Duncan Overbruck reported on guix-security on Jan. 30th that onGuix System, programs listed in ‘setuid-programs’ all end up beingsetuid-root *and* setgid-root (this issue is only relevant to GuixSystem users; users of Guix on “foreign” distros are unaffected). The latter could potentially lead to local privilege escalation becausethese programs are usually designed to be setuid-root, but notsetgid-root. As Duncan wrote:
Toggle quote (16 lines)> The issue is that if those programs like ping are not aware of being> installed with setgid and then fail to drop full privileges.>> In case someone finds a vulnerability in ping, that happens somewhere after> the privileges should have been dropped then you have a privilege escalation> issue and not just a buffer overflow in code running as the user.>> Another case would be as example dbus-launch-helper usually owned by> root:dbus and is not executable by others, but in guix is root:root> and readable/executable by others, this could potentially open more> attack surface.>> With forcing every single setuid binary to be just root:root 06555 you> deviate from the developers intended permission and there could be something> that is going to be exploitable just because guix deviates from that.
We do not know of any exploitation of this issue. For completeness,here is the list of setuid programs one may get on Guix System by usingthe settings and services currently provided (‘service-types/setuid’comes from the attached file):
The immediate fix is to not make those programs setgid-root (patchattached). (Incidentally, Chris Webber proposed to make it explicit, which we’ll doeventually: https://issues.guix.gnu.org/44700.) Many thanks to Duncan Overbruck for reporting the issue! Ludo’.