SECURITY: Sanitize the permissions for guix daemon socket?

Status: Done

Details
Participants: Jacob Hrbek, Tobias Geerinckx-Rice
Owner: unassigned
Submitted by: Jacob Hrbek
Severity: normal
Jacob Hrbek wrote on 14 Nov 2021 10:18
To: bug-guix@gnu.org
The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666 that allows **ALL** users on the system to interact with guix daemon to write in the store directory.

Proposing to define a group (or use guixbuild group?) to by default deny access to the socket to all users without the group as I see this being a security issue waiting to happen.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.
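A way to inspect the permissions the report describes, as an added example that is not part of the original thread and not Guix's own code. The function name `socket_access` and its `top` parameter are hypothetical; the check assumes Linux semantics and looks only at classic mode bits for the "other" class (no ACLs, no owner or group membership).

```python
import os
import stat
import sys


def socket_access(path, top="/"):
    """Report who may connect to a Unix socket, judged by mode bits only.

    `top` (hypothetical parameter) is the highest directory to inspect.
    """
    path, top = os.path.abspath(path), os.path.abspath(top)
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")

    # On Linux, connect(2) needs write permission on the socket inode ...
    other_write = bool(st.st_mode & stat.S_IWOTH)

    # ... and search (x) permission on every directory leading to it.
    blocking_dirs = []
    d = os.path.dirname(path)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            blocking_dirs.append(d)
        if d == top or d == os.path.dirname(d):
            break
        d = os.path.dirname(d)

    return {
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mode": format(stat.S_IMODE(st.st_mode), "04o"),
        "other_can_connect": other_write and not blocking_dirs,
        "blocking_dirs": blocking_dirs,
    }


if __name__ == "__main__":
    # Default is the socket path quoted in the report; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/guix/daemon-socket/socket"
    try:
        print(socket_access(target))
    except (OSError, ValueError) as err:
        sys.exit(f"cannot inspect {target}: {err}")
```

Restricting either the socket mode or a parent directory's search bit is enough to change the `other_can_connect` result.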
Jacob Hrbek wrote on 14 Nov 2021 10:49
(No Subject)
To: 51833@debbugs.gnu.org

My concern was a malicious user caching a malicious derivation trying to force the root user to invoke it to unleash the payload, but that is not possible due to the use of GPG with the guix repo to prevent injection of a malicious DNS server through DHCP.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.
Tobias Geerinckx-Rice wrote on 14 Nov 2021 12:50
Not a security nor a bug
To: GNU bug tracker automated control server <control@debbugs.gnu.org>
close 51833