[PATCH] restrict access to daemon-socket in tests

  • Open
  • quality assurance status badge
Details
One participant
  • Reepca Russelstein
Owner
unassigned
Submitted by
Reepca Russelstein
Severity
normal
R
R
Reepca Russelstein wrote 42 hours ago
(address . guix-patches@gnu.org)
87h696jrkc.fsf@russelstein.xyz
In guix-daemons run with --disable-chroot, only trusted users should be
allowed access to the daemon socket, because anyone with access to the
daemon socket in this situation can take control over the build user (or
if there are no build users, the daemon user) by making a builder put a
setuid binary in /tmp.

As I would like to strongly encourage the regular running of 'make
check', it would therefore be good to limit access to the
test-environment daemon's socket. The attached patch does this by
modifying test-env so that it ensures strict permissions on
$GUIX_STATE_DIRECTORY/daemon-socket.

- reepca
From 2e74d48f103e8561f8099b474faa413483aa6613 Mon Sep 17 00:00:00 2001
Message-ID: <2e74d48f103e8561f8099b474faa413483aa6613.1729465925.git.reepca@russelstein.xyz>
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Sat, 19 Oct 2024 20:48:29 -0500
Subject: [PATCH] build-aux: test-env.in: restrict access to daemon-socket in
tests.

With the weak isolation available to the test daemon, it is essential to
disallow untrusted access to it, as otherwise another local user can gain our
user's credentials easily.

* build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
with 0700 permissions.

Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670
---
build-aux/test-env.in | 5 +++++
1 file changed, 5 insertions(+)

Toggle diff (19 lines)
diff --git a/build-aux/test-env.in b/build-aux/test-env.in
index ca786437e9..9caa29da58 100644
--- a/build-aux/test-env.in
+++ b/build-aux/test-env.in
@@ -97,7 +97,12 @@ then
GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES \
GUIX_CONFIGURATION_DIRECTORY XDG_CACHE_HOME
+ # Create a fresh directory with restrictive permissions so that our test
+ # daemon's weak isolation can't be exploited by other users
+ rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket"
+ mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket"
+
# Launch the daemon without chroot support because is may be
# unavailable, for instance if we're not running as root.
"@abs_top_builddir@/pre-inst-env" \

--
2.45.2
-----BEGIN PGP SIGNATURE-----

iQFLBAEBCAA1FiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAmcVjrQXHHJlZXBjYUBy
dXNzZWxzdGVpbi54eXoACgkQwWaqSV9/GJwY8Af+O8kPoQ6YsxG5dn7+5PPmnrpX
FtewbMVFZR7/AoT70ie6hgNo39m6HIsDgvkui3e/skAWrcZynu88ujYRJTi41AGU
Z2UuZr3xvKH1bFifsU320UbVeRpcDh5CqsCUz7zB21SXWxRstjcxQpM5G+D9SEsH
zCmfwoQ3TEeHvq76aqXb6FBkyLfMi1OSGO5t4LLCUlDoqsRuio6rwAuKc6sc37QP
5sbIhmmSfUqFYfkEYEOmGHYsVdGBzJqIbpmlk1UoEN+SZE10AtiDArLIAy7IiHEq
+vpHXP3UFlU+2qBYGz01yJgOq8K0JBiM61Jb5qrzbBpTgIVdVOFIqHxxCtys/g==
=BEI0
-----END PGP SIGNATURE-----

?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 73924@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 73924
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch