From debbugs-submit-bounces@debbugs.gnu.org Sat Apr 03 16:15:54 2021 Received: (at 47584) by debbugs.gnu.org; 3 Apr 2021 20:15:55 +0000 Received: from localhost ([127.0.0.1]:34479 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSmgU-00066S-FT for submit@debbugs.gnu.org; Sat, 03 Apr 2021 16:15:54 -0400 Received: from eggs.gnu.org ([209.51.188.92]:54496) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSmgS-00066G-Vi for 47584@debbugs.gnu.org; Sat, 03 Apr 2021 16:15:53 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59075) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lSmgN-00082b-LI; Sat, 03 Apr 2021 16:15:47 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=40540 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lSmgN-0002lt-5e; Sat, 03 Apr 2021 16:15:47 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Subject: Re: bug#47584: Race condition in =?utf-8?Q?=E2=80=98copy-account-?= =?utf-8?Q?skeletons=E2=80=99=3A?= possible privilege escalation. References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be> Date: Sat, 03 Apr 2021 22:15:45 +0200 In-Reply-To: <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:22:12 +0200") Message-ID: <87y2dzw2dq.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47584 Cc: 47584@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi Maxime, Maxime Devos skribis: > From 9672bd37bf50db1e0989d0b84035c4788422bd31 Mon Sep 17 00:00:00 2001 > From: Maxime Devos > Date: Tue, 30 Mar 2021 22:36:14 +0200 > Subject: [PATCH 1/2] activation: Do not dereference symlinks in home dire= ctory > creation. > MIME-Version: 1.0 > Content-Type: text/plain; charset=3DUTF-8 > Content-Transfer-Encoding: 8bit > > Fixes . > > * gnu/build/activation.scm > (copy-account-skeletons): Do not chown the home directory; leave this > to 'activate-user-home'. > (activate-user-home): Only chown the home directory after the account > skeletons have been copied. > > Co-authored-by: Ludovic Court=C3=A8s . Pushed: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=3D2161820ebbbab62a5= ce76c9101ebaec54dc61586 > From d071ee3aff5be1a6d7876d7411e70f7283dce1fb Mon Sep 17 00:00:00 2001 > From: Maxime Devos > Date: Sat, 3 Apr 2021 12:19:10 +0200 > Subject: [PATCH 2/2] news: Add entry for user account activation > vulnerability. > > TODO for guix committer: correct the commit id appropriately. > > * etc/news.scm: Add entry. I tweaked it to (1) make it clear upfront that only Guix System is affected, (2) to explicitly recommend an upgrade on Guix System, and (3) to clarify when the attack can happen. Thanks for finding the issue, for reporting it at guix-security, and for preparing these patches! Ludo=E2=80=99.