
> at all at that point, as I wrote here:

I can't think of something along these lines to write at the moment ...

Greetings,
Maxime.

[Attachment: 0001-website-Add-post-about-vulnerability-in-copy-account.patch (text/x-patch)]
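
The ownership step described in the quoted paragraph, as an added example (not code from this message or from Guix): a descriptor-based ownership change that refuses a skeleton entry which has been replaced by a symbolic link. The function names, file names and temporary-directory layout are constructed for illustration, and the demo uses the caller's own uid/gid so it runs without root on Linux.

```python
import errno
import os
import stat
import tempfile


def chown_entry_nofollow(home_fd, name, uid, gid):
    """Hand one copied skeleton file to (uid, gid), never following a symlink."""
    try:
        # openat()-style lookup; O_NOFOLLOW fails if `name` is now a symlink.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK,
                     dir_fd=home_fd)
    except OSError as err:
        if err.errno in (errno.ELOOP, errno.EMLINK):
            return "refused-symlink"
        raise
    try:
        # Work on the descriptor, so the object checked is the object changed.
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return "refused-not-regular"
        os.fchown(fd, uid, gid)
        return "chowned"
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: one regular skeleton file, one swapped for a symlink."""
    with tempfile.TemporaryDirectory() as root:
        sensitive = os.path.join(root, "sensitive")  # stands in for /etc/shadow
        home = os.path.join(root, "home")
        os.mkdir(home)
        for path in (sensitive, os.path.join(home, ".bashrc")):
            with open(path, "w") as f:
                f.write("constructed sample\n")
        link = os.path.join(home, ".profile")
        os.symlink(sensitive, link)                  # the swapped-in symlink
        # A path-based chown that follows links would resolve to `sensitive`:
        follows_to_target = os.path.samefile(link, sensitive)
        uid, gid = os.getuid(), os.getgid()          # own ids: no root needed
        home_fd = os.open(home, os.O_RDONLY | os.O_DIRECTORY)
        results = {n: chown_entry_nofollow(home_fd, n, uid, gid)
                   for n in (".bashrc", ".profile")}
        os.close(home_fd)
        return results, follows_to_target


if __name__ == "__main__":
    print(demo())
```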