From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 06 07:57:22 2021 Received: (at 47584) by debbugs.gnu.org; 6 Apr 2021 11:57:22 +0000 Received: from localhost ([127.0.0.1]:39399 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTkKg-0002op-Bk for submit@debbugs.gnu.org; Tue, 06 Apr 2021 07:57:22 -0400 Received: from eggs.gnu.org ([209.51.188.92]:37502) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTkKd-0002ob-UX for 47584@debbugs.gnu.org; Tue, 06 Apr 2021 07:57:21 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:48624) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTkKX-0005qN-W0; Tue, 06 Apr 2021 07:57:14 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=37184 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lTkKU-00012l-2L; Tue, 06 Apr 2021 07:57:13 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Subject: Re: bug#47584: Race condition in =?utf-8?Q?=E2=80=98copy-account-?= =?utf-8?Q?skeletons=E2=80=99=3A?= possible privilege escalation. References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <87mtufw1kh.fsf@gnu.org> <7ab30aad812e5de1216c95b3becb784e3363e615.camel@telenet.be> <87zgycqzfz.fsf@gnu.org> <00621260aa43f1918aaf0f0bb2318bf359b826c3.camel@telenet.be> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 17 Germinal an 229 de la =?utf-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 06 Apr 2021 13:57:08 +0200 In-Reply-To: <00621260aa43f1918aaf0f0bb2318bf359b826c3.camel@telenet.be> (Maxime Devos's message of "Tue, 06 Apr 2021 11:56:23 +0200") Message-ID: <87v98zmxrf.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47584 Cc: Leo Famulari , 47584@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi Maxime, Maxime Devos skribis: > On Mon, 2021-04-05 at 21:54 +0200, Ludovic Court=C3=A8s wrote: >> [...] >>=20 >> OK. It does mean that the bug is hardly exploitable in practice: you >> have to be able to log in at all, > Yes. > >> and if you=E2=80=99re able to log in, you have >> to log in precisely within the 1s (or less) that follows account >> creation, which sounds challenging (TCP + SSH connection establishment >> is likely to take as much time or more, > > Is logging in possible when the home directory doesn't exist? I think so. > An attacker could copy and paste, or have used a single-character passwor= d, > to save some time. Hmm yes. It=E2=80=99s a bit a far-fetched though: the attacker would have passed the sysadmin the output of the =E2=80=98crypt=E2=80=99 procedure, su= ch that the sysadmin cannot know the password length. >> Does it warrant as strong messaging as for the recent daemon >> =E2=80=98--keep-failed=E2=80=99 vulnerability? > > As it is a one-time chance, with a limited window, and only under specific > circumstances (creating a new user account), I don't think so. But I wou= ld > still recommend to upgrade. Does the blog post have =E2=80=98too strong = messaging=E2=80=99?=20 The blog post and info-guix messages are the highest levels of visibility we can give, roughly. So I think we have to think twice before doing that or truly important issues will eventually go unnoticed. The risk with this issue seems much lower than that of the keep-failed issue, it even looks super low. WDYT? Ludo=E2=80=99.