Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)

Done
Submitted by Ludovic Courtès.
Details
6 participants
  • Bengt Richter
  • Julien Lepiller
  • Ludovic Courtès
  • Maxim Cournoyer
  • Tobias Geerinckx-Rice
  • pelzflorian (Florian Pelz)
Owner
unassigned
Severity
important
Ludovic Courtès wrote on 14 Oct 2019 09:47
Per-user profile directory hijack (CVE-2019-17365 for Nix)
(address . bug-guix@gnu.org)
87o8yjsr8o.fsf@gnu.org
Hello Guix,
That the per-user profile directory is world-writable allows an attacker to hijack code run by other users, as has been reported in the context of Nix:
https://www.openwall.com/lists/oss-security/2019/10/09/4
I believe it applies to Guix as well.
Nix people are tracking it here:
https://github.com/NixOS/nix/pull/3134
https://github.com/NixOS/nix/issues/509
Looks like we’ll need to do something similar to: https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d.
Thoughts?
Thanks,
Ludo’.
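A way to check a host for the conditions this report describes, as an added example (not Guix code and not part of the report): it walks `profiles/per-user`, flags a world-writable parent, and flags any `per-user/NAME` entry, or symlink inside it, that is not owned by the account NAME. The default path and the use of the passwd database are assumptions of the example; the account lookup is a parameter so the checks can be exercised on a scratch tree.

```python
"""Audit a profiles/per-user tree for the conditions behind this bug.

Added example, not Guix code.  Run it as root on a multi-user host; it
only reads metadata and prints one line per finding.
"""

import os
import pwd
import stat
import sys
from typing import Callable, List, Optional

# Account lookup is a parameter so the checks can be run on a scratch
# tree; the default (an assumption of this example) is the system
# passwd database.
NameToUid = Callable[[str], Optional[int]]


def system_name_to_uid(name: str) -> Optional[int]:
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_per_user(per_user: str = "/var/guix/profiles/per-user",
                   name_to_uid: NameToUid = system_name_to_uid) -> List[str]:
    """Return a list of findings; an empty list means the tree looks sane.

    1. PER_USER must be a directory and must not be world-writable: the
       daemon used to create it 1777, which is what made the hijack possible.
    2. Each entry PER_USER/NAME must be a real directory (not a symlink)
       and must be owned by the account NAME, which must exist.
    3. Every symlink inside PER_USER/NAME (guix-profile and the numbered
       generation links) must be owned by that account too: a guix-profile
       link planted by someone else is exactly the payload of this bug.
    """
    findings: List[str] = []
    try:
        top = os.lstat(per_user)
    except FileNotFoundError:
        return [f"missing: {per_user}"]
    if not stat.S_ISDIR(top.st_mode):
        return [f"not a directory: {per_user}"]
    if top.st_mode & stat.S_IWOTH:
        findings.append(f"world-writable: {per_user} "
                        f"(mode {stat.S_IMODE(top.st_mode):o})")

    for name in sorted(os.listdir(per_user)):
        path = os.path.join(per_user, name)
        st = os.lstat(path)           # lstat: a symlink here is itself suspect
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"not a directory: {path}")
            continue
        uid = name_to_uid(name)
        if uid is None:
            findings.append(f"no such account: {path}")
            continue
        if st.st_uid != uid:
            findings.append(f"owner mismatch: {path} owned by uid {st.st_uid}, "
                            f"expected {uid}")
        for entry in sorted(os.listdir(path)):
            link = os.path.join(path, entry)
            lst = os.lstat(link)
            if stat.S_ISLNK(lst.st_mode) and lst.st_uid != uid:
                findings.append(f"foreign symlink: {link} owned by uid {lst.st_uid}")
    return findings


if __name__ == "__main__":
    problems = audit_per_user(*sys.argv[1:2])
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it as root after updating the daemon (`python3 audit_per_user.py /var/guix/profiles/per-user`). A non-empty report on a multi-user host means that tightening the mode of `per-user` is not enough by itself: entries created while it was world-writable have to be removed by hand before the affected user's `~/.guix-profile` can be trusted again.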
Ludovic Courtès wrote on 14 Oct 2019 09:54
control message for bug #37744
(address . control@debbugs.gnu.org)
87mue3sqxt.fsf@gnu.org
tags 37744 + security
quit
Ludovic Courtès wrote on 14 Oct 2019 09:54
(address . control@debbugs.gnu.org)
87lftnsqxh.fsf@gnu.org
severity 37744 important
quit
Ludovic Courtès wrote on 14 Oct 2019 09:58
Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
(address . 37744@debbugs.gnu.org)
87blujsqq0.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> wrote:
> Looks like we’ll need to do something similar to:
> <https://github.com/NixOS/nix/pull/3136/commits/5a303093dcae1e5ce9212616ef18f2ca51020b0d>.
Compared to the Nix build daemon, our daemon can accept connections over TCP in addition to Unix-domain sockets, so the bit that does:
store->createUser(userName, userId);
won’t work in that context (it would create ‘per-user/root’.)
I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of the client for clients connecting over TCP. Or we’d need to add a challenge mechanism or authentication.
Thoughts?
Ludo’.
Tobias Geerinckx-Rice wrote on 14 Oct 2019 13:53
(name . Ludovic Courtès)(address . ludo@gnu.org)
87y2xno85o.fsf@nckx
Ludo',
Thanks for your report :-p
The 1777 is obviously very bad, no question. However: question:
Ludovic Courtès wrote:
> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
> the client for clients connecting over TCP. Or we’d need to add a
> challenge mechanism or authentication.
I need more cluebat please: say I'm an attacker and connect to your daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’.
Assuming the daemon creates it with sane permissions (say 0755) & without any race conditions, what's my evil plan now?
Kind regards,
T G-R
Maxim Cournoyer wrote on 14 Oct 2019 18:37
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87sgnvp9k2.fsf@gmail.com
Hello,
Tobias Geerinckx-Rice <me@tobias.gr> writes:
> Ludo',
>
> Thanks for your report :-p
>
> The 1777 is obviously very bad, no question. However: question:
>
> Ludovic Courtès wrote:
>> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
>> the client for clients connecting over TCP. Or we’d need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> ‘per-user/ludo’.
>
> Assuming the daemon creates it with sane permissions (say 0755) &
> without any race conditions, what's my evil plan now?
>
> Kind regards,
>
> T G-R
It's not yet clear to me how an actual attack would work, but IIUC when connecting over TCP there's no 'trusted' way to verify the user is actually the user it says they are; so they could impersonate at will (and make use of another user's local directory, perhaps arranging to write something nasty in there).
Is my understanding correct?
Maxim
Ludovic Courtès wrote on 15 Oct 2019 14:34
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87d0eyuqzd.fsf@gnu.org
Hi!
Tobias Geerinckx-Rice <me@tobias.gr> wrote:
> The 1777 is obviously very bad, no question. However: question:
>
> Ludovic Courtès wrote:
>> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of
>> the client for clients connecting over TCP. Or we’d need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> ‘per-user/ludo’.
You wouldn’t be able to do that, because over TCP the daemon can’t tell what user you are.
Note that TCP has to be explicitly enabled through ‘guix-daemon --listen=0.0.0.0’. It’s meant for cluster setups where you have one head node that clients connect to from remote nodes.
I suppose we won’t be able to address the problem in this particular setup, unless we had some authentication mechanism like I wrote above (it could be a challenge like the MIT-MAGIC-COOKIE.)
Ludo’.
Tobias Geerinckx-Rice wrote on 15 Oct 2019 16:31
(name . Ludovic Courtès)(address . ludo@gnu.org)
87mue2nkrj.fsf@nckx
Ludo',
Thanks for your answer.
Ludovic Courtès wrote:
>> I need more cluebat please: say I'm an attacker and connect to your
>> daemon (over TCP, why not), asking it to create an empty
>> ‘per-user/ludo’.
>
> You wouldn’t be able to do that, because over TCP the daemon
> can’t tell what user you are.
No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.
Of course the remote daemon doesn't trust me beyond pre-creating an empty per-user directory owned by the local "ludo" user only if such a user exists. It doesn't even report success or failure to avoid leaking valid user names.
You already trust the network not to DoS you with webkitgtks, how does this new step decrease security?
Sure, it bumps the protocol version; I'm aware of that.
> It’s meant for cluster setups where you have one
> head node that clients connect to from remote nodes.
And likely some kind of centralised user management so it's not unreasonable to handle this differently/manually.
Kind regards,
T G-R
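The daemon-side logic Tobias sketches above, as an added example in Python (a model, not the C++ of guix-daemon and not the patch that followed in this thread): the daemon creates `per-user/NAME` itself with mode 0755, derives NAME from the peer uid when the client came in over a Unix socket, and over TCP honours a client-supplied name only when that account exists, replying to the client the same way in either case. The refusal to adopt an existing entry owned by someone else is an additional check of this example, not something the thread proposes; the passwd lookups are parameters so it runs against a scratch directory with a constructed account table.

```python
"""Model of the daemon-side profile directory creation discussed above.

Added example in Python, not the C++ of guix-daemon: the daemon creates
profiles/per-user/NAME itself with mode 0755.  Over a Unix socket it takes
the uid from the peer credentials; over TCP it accepts a client-supplied
"user-name", but only for an account that exists, and it answers the client
the same way whether or not the account exists.
"""

import os
import pwd
import stat
from typing import Callable, Dict, Optional, Tuple

# The passwd lookups are parameters so the example runs against a scratch
# directory and a constructed account table; the defaults use the system
# database (an assumption of this example).
NameToUid = Callable[[str], Optional[int]]
UidToName = Callable[[int], Optional[str]]


def system_name_to_uid(name: str) -> Optional[int]:
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def system_uid_to_name(uid: int) -> Optional[str]:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def create_user_dir(per_user: str, name: str, uid: int) -> str:
    """Create PER_USER/NAME, mode 0755, owned by UID.

    Returns "created", "exists" (already there and owned by UID) or
    "foreign" (already there but not a directory owned by UID).  The
    foreign case is an extra check of this example, not something the
    thread proposes: an entry planted while the parent was world-writable
    is left untouched instead of being chown'd to its victim.
    """
    # NAME becomes a path component: accept plain account names only.
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"invalid user name {name!r}")
    path = os.path.join(per_user, name)
    try:
        os.mkdir(path, 0o755)
    except FileExistsError:
        st = os.lstat(path)                 # lstat: a symlink is foreign too
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
            return "foreign"
        os.chmod(path, 0o755)
        return "exists"
    os.chmod(path, 0o755)                   # mkdir's mode is masked by umask
    os.chown(path, uid, -1)                 # -1: leave the group alone
    return "created"


def on_connection(per_user: str, peer_uid: Optional[int],
                  uid_to_name: UidToName = system_uid_to_name) -> Optional[str]:
    """Unix-socket case: PEER_UID comes from the socket's peer credentials
    (SO_PEERCRED on Linux), so the daemon derives the name itself.  Returns
    the create_user_dir status, or None when nothing was done (TCP peer, or
    a uid without an account)."""
    if peer_uid is None:
        return None
    name = uid_to_name(peer_uid)
    if name is None:
        return None
    return create_user_dir(per_user, name, peer_uid)


def on_set_options(per_user: str, peer_uid: Optional[int],
                   options: Dict[str, str],
                   name_to_uid: NameToUid = system_name_to_uid) -> Tuple[str, str]:
    """TCP case: honour a client-supplied "user-name" only when the peer uid
    is unknown.  Returns (reply_to_client, server_log_line); the reply is
    identical in every branch, so the option cannot be used to find out which
    account names exist."""
    reply = "ok"
    claimed = options.get("user-name")
    if claimed is None:
        return reply, "no user-name option"
    if peer_uid is not None:
        return reply, f"user-name {claimed!r} ignored: peer uid {peer_uid} is known"
    uid = name_to_uid(claimed)
    if uid is None:
        return reply, f"user name {claimed!r} not found"
    try:
        status = create_user_dir(per_user, claimed, uid)
    except (ValueError, OSError) as exc:
        return reply, f"could not create profile for {claimed!r}: {exc}"
    return reply, f"{status}: {os.path.join(per_user, claimed)}"
```

The point of splitting the return value into a client reply and a server-side log line is the property Tobias asks for: everything that distinguishes "account exists" from "account does not exist" stays on the daemon side, and the worst an unauthenticated TCP client can do is cause an empty, correctly owned directory to appear for an account that already exists.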
Ludovic Courtès wrote on 16 Oct 2019 08:57
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
8736fttby6.fsf@gnu.org
Hi Tobias,
Tobias Geerinckx-Rice <me@tobias.gr> wrote:
> No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.
>
> Of course the remote daemon doesn't trust me beyond pre-creating an
> empty per-user directory owned by the local "ludo" user only if such a
> user exists. It doesn't even report success or failure to avoid
> leaking valid user names.
Ah you’re right, the worst that can happen is that an empty directory is created for someone else. Sounds like a plan.
Ludo’.
Ludovic Courtès wrote on 16 Oct 2019 12:22
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87tv89rnva.fsf@gnu.org
Hello!
Here’s a patch that fixes the issue, partly based on what the Nix folks did.
For the client-connecting-over-TCP case, I added special handling: ‘set-build-options’ now passes a “user-name” property, potentially allowing to create ‘per-user/$USER’ at that point (like you suggested, Tobias.)
In a cluster setup, it means that the machine that runs ‘guix-daemon’ must see the same users as the machines where its clients run, but that’s basically already what we expect: https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/.
There’s one case that won’t be correctly handled: in a cluster setup, an old client talking to a new daemon won’t provide info to create ‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create the user’s profile if it doesn’t already exist. I think that’s hard to avoid though.
Thoughts?
Thanks,
Ludo’.
From 7c43fdeb2f9283d86d849007e8fbc138ca2912c4 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Wed, 16 Oct 2019 11:51:42 +0200
Subject: [PATCH 1/2] daemon: Make 'profiles/per-user' non-world-writable.

Fixes https://bugs.gnu.org/37744.
Reported at https://www.openwall.com/lists/oss-security/2019/10/09/4.

Based on Nix commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d
by Eelco Dolstra <edolstra@gmail.com>.

* nix/libstore/local-store.cc (LocalStore::LocalStore): Set 'perUserDir'
to #o755 instead of #o1777.
(LocalStore::createUser): New function.
* nix/libstore/local-store.hh (LocalStore): Add it.
* nix/libstore/store-api.hh (StoreAPI): Add it.
* nix/nix-daemon/nix-daemon.cc (performOp): In 'wopSetOptions', add
condition to handle "user-name" property and honor it.
(processConnection): Add 'userId' parameter. Call 'store->createUser'
when userId is not -1.
* guix/profiles.scm (ensure-profile-directory): Note that this is now
handled by the daemon.
* guix/store.scm (current-user-name): New procedure.
(set-build-options): Add #:user-name parameter and pass it to the daemon.
* tests/guix-daemon.sh: Test the creation of 'profiles/per-user' when
listening on a TCP socket.
* tests/store.scm ("profiles/per-user exists and is not writable")
("profiles/per-user/$USER exists"): New tests.
---
 guix/profiles.scm            |  3 ++-
 guix/store.scm               | 12 ++++++++++++
 nix/libstore/local-store.cc  | 17 +++++++++++++++--
 nix/libstore/local-store.hh  |  2 ++
 nix/libstore/store-api.hh    |  4 ++++
 nix/nix-daemon/nix-daemon.cc | 24 ++++++++++++++++++++++--
 tests/guix-daemon.sh         | 21 +++++++++++++++++++++
 tests/store.scm              | 13 ++++++++++++-
 8 files changed, 90 insertions(+), 6 deletions(-)
Toggle diff (233 lines)diff --git a/guix/profiles.scm b/guix/profiles.scmindex f5c863945c..cd3b21e390 100644--- a/guix/profiles.scm+++ b/guix/profiles.scm@@ -1732,7 +1732,8 @@ because the NUMBER is zero.)" (string-append %profile-directory "/guix-profile")) (define (ensure-profile-directory)- "Attempt to create /…/profiles/per-user/$USER if needed."+ "Attempt to create /…/profiles/per-user/$USER if needed. Nowadays this is+taken care of by the daemon." (let ((s (stat %profile-directory #f))) (unless (and s (eq? 'directory (stat:type s))) (catch 'system-errordiff --git a/guix/store.scm b/guix/store.scmindex d7c603898c..382aad29d9 100644--- a/guix/store.scm+++ b/guix/store.scm@@ -748,6 +748,14 @@ encoding conversion errors." (cut string-append "http://" <>)) '("ci.guix.gnu.org"))) +(define (current-user-name)+ "Return the name of the calling user."+ (catch #t+ (lambda ()+ (passwd:name (getpwuid (getuid))))+ (lambda _+ (getenv "USER"))))+ (define* (set-build-options server #:key keep-failed? keep-going? fallback? (verbosity 0)@@ -759,6 +767,7 @@ encoding conversion errors." (build-verbosity 0) (log-type 0) (print-build-trace #t)+ (user-name (current-user-name)) ;; When true, provide machine-readable "build ;; traces" for use by (guix status). Old clients@@ -849,6 +858,9 @@ encoding conversion errors." `(("build-repeat" . ,(number->string (max 0 (1- rounds))))) '())+ ,@(if user-name+ `(("user-name" . ,user-name))+ '()) ,@(if terminal-columns `(("terminal-columns" . 
,(number->string terminal-columns)))diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.ccindex 3b08492c64..3793382361 100644--- a/nix/libstore/local-store.cc+++ b/nix/libstore/local-store.cc@@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace) Path perUserDir = profilesDir + "/per-user"; createDirs(perUserDir);- if (chmod(perUserDir.c_str(), 01777) == -1)- throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);+ if (chmod(perUserDir.c_str(), 0755) == -1)+ throw SysError(format("could not set permissions on '%1%' to 755")+ % perUserDir); mode_t perm = 01775; @@ -1642,4 +1643,16 @@ void LocalStore::vacuumDB() } +void LocalStore::createUser(const std::string & userName, uid_t userId)+{+ auto dir = settings.nixStateDir + "/profiles/per-user/" + userName;++ createDirs(dir);+ if (chmod(dir.c_str(), 0755) == -1)+ throw SysError(format("changing permissions of directory '%s'") % dir);+ if (chown(dir.c_str(), userId, -1) == -1)+ throw SysError(format("changing owner of directory '%s'") % dir);+}++ }diff --git a/nix/libstore/local-store.hh b/nix/libstore/local-store.hhindex 4113fafcb5..2e48cf03e6 100644--- a/nix/libstore/local-store.hh+++ b/nix/libstore/local-store.hh@@ -180,6 +180,8 @@ public: void setSubstituterEnv(); + void createUser(const std::string & userName, uid_t userId);+ private: Path schemaPath;diff --git a/nix/libstore/store-api.hh b/nix/libstore/store-api.hhindex 2d9dcbd573..7d2ad2270d 100644--- a/nix/libstore/store-api.hh+++ b/nix/libstore/store-api.hh@@ -289,6 +289,10 @@ public: /* Check the integrity of the Nix store. Returns true if errors remain. */ virtual bool verifyStore(bool checkContents, bool repair) = 0;++ /* Create a profile for the given user. This is done by the daemon+ because the 'profiles/per-user' directory is not writable by users. */+ virtual void createUser(const std::string & userName, uid_t userId) = 0; }; 
diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.ccindex 1163a249d1..3dd156ba77 100644--- a/nix/nix-daemon/nix-daemon.cc+++ b/nix/nix-daemon/nix-daemon.cc@@ -613,6 +613,17 @@ static void performOp(bool trusted, unsigned int clientVersion, || name == "build-repeat" || name == "multiplexed-build-output") settings.set(name, value);+ else if (name == "user-name"+ && settings.clientUid == (uid_t) -1) {+ /* Create the user profile. This is necessary if+ clientUid = -1, for instance because the client+ connected over TCP. */+ struct passwd *pw = getpwnam(value.c_str());+ if (pw != NULL)+ store->createUser(value, pw->pw_uid);+ else+ printMsg(lvlInfo, format("user name %1% not found") % value);+ } else settings.set(trusted ? name : "untrusted-" + name, value); }@@ -731,7 +742,7 @@ static void performOp(bool trusted, unsigned int clientVersion, } -static void processConnection(bool trusted)+static void processConnection(bool trusted, uid_t userId) { canSendStderr = false; _writeToStderr = tunnelStderr;@@ -778,6 +789,15 @@ static void processConnection(bool trusted) /* Open the store. */ store = std::shared_ptr<StoreAPI>(new LocalStore(reserveSpace)); + if (userId != (uid_t) -1) {+ /* Create the user profile. */+ struct passwd *pw = getpwuid(userId);+ if (pw != NULL && pw->pw_name != NULL)+ store->createUser(pw->pw_name, userId);+ else+ printMsg(lvlInfo, format("user with UID %1% not found") % userId);+ }+ stopWork(); to.flush(); 
@@ -963,7 +983,7 @@ static void acceptConnection(int fdSocket) /* Handle the connection. */ from.fd = remote; to.fd = remote;- processConnection(trusted);+ processConnection(trusted, clientUid); exit(0); }, false, "unexpected build daemon error: ", true);diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.shindex 758f18cc36..b58500966b 100644--- a/tests/guix-daemon.sh+++ b/tests/guix-daemon.sh@@ -94,6 +94,27 @@ done kill "$daemon_pid" +# Make sure 'profiles/per-user' is created when connecting over TCP.++orig_GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY"+GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY-2"++guix-daemon --disable-chroot --listen="localhost:9877" &+daemon_pid=$!++GUIX_DAEMON_SOCKET="guix://localhost:9877"+export GUIX_DAEMON_SOCKET++test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user"++guix build guile-bootstrap -d++test -d "$GUIX_STATE_DIRECTORY/profiles/per-user/$USER"++kill "$daemon_pid"+unset GUIX_DAEMON_SOCKET+GUIX_STATE_DIRECTORY="$orig_GUIX_STATE_DIRECTORY"+ # Check the failed build cache. guix-daemon --no-substitutes --listen="$socket" --disable-chroot \diff --git a/tests/store.scm b/tests/store.scmindex 518750d26a..2b14a4af0a 100644--- a/tests/store.scm+++ b/tests/store.scm@@ -18,6 +18,7 @@ (define-module (test-store) #:use-module (guix tests)+ #:use-module (guix config) #:use-module (guix store) #:use-module (guix utils) #:use-module (guix monads)@@ -102,7 +103,17 @@ "/283gqy39v3g9dxjy26rynl0zls82fmcg-guile-2.0.7/bin/guile"))) (not (direct-store-path? (%store-prefix))))) -(test-skip (if %store 0 13))+(test-skip (if %store 0 15))++(test-equal "profiles/per-user exists and is not writable"+ #o755+ (stat:perms (stat (string-append %state-directory "/profiles/per-user"))))++(test-equal "profiles/per-user/$USER exists"+ (list (getuid) #o755)+ (let ((s (stat (string-append %state-directory "/profiles/per-user/"+ (passwd:name (getpwuid (getuid)))))))+ (list (stat:uid s) (stat:perms s)))) (test-equal "add-data-to-store" #vu8(1 2 3 4 5)-- 2.23.0
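Review bot: the updated docstring of ensure-profile-directory in guix/profiles.scm says this is "now taken care of by the daemon", but the body that creates the directory is left in place without saying why. If it is kept so that a client talking to a daemon that predates this change can still create its own profile directory, the docstring should say so explicitly, otherwise a later cleanup will remove the fallback and break that mixed-version case.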
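Review bot: `current-user-name` in guix/store.scm falls back to `$USER` when `getpwuid` fails, and the `(catch #t ...)` also swallows errors unrelated to a missing passwd entry; `set-build-options` then sends whatever string results as the "user-name" option. That is only safe because the daemon ignores the option when it knows the peer uid and re-validates it with getpwnam, so a one-line comment next to the `("user-name" . ,user-name)` entry saying the value is advisory and validated server-side would stop a future reader from treating it as an identity.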
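Review bot: the chmod of `perUserDir` to 0755 in `LocalStore::LocalStore` sits in the constructor branch that is only taken when the daemon runs as root with a build users group configured (the surrounding `if (getuid() == 0 && settings.buildUsersGroup != "")`, which Tobias quotes further down), so a root daemon started without `--build-users-group` keeps an existing 1777 directory. Tightening the mode whenever `getuid() == 0` would be safer. Note also that the chmod does not undo entries created while the directory was 1777; that needs an audit of `per-user/*` ownership after upgrading.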
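Review bot: `LocalStore::createUser` adopts whatever is already at `dir`: `createDirs` is a no-op on an existing directory, and if `dir` is a symlink planted while `per-user` was still 1777, the `chmod` and `chown` follow it. An `lstat` first, refusing and logging when the path exists but is not a directory owned by `userId`, would keep a directory populated before the fix from being silently handed to its victim. Also, `userName` is used as a path component and is validated only indirectly by `getpwnam`/`getpwuid` in the callers; a cheap check that it contains no '/' here would make the function safe to call from elsewhere.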
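Review bot: in the new "user-name" branch of `wopSetOptions`, `store->createUser` can throw a `SysError` (the `chmod`/`chown` in createUser failing, for instance when the daemon is not root and the looked-up uid is not its own); please check how that error is reported at this point of the option loop, since losing the connection over a non-fatal profile setup failure would be surprising, and a catch-and-log here would avoid it. Please also confirm that the `printMsg(lvlInfo, "user name %1% not found")` line only reaches the daemon's log and not the client, because the design agreed in this thread is that the daemon does not reveal whether the claimed account exists. Lastly, a daemon without this change receiving "user-name" from a new client will store it via the existing `settings.set(trusted ? name : "untrusted-" + name, value)` fallback; harmless, but worth a comment in guix/store.scm.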
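Review bot: the new `createUser` call in `processConnection` runs for every Unix-socket client during the initial handshake, and `chown` to `userId` only succeeds when the daemon is root or `userId` is its own uid. For a daemon running unprivileged (the setup without build users) and a client with a different uid, the resulting `SysError` aborts the connection instead of degrading to the old client-side behaviour; a warning rather than an error when `getuid() != 0` would avoid that.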
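Review bot: the TCP test in tests/guix-daemon.sh only checks that `profiles/per-user/$USER` exists, not the property this patch is about; asserting the mode of `per-user` (755) and that `$USER`'s directory is owned by `$USER` would turn it into a regression test for the actual bug. The hard-coded `localhost:9877` also makes the test fail when that port is busy or when two test runs overlap; taking the port from an environment variable with a default would help.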
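Review bot: the two new tests in tests/store.scm call `stat` without the `#f` second argument, so if `profiles/per-user` or the `$USER` directory is missing they abort with an uncaught `system-error` instead of a readable test failure; `(stat path #f)` compared against `#f`, as guix/profiles.scm already does in the first hunk, gives a clearer result. The second test also assumes the test daemon runs the new code: if the suite is pointed at a pre-existing daemon, the `#o755` permission test will fail.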
From 07126db581f1854a2235c271fcdaecfb36705d5c Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Wed, 16 Oct 2019 12:16:20 +0200
Subject: [PATCH 2/2] DRAFT news: Add entry for security issue with /var/guix/profiles/per-user.

DRAFT: Update commit before pushing.

* etc/news.scm: Add entry for security issue in multi-user setups.
---
 etc/news.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
Toggle diff (34 lines)diff --git a/etc/news.scm b/etc/news.scmindex e19dec38dd..afcf5fadaa 100644--- a/etc/news.scm+++ b/etc/news.scm@@ -9,6 +9,27 @@ (channel-news (version 0) + (entry (commit "FIXME")+ (title (en "Security issue with profiles in multi-user setups"))+ (body+ (en "The default user profile, @file{~/.guix-profile}, points to+@file{/var/guix/profiles/per-user/$USER}. Until now,+@file{/var/guix/profiles/per-user} was world-writable, allowing the+@command{guix} command to create the @code{$USER} sub-directory.++On a multi-user system, this allowed a malicious user to create and populate+that @code{$USER} sub-directory for another user that had not yet logged in.+Since @code{$USER} is in @code{$PATH}, the target user could end up running+attacker-provided code. See @uref{https://issues.guix.gnu.org/issue/37744}+for more information.++This is now fixed by letting @command{guix-daemon} create these directories on+behalf of users and removing the world-writable permissions on+@code{per-user}. On multi-user systems, we recommend updating the daemon now.+To do that, run @code{sudo guix pull} if you're on a foreign distro, or run+@code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix+System.")))+ (entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c") (title (en "GNU C Library upgraded") (de "GNU-C-Bibliothek aktualisiert")-- 2.23.0
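Review bot: on Guix System, "@code{sudo guix pull && sudo guix system reconfigure @dots{}}" updates the wrong thing: `sudo guix` runs the invoking user's `guix` (sudo leaves PATH unchanged), so it is the user's `guix pull`, without sudo, that brings in the fix, and `sudo guix pull` only updates root's profile. Two more points on the wording: "Since @code{$USER} is in @code{$PATH}" reads as if the user name were on PATH; it is the profile's `bin` directory below `per-user/$USER` that is, and it should say so. And the entry should tell readers to restart `guix-daemon` after updating, since the running daemon keeps the old code until it is restarted.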
Ludovic Courtès wrote on 16 Oct 2019 15:25
878spksty3.fsf@gnu.org
Hello!
In addition to the news entry that ‘guix pull’ will display, we may want to publicize the issue. In particular, should we:
1. Apply for a new CVE?
2. Post an article on the blog to explain in detail what happened? That should probably include an analysis like that at https://www.openwall.com/lists/oss-security/2019/10/09/4, given that Guix does things not entirely like Nix here.
3. Email that analysis to oss-security?
4. Push a new release?
I’m tempted to think that we should do 1 to 3, as quickly as we can. Help welcome, in particular on #2!
As for #4, I think we should push a new release soon anyway, but maybe not just specifically for this issue since it can be addressed simply by upgrading.
Thoughts?
Ludo’.
Tobias Geerinckx-Rice wrote on 16 Oct 2019 16:12
(name . Ludovic Courtès)(address . ludo@gnu.org)
87imoook2l.fsf@nckx
Ludo',
That was swift, thanks!
IANAC++.
Ludovic Courtès wrote:
Toggle quote (19 lines)> diff --git a/nix/libstore/local-store.cc > b/nix/libstore/local-store.cc> index 3b08492c64..3793382361 100644> --- a/nix/libstore/local-store.cc> +++ b/nix/libstore/local-store.cc> @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace)> > Path perUserDir = profilesDir + "/per-user";> createDirs(perUserDir);> - if (chmod(perUserDir.c_str(), 01777) == -1)> - throw SysError(format("could not set permissions on > '%1%' to 1777") % perUserDir);> + if (chmod(perUserDir.c_str(), 0755) == -1)> + throw SysError(format("could not set permissions on > '%1%' to 755")> + % perUserDir);> > mode_t perm = 01775;
This is inside
if (getuid() == 0 && settings.buildUsersGroup != "") { }
It's not clear to me why the second condition here is relevant, but I don't have the big picture. Nor do I suspect I want it.
Kind regards,
T G-R
-----BEGIN PGP SIGNATURE-----
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gjOy-----END PGP SIGNATURE-----
pelzflorian (Florian Pelz) wrote on 16 Oct 2019 16:22
(name . Ludovic Courtès)(address . ludo@gnu.org)
20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain
Thank you for ensuring security issues are fixed.
On Wed, Oct 16, 2019 at 12:22:33PM +0200, Ludovic Courtès wrote:
Toggle quote (7 lines)> +This is now fixed by letting @command{guix-daemon} create these directories on> +behalf of users and removing the world-writable permissions on> +@code{per-user}. On multi-user systems, we recommend updating the daemon now.> +To do that, run @code{sudo guix pull} if you're on a foreign distro, or run> +@code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix> +System.")))
Why sudo guix pull? It should be without sudo, am I wrong?
I will translate now and submit a patch.
Regards,
Florian
Tobias Geerinckx-Rice wrote on 16 Oct 2019 17:16
87ftjsoh40.fsf@nckx
pelzflorian,
pelzflorian (Florian Pelz) wrote:
> Why sudo guix pull? It should be without sudo, am I wrong?
Guix on ‘foreign’ distributions uses the root profile for the daemon by default (i.e. in guix-daemon.service).
You could change this to a regular user's profile, but that amounts to giving this user passwordless root access.
Kind regards,
T G-R
pelzflorian (Florian Pelz) wrote on 16 Oct 2019 17:19
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
20191016151922.5fanqbt6kiv4offx@pelzflorian.localdomain
On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote:
> pelzflorian (Florian Pelz) wrote:
>> Why sudo guix pull? It should be without sudo, am I wrong?
>
> Guix on ‘foreign’ distributions uses the root profile for the daemon by
> default (i.e. in guix-daemon.service).
>
Sorry for being imprecise. I meant on Guix System.
Regards,
Florian
Tobias Geerinckx-Rice wrote on 16 Oct 2019 17:23
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)
87eezcogtf.fsf@nckx
pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote:
>> blah blah blah
>
> Sorry for being imprecise. I meant on Guix System.
Sorry for misreading, you're right that it shouldn't be needed (or recommended IMO).
Kind regards,
T G-R
pelzflorian (Florian Pelz) wrote on 16 Oct 2019 17:37
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
20191016153756.xlnhk6axmg6tx35b@pelzflorian.localdomain
On Wed, Oct 16, 2019 at 04:22:21PM +0200, pelzflorian (Florian Pelz) wrote:
> Why sudo guix pull? It should be without sudo, am I wrong?
>
The attached patch adds a German translation. Please remove the last sudo from the de translation too if you agree that it is wrong.
Regards,
Florian
From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001
From: Florian Pelz <pelzflorian@pelzflorian.de>
Date: Wed, 16 Oct 2019 16:37:27 +0200
Subject: [PATCH] nls: Update 'de' translation of news entries.

* etc/news.scm: Add new 'de' translation.
---
 etc/news.scm | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
Toggle diff (45 lines)diff --git a/etc/news.scm b/etc/news.scmindex afcf5fadaa..27130092c6 100644--- a/etc/news.scm+++ b/etc/news.scm@@ -10,7 +10,8 @@ (version 0) (entry (commit "FIXME")- (title (en "Security issue with profiles in multi-user setups"))+ (title (en "Security issue with profiles in multi-user setups")+ (de "Sicherheitslücke bei Profilen in Mehrbenutzersystemen")) (body (en "The default user profile, @file{~/.guix-profile}, points to @file{/var/guix/profiles/per-user/$USER}. Until now,@@ -28,7 +29,27 @@ behalf of users and removing the world-writable permissions on @code{per-user}. On multi-user systems, we recommend updating the daemon now. To do that, run @code{sudo guix pull} if you're on a foreign distro, or run @code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix-System.")))+System.")+ (de "Das voreingestellte Benutzerprofil, @file{~/.guix-profile},+verweist auf @file{/var/guix/profiles/per-user/$USER}. Bisher hatte jeder+Benutzer Schreibzugriff auf @file{/var/guix/profiles/per-user}, wodurch der+@command{guix}-Befehl berechtigt war, das Unterverzeichnis @code{$USER}+anzulegen.++Wenn mehrere Benutzer dasselbe System benutzen, kann ein böswilliger Benutzer+so das Unterverzeichnis @code{$USER} und Dateien darin für einen anderen+Benutzer anlegen, wenn sich dieser noch nie angemeldet hat. Weil @code{$USER}+auch in @code{$PATH} aufgeführt ist, kann der betroffene Nutzer dazu gebracht+werden, vom Angreifer vorgegebenen Code auszuführen. Siehe+@uref{https://issues.guix.gnu.org/issue/37744} für weitere Informationen.++Der Fehler wurde nun behoben, indem @command{guix-daemon} diese Verzeichnisse+jetzt selbst anlegt statt das dem jeweiligen Benutzerkonto zu überlassen. Der+Schreibzugriff auf @code{per-user} wird den Benutzern entzogen. Auf einem+System mit mehreren Benutzern empfehlen wir, den Daemon jetzt zu+aktualisieren. 
Auf einer Fremddistribution führen Sie dazu @code{sudo guix+pull} aus; auf einem Guix-System führen Sie @code{sudo guix pull && sudo guix+system reconfigure …} aus."))) (entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c") (title (en "GNU C Library upgraded")-- 2.23.0
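Review bot: the German text inherits two points of the English draft that this thread questions: it still tells Guix System users to run `sudo guix pull` (which Florian's cover message asks to drop), and "Weil @code{$USER} auch in @code{$PATH} aufgeführt ist" says the user name is on PATH, where it is the profile's `bin` directory below `per-user/$USER`. When the English entry gets the note about restarting `guix-daemon`, the `de` string should follow, so both languages say the same thing.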
Julien Lepiller wrote on 16 Oct 2019 18:28
AA3C1975-800B-4D2E-A260-20E9DC95D0F0@lepiller.eu
On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" <ludo@gnu.org> wrote:
> Hello!
>
> Here’s a patch that fixes the issue, partly based on what the Nix folks
> did.
>
> For the client-connecting-over-TCP case, I added special handling:
> ‘set-build-options’ now passes a “user-name” property, potentially
> allowing to create ‘per-user/$USER’ at that point (like you suggested,
> Tobias.)
>
> In a cluster setup, it means that the machine that runs ‘guix-daemon’
> must see the same users as the machines where its clients run, but
> that’s basically already what we expect:
> <https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/>.
>
> There’s one case that won’t be correctly handled: in a cluster setup, an
> old client talking to a new daemon won’t provide info to create
> ‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create
> the user’s profile if it doesn’t already exist. I think that’s hard to
> avoid though.
>
> Thoughts?
>
> Thanks,
> Ludo’.
We could advise people to restart the service too, with e.g. systemctl restart guix-daemon
Ludovic Courtès wrote on 16 Oct 2019 19:05
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87ftjsk4d3.fsf@gnu.org
Hi!
Thanks for your feedback Tobias, Florian, and Julien!
Taking that into account, I propose this (I’ve also changed the title to make it hopefully clearer):
(entry (commit "FIXME")
       (title (en "Insecure @file{/var/guix/profiles/per-user} permissions"))
       (body
        (en "The default user profile, @file{~/.guix-profile}, points to
@file{/var/guix/profiles/per-user/$USER}. Until now,
@file{/var/guix/profiles/per-user} was world-writable, allowing the
@command{guix} command to create the @code{$USER} sub-directory.

On a multi-user system, this allowed a malicious user to create and populate
that @code{$USER} sub-directory for another user that had not yet logged in.
Since @code{/var/@dots{}/$USER} is in @code{$PATH}, the target user could end
up running attacker-provided code. See
@uref{https://issues.guix.gnu.org/issue/37744} for more information.

This is now fixed by letting @command{guix-daemon} create these directories on
behalf of users and removing the world-writable permissions on
@code{per-user}. On multi-user systems, we recommend updating the daemon now.
To do that, run @code{sudo guix pull} if you're on a foreign distro, or run
@code{guix pull && sudo guix system reconfigure @dots{}} on Guix System. In
both cases, make sure to restart the service afterwards, with @code{herd} or
@code{systemctl}.")))
If this is fine with you, I hereby request translation of this entry. :-)
I’ll commit the change within a few hours if there are no objections.
Ludo’.
Tobias Geerinckx-Rice wrote on 16 Oct 2019 21:50
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
87d0ewo4g1.fsf@nckx
Ludo',
Ludovic Courtès wrote:
> Taking that into account, I propose this (I’ve also changed the title to
> make it hopefully clearer):
Here's my NL translation:
(nl "Onveilige @file{/var/guix/profiles/per-user}-rechten"))

(nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst
naar @file{/var/guix/profiles/per-user/$USER}. Tot op heden kon om het even wie
in @file{/var/guix/profiles/per-user} schrijven, wat het @command{guix}-commando
toestond de @code{$USER} submap aan te maken.

Op systemen met meerdere gebruikers kon hierdoor een kwaadaardige gebruiker een
@code{$USER} submap met inhoud aanmaken voor een andere gebruiker die nog niet
was ingelogd. Omdat @code{/var/@dots{}/$USER} zich in @code{$PATH} bevindt,
kon het doelwit zo code uitvoeren die door de aanvaller zelf werd aangeleverd.
Zie @uref{https://issues.guix.gnu.org/issue/37744} voor meer informatie.

Dit probleem is nu verholpen: schrijven door iedereen in @code{per-user} is niet
meer toegestaan en @command{guix-daemon} maakt zelf submappen aan namens de
gebruiker. Op systemen met meerdere gebruikers raden we aan om
@code{guix-daemon} nu bij te werken. Op Guix System kan dit met
@code{guix pull && sudo guix system reconfigure @dots{}}, op andere distributies
met @code{sudo guix pull}. Herstart vervolgens in beide gevallen
@code{guix-daemon} met @code{herd} of @code{systemctl}.")
Kind regards,
T G-R
Tobias Geerinckx-Rice wrote on 16 Oct 2019 21:55
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
87blugo47z.fsf@nckx
Let's try that again:
(nl "Onveilige @file{/var/guix/profiles/per-user}-rechten"))

(nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst
naar @file{/var/guix/profiles/per-user/$USER}. Tot op heden kon om het even wie
in @file{/var/guix/profiles/per-user} schrijven, wat het @command{guix}-commando
toestond de @code{$USER} submap aan te maken.

Op systemen met meerdere gebruikers kon hierdoor een kwaadaardige gebruiker een
@code{$USER} submap met inhoud aanmaken voor een andere gebruiker die nog niet
was ingelogd. Omdat @code{/var/@dots{}/$USER} zich in @code{$PATH} bevindt,
kon het doelwit zo code uitvoeren die door de aanvaller zelf werd aangeleverd.
Zie @uref{https://issues.guix.gnu.org/issue/37744} voor meer informatie.

Dit probleem is nu verholpen: schrijven door iedereen in @code{per-user} is niet
meer toegestaan en @command{guix-daemon} maakt zelf submappen aan namens de
gebruiker. Op systemen met meerdere gebruikers raden we aan om
@code{guix-daemon} nu bij te werken. Op Guix System kan dit met
@code{guix pull && sudo guix system reconfigure @dots{}}, op andere distributies
met @code{sudo guix pull}. Herstart vervolgens in beide gevallen
@code{guix-daemon} met @code{herd} of @code{systemctl}.")
Julien Lepiller wrote on 16 Oct 2019 21:58
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
20191016215839.73c32b64@sybil.lepiller.eu
On Wed, 16 Oct 2019 19:05:44 +0200, Ludovic Courtès <ludo@gnu.org> wrote:
> Hi!
>
> Thanks for your feedback Tobias, Florian, and Julien!
>
> Taking that into account, I propose this (I’ve also changed the title
> to make it hopefully clearer):
>
> --8<---------------cut here---------------start------------->8---
> (entry (commit "FIXME")
> (title (en "Insecure @file{/var/guix/profiles/per-user} permissions"))
> (body
> (en "The default user profile, @file{~/.guix-profile},
> points to @file{/var/guix/profiles/per-user/$USER}. Until now,
> @file{/var/guix/profiles/per-user} was world-writable, allowing the
> @command{guix} command to create the @code{$USER} sub-directory.
>
> On a multi-user system, this allowed a malicious user to create and
> populate that @code{$USER} sub-directory for another user that had
> not yet logged in. Since @code{/var/@dots{}/$USER} is in
> @code{$PATH}, the target user could end up running attacker-provided
> code. See @uref{https://issues.guix.gnu.org/issue/37744} for more
> information.
>
> This is now fixed by letting @command{guix-daemon} create these
> directories on behalf of users and removing the world-writable
> permissions on @code{per-user}. On multi-user systems, we recommend
> updating the daemon now. To do that, run @code{sudo guix pull} if
> you're on a foreign distro, or run @code{guix pull && sudo guix
> system reconfigure @dots{}} on Guix System. In both cases, make sure
> to restart the service afterwards, with @code{herd} or
> @code{systemctl}.")))
> --8<---------------cut here---------------end--------------->8---
For the French (feel free to rework the text if you find anything to object to :)):
title: Lax permissions for @file{/var/guix/profiles/per-user}
body: The default user profile, @file{~/.guix-profile}, points to @file{/var/guix/profiles/per-user/$USER}. Until now, @file{/var/guix/profiles/per-user} was writable by everyone, which allowed the @command{guix} command to create the @code{$USER} sub-directory.
On a multi-user system, this allows a malicious user to create and populate the @code{USER} sub-directory for any user who has never logged in. Since @code{/var/@dots{}/$USER} is part of @code{$PATH}, the targeted user could run programs provided by the attacker. See @uref{https://issues.guix.gnu.org/issue/37744} for more details.
This is now fixed by leaving it to @command{guix-daemon} to create these directories on behalf of users and by removing write permission for everyone on @code{per-user}. We recommend that you update the daemon immediately. To do so, run @code{sudo guix pull} if you are on a foreign distro, or @code{guix pull && sudo guix system reconfigure @dots{}} on Guix System. In all cases, make sure to restart the service afterwards with @code{herd} or @code{systemctl}.
> If this is fine with you, I hereby request translation of this entry.
> :-)
>
> I’ll commit the change within a few hours if there are no objections.
>
> Ludo’.
Ludovic Courtès wrote on 16 Oct 2019 22:01
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)
87a7a0jw7y.fsf@gnu.org
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> Ludovic Courtès 写道:
>> diff --git a/nix/libstore/local-store.cc
>> b/nix/libstore/local-store.cc
>> index 3b08492c64..3793382361 100644
>> --- a/nix/libstore/local-store.cc
>> +++ b/nix/libstore/local-store.cc
>> @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace)
>> Path perUserDir = profilesDir + "/per-user";
>> createDirs(perUserDir);
>> - if (chmod(perUserDir.c_str(), 01777) == -1)
>> - throw SysError(format("could not set permissions on
>> '%1%' to 1777") % perUserDir);
>> + if (chmod(perUserDir.c_str(), 0755) == -1)
>> + throw SysError(format("could not set permissions on
>> '%1%' to 755")
>> + % perUserDir);
>> mode_t perm = 01775;
>
> This is inside
>
> if (getuid() == 0 && settings.buildUsersGroup != "") {
> …
> }
>
> It's not clear to me why the second condition here is relevant, but I
> don't have the big picture. Nor do I suspect I want it.
Yeah ‘settings.buildUsersGroup != ""’ probably doesn’t make all that much sense here but it was already there and we strongly discourage against root without ‘--build-users-group’ anyway.
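Review bot: the new `chmod(perUserDir.c_str(), 0755)` only executes inside `if (getuid() == 0 && settings.buildUsersGroup != "")`, so a daemon running as root without `--build-users-group` never tightens a `per-user` directory that an earlier version left at 1777; the build-users group has no bearing on who owns this directory, so consider applying the chmod whenever the daemon runs as root. Note also that the hunk only changes the mode of the parent directory and keeps the following `mode_t perm = 01775;` path as it was, so `$USER` sub-directories that already exist keep their current owner; the upgrade notes should ask administrators to verify that each existing sub-directory is owned by the user it is named after.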
Thanks for having lynx eyes! :-)
Ludo’.
Ludovic Courtès wrote on 16 Oct 2019 22:28
(address . 37744@debbugs.gnu.org)(address . guix-security@gnu.org)
875zkojuzi.fsf@gnu.org
Ludovic Courtès <ludo@gnu.org> skribis:
> In addition to the news entry that ‘guix pull’ will display, we may want
> to publicize the issue. In particular, should we:
>
> 1. Apply for a new CVE?
I went ahead and asked for a CVE ID via https://cveform.mitre.org/.
Ludo’.
Ludovic Courtès wrote on 16 Oct 2019 23:38
(name . Julien Lepiller)(address . julien@lepiller.eu)(address . 37744@debbugs.gnu.org)
871rvcid6o.fsf@gnu.org
Julien Lepiller <julien@lepiller.eu> skribis:
> For the French (feel free to rework the text if you find anything to
> object to :)):
Pushed on your behalf, merci ! :-)
Ludo'.
Ludovic Courtès wrote on 16 Oct 2019 23:39
(name . pelzflorian (Florian Pelz))(address . pelzflorian@pelzflorian.de)(address . 37744@debbugs.gnu.org)
87wod4gyjq.fsf@gnu.org
Hi Florian,
"pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> skribis:
>>From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001
> From: Florian Pelz <pelzflorian@pelzflorian.de>
> Date: Wed, 16 Oct 2019 16:37:27 +0200
> Subject: [PATCH] nls: Update 'de' translation of news entries.
>
> * etc/news.scm: Add new 'de' translation.
I committed this with minor changes (removed “sudo”, etc.), but the translation corresponds to the first version of the entry. Please feel free to commit changes directly to update it!
Thanks,
Ludo’.
Ludovic Courtès wrote on 16 Oct 2019 23:40
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 37744@debbugs.gnu.org)
87sgnsgyiw.fsf@gnu.org
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> Let's try that again:
Committed on your behalf, thanks! :-)
Ludovic Courtès wrote on 16 Oct 2019 23:41
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 37744-done@debbugs.gnu.org)
87o8yggyga.fsf@gnu.org
I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed by an update of the ‘guix’ package in e63b31443b29b7793e73ab04798220edc6e564fc.
Thanks everyone!
Ludo’.
Closed
pelzflorian (Florian Pelz) wrote on 17 Oct 2019 04:58
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
20191017025819.ptdeqtscgphvqyw7@pelzflorian.localdomain
On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote:
> I committed this with minor changes (removed “sudo”, etc.), but the
> translation corresponds to the first version of the entry. Please feel
> free to commit changes directly to update it!
>
Oh no, it seems my message did not get through. I should not have sent it off-list, how stupid of me.
----- Forwarded message from "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de> -----
Date: Wed, 16 Oct 2019 21:00:57 +0200
From: "pelzflorian (Florian Pelz)" <pelzflorian@pelzflorian.de>
To: Ludovic Courtès <ludo@gnu.org>
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
User-Agent: NeoMutt/20180716
(Off-list.)
On Wed, Oct 16, 2019 at 07:05:44PM +0200, Ludovic Courtès wrote:
> If this is fine with you, I hereby request translation of this entry.
> :-)

(title […] (de "Sicherheitslücke in @file{/var/guix/profiles/per-user}-Berechtigungen")
(body[…] (de "Das voreingestellte Benutzerprofil, @file{~/.guix-profile}, verweist auf @file{/var/guix/profiles/per-user/$USER}. Bisher hatte jeder Benutzer Schreibzugriff auf @file{/var/guix/profiles/per-user}, wodurch der @command{guix}-Befehl berechtigt war, das Unterverzeichnis @code{$USER} anzulegen.
Wenn mehrere Benutzer dasselbe System benutzen, kann ein böswilliger Benutzer so das Unterverzeichnis @code{$USER} und Dateien darin für einen anderen Benutzer anlegen, wenn sich dieser noch nie angemeldet hat. Weil @code{/var/…/$USER} auch in @code{$PATH} aufgeführt ist, kann der betroffene Nutzer dazu gebracht werden, vom Angreifer vorgegebenen Code auszuführen. Siehe @uref{https://issues.guix.gnu.org/issue/37744} für weitere Informationen.
Der Fehler wurde nun behoben, indem @command{guix-daemon} diese Verzeichnisse jetzt selbst anlegt statt das dem jeweiligen Benutzerkonto zu überlassen. Der Schreibzugriff auf @code{per-user} wird den Benutzern entzogen. Für Systeme mit mehreren Benutzern empfehlen wir, den Daemon jetzt zu aktualisieren. Auf einer Fremddistribution führen Sie dazu @code{sudo guix pull} aus; auf einem Guix-System führen Sie @code{guix pull && sudo guix system reconfigure …} aus. Achten Sie in beiden Fällen darauf, den Dienst mit @code{herd} oder @code{systemctl} neuzustarten.")

Thank you for your important work! :)
Regards,
Florian
----- End forwarded message -----
Regards,
Florian
pelzflorian (Florian Pelz) wrote on 17 Oct 2019 05:01
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 37744@debbugs.gnu.org)
20191017030157.rriyxhdkhhjvalyd@pelzflorian.localdomain
On Thu, Oct 17, 2019 at 04:58:19AM +0200, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote:
> > I committed this with minor changes (removed “sudo”, etc.), but the
> > translation corresponds to the first version of the entry. Please feel
> > free to commit changes directly to update it!
> >
>
> Oh no, it seems my message did not get through. I should not have
> sent it off-list, how stupid of me.
>
Will commit now.
Ludovic Courtès wrote on 17 Oct 2019 18:18
(address . 37744@debbugs.gnu.org)(address . guix-security@gnu.org)
87blufny52.fsf@gnu.org
Hi!
Ludovic Courtès <ludo@gnu.org> skribis:
> In addition to the news entry that ‘guix pull’ will display, we may want
> to publicize the issue. In particular, should we:
>
> 1. Apply for a new CVE?
>
> 2. Post an article on the blog to explain in detail what happened?
> That should probably include an analysis like that at
> <https://www.openwall.com/lists/oss-security/2019/10/09/4>, given
> that Guix does things not entirely like Nix here.
>
> 3. Email that analysis to oss-security?
>
> 4. Push a new release?
>
> I’m tempted to think that we should do 1 to 3, as quickly as we can.
> Help welcome, in particular on #2!
Attached is a draft based on ‘etc/news.scm’.
Let me know what you think!
Ludo’.
title: Insecure permissions on profile directory
date: 2019-10-05 14:30
author: Ludovic Courtès
tags: Security
---
We have become aware of a security issue for Guix on multi-user systems [that we have just fixed](https://issues.guix.gnu.org/issue/37744). Anyone running Guix on a multi-user system is encouraged to upgrade `guix-daemon`—see below for instructions.
# Context
The default user profile, `~/.guix-profile`, points to `/var/guix/profiles/per-user/$USER`. Until now, `/var/guix/profiles/per-user` was world-writable, allowing the `guix` command to create the `$USER` sub-directory.
On a multi-user system, this allowed a malicious user to create and populate that `$USER` sub-directory for another user that had not yet logged in. Since `/var/…/$USER` is in `$PATH`, the target user could end up running attacker-provided code. See https://issues.guix.gnu.org/issue/37744 for more information.
This issue was initially [reported by Michael Orlitzky for Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4) ([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=CVE-2019-17365)).
# Fix
The [fix](https://issues.guix.gnu.org/issue/37744) consists in letting `guix-daemon` create these directories on behalf of users and removing the world-writable permissions on `per-user`.
For [cluster setups](https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/) where clients connect to the daemon over TCP ([thanks to the `--listen` option of `guix-daemon`](https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html)), the fix _requires_ `guix-daemon` to be able to resolve user names so that it can create `/var/…/per-user/$USER` with the right ownership. Note also that the `guix` command prior to this fix would not communicate the user name it’s running under to the daemon, thereby preventing it from creating that directory on its behalf.
# Upgrading
On multi-user systems, we recommend upgrading the daemon now.
To upgrade the daemon on a “foreign distro”, run something along these lines:
```
sudo guix pull
sudo systemctl restart guix-daemon.service
```
On Guix System, run:
```
guix pull
sudo guix system reconfigure /etc/config.scm
sudo herd restart guix-daemon
```
Once you’ve run `guix build hello` or any other `guix` command, you should see that `/var/guix/profiles/per-user` is no longer world-writable:
```
$ ls -ld /var/guix/profiles/per-user
drwxr-xr-x 5 root root 4096 Jun 23 2017 /var/guix/profiles/per-user
```
Please report any issues you may have to [`guix-devel@gnu.org`](https://guix.gnu.org/contact/). See the [security web page](https://guix.gnu.org/security/) for information on how to report security issues.
#### About GNU Guix
[GNU Guix](https://www.gnu.org/software/guix) is a transactional package manager and an advanced distribution of the GNU system that [respects user freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html). Guix can be used on top of any system running the kernel Linux, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through [Guile](https://www.gnu.org/software/guile) programming interfaces and extensions to the [Scheme](http://schemers.org) language.
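The draft above ends with a single `ls -ld` as the post-upgrade check. As an added example written for this page (it is not code from the Guix project or from the blog post), the POSIX shell function below checks both properties the fix establishes: that `per-user` is no longer world-writable, and that every `$USER` sub-directory is owned by the user whose name it carries, which is exactly the property a directory planted before the upgrade would fail. It assumes GNU coreutils (`stat -c`); the directory argument defaults to `/var/guix/profiles/per-user` but can point at any tree, which is how the constructed test below exercises it.

```shell
#!/bin/sh
# Added example (not from the Guix project or this thread): verify that a
# per-user profile directory has the post-fix layout.  Assumes GNU
# coreutils for `stat -c`.

# Return 0 when DIR is not world-writable and every sub-directory is owned
# by the user whose name it carries; report each problem on stderr and
# return 1 otherwise.  DIR defaults to the path guix-daemon manages.
check_per_user_dir() {
    dir=${1:-/var/guix/profiles/per-user}
    status=0

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi

    # Octal mode of the parent: the pre-fix value was 1777 (sticky and
    # world-writable), the fixed value is 755.  The last octal digit is the
    # "other" class; any of 2, 3, 6 or 7 there means world-writable.
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *[2367])
            echo "$dir: mode $mode is world-writable" >&2
            status=1
            ;;
    esac

    # Each entry must be named after its owner.  A sub-directory whose
    # owner differs from its name is what a hijack leaves behind, and the
    # parent's new mode does nothing about entries that already exist.
    for sub in "$dir"/*; do
        [ -e "$sub" ] || continue      # empty directory: glob is literal
        name=${sub##*/}
        owner=$(stat -c '%U' "$sub")
        if [ "$owner" != "$name" ]; then
            echo "$sub: owned by '$owner', expected '$name'" >&2
            status=1
        fi
    done
    return $status
}
```

Run it as `check_per_user_dir` with no argument on an upgraded host; a zero exit status means the parent is closed and every existing profile directory belongs to its namesake. Because the mode check and the ownership check are independent, a host that upgraded the daemon but still carries a mis-owned sub-directory is reported, which the single `ls -ld` in the draft would not show.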
Tobias Geerinckx-Rice wrote on 17 Oct 2019 21:01
(address . 37744@debbugs.gnu.org)
878spjnqlo.fsf@nckx
Ludo',
Ludovic Courtès 写道:
> See https://issues.guix.gnu.org/issue/37744
Will this be automatically linkified?
> This issue was initially [reported by Michael Orlitzky for
> Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4)
> ([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=CVE-2019-17365)).
>
> # Fix
>
> The [fix](https://issues.guix.gnu.org/issue/37744) consists in
> letting
From the Oxford Dictionaries:
1 (consist of) be composed or made up of
(consist in) have as an essential feature
TIL.
> # Upgrading
>
> On multi-user systems, we recommend upgrading the daemon now.
>
> To upgrade the daemon on a “foreign distro”, run something along
> these
Imperialist nitpick: why list the foreigners first? :-)
Anti-imperialist nitpick: reversing the two allows using ‘other distributions’ instead of ‘foreign’ which always sounds a bit dismissive to my ears.
End nitpick.
Thank you for taking care of this from start to finish,
T G-R
Ludovic Courtès wrote on 17 Oct 2019 22:25
(name . Tobias Geerinckx-Rice)(address . me@tobias.gr)(address . 37744@debbugs.gnu.org)
87k193ktk9.fsf@gnu.org
Hallo!
Tobias Geerinckx-Rice <me@tobias.gr> skribis:
> Ludovic Courtès 写道:
>> See https://issues.guix.gnu.org/issue/37744
>
> Will this be automatically linkified?
Yes, I think so.
>> # Upgrading
>>
>> On multi-user systems, we recommend upgrading the daemon now.
>>
>> To upgrade the daemon on a “foreign distro”, run something along
>> these
>
> Imperialist nitpick: why list the foreigners first? :-)
>
> Anti-imperialist nitpick: reversing the two allows using ‘other
> distributions’ instead of ‘foreign’ which always sounds a bit
> dismissive to my ears.
>
> End nitpick.
That makes sense to me; I’m not satisfied with “foreign” either (I think the inspiration came from FFIs, but still). Maybe “fellow distros”? :-)
I’ve received the CVE ID (CVE-2019-18192) just now so I’ve added it to the article and pushed it.
It should show up on line shortly.
Thank you for your feedback!
Ludo’.
Ludovic Courtès wrote on 17 Oct 2019 22:26
control message for bug #37744
(address . control@debbugs.gnu.org)
87imonktjo.fsf@gnu.org
retitle 37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)
quit
Bengt Richter wrote on 18 Oct 2019 04:21
Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
(name . Ludovic Courtès)(address . ludo@gnu.org)
20191018022128.GA1765@PhantoNv4ArchGx.localdomain
Hi Ludo, Tobias,
On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
> Hallo!
>
> Tobias Geerinckx-Rice <me@tobias.gr> skribis:
>
> > Ludovic Courtès 写道:
> >> See https://issues.guix.gnu.org/issue/37744
> >
> > Will this be automatically linkified?
>
> Yes, I think so.
>
> >> # Upgrading
> >>
> >> On multi-user systems, we recommend upgrading the daemon now.
> >>
> >> To upgrade the daemon on a “foreign distro”, run something along
> >> these
> >
> > Imperialist nitpick: why list the foreigners first? :-)
> >
> > Anti-imperialist nitpick: reversing the two allows using ‘other
> > distributions’ instead of ‘foreign’ which always sounds a bit
> > dismissive to my ears.
> >
> > End nitpick.
>
> That makes sense to me; I’m not satisfied with “foreign” either (I think
> the inspiration came from FFIs, but still). Maybe “fellow distros”?
> :-)
Is not the important distinction whether the "foreign distro" can be generated with pure guix libre components using a pure guix tool chain vs not?
Maybe define a (guix-auditable? "/") test and then s/foreign/non-guix-auditable/g in docs and discussions?
Just a thought :)
--
Regards,
Bengt Richter
Ludovic Courtès wrote on 18 Oct 2019 16:36
(name . Bengt Richter)(address . bokr@bokr.com)
877e5215ox.fsf@gnu.org
Bengt Richter <bokr@bokr.com> skribis:
Toggle quote (2 lines)> On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
[...]
>> > Imperialist nitpick: why list the foreigners first? :-)
>> >
>> > Anti-imperialist nitpick: reversing the two allows using ‘other
>> > distributions’ instead of ‘foreign’ which always sounds a bit
>> > dismissive to my ears.
>> >
>> > End nitpick.
>>
>> That makes sense to me; I’m not satisfied with “foreign” either (I think
>> the inspiration came from FFIs, but still). Maybe “fellow distros”?
>> :-)
>
> Is not the important distinction whether the "foreign distro" can be generated
> with pure guix libre components using a pure guix tool chain vs not?
“Foreign distro” designates any distro other than Guix System. From a technical viewpoint, it’s sometimes useful to be able to make that distinction.
HTH,
Ludo’.
Bengt Richter wrote on 19 Oct 2019 03:32
(name . Ludovic Courtès)(address . ludo@gnu.org)
20191018224519.GA81713@PhantoNv4ArchGx.localdomain
Hi Ludo,
On +2019-10-18 16:36:30 +0200, Ludovic Courtès wrote:
> Bengt Richter <bokr@bokr.com> skribis:
>
> > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
>
> [...]
>
> >> > Imperialist nitpick: why list the foreigners first? :-)
> >> >
> >> > Anti-imperialist nitpick: reversing the two allows using ‘other
> >> > distributions’ instead of ‘foreign’ which always sounds a bit
> >> > dismissive to my ears.
> >> >
> >> > End nitpick.
> >>
> >> That makes sense to me; I’m not satisfied with “foreign” either (I think
> >> the inspiration came from FFIs, but still). Maybe “fellow distros”?
> >> :-)
> >
> > Is not the important distinction whether the "foreign distro" can be generated
> > with pure guix libre components using a pure guix tool chain vs not?
>
> “Foreign distro” designates any distro other than Guix System. From a
> technical viewpoint, it’s sometimes useful to be able to make that
> distinction.
>
> HTH,
> Ludo’.
I was trying to get to a more exact definition of "that distinction" :)
I have read the page at "info guix installation", where "foreign" is explained:
---------------------------
Note: We recommend the use of this shell installer script (https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh) to install Guix on top of a running GNU/Linux system, thereafter called a “foreign distro”.(1) The script automates the download, installation, and initial configuration of Guix. It should be run as the root user.
When installed on a foreign distro, GNU Guix complements the available tools without interference. Its data lives exclusively in two directories, usually ‘/gnu/store’ and ‘/var/guix’; other files on your system, such as ‘/etc’, are left untouched.
[...]
(1) This section is concerned with the installation of the package manager, which can be done on top of a running GNU/Linux system. If, instead, you want to install the complete GNU operating system, *note System Installation::.
---------------------------
I have also read from "info guix introduction":
-----------------
(2) We used to refer to Guix System as “Guix System Distribution” or “GuixSD”. We now consider it makes more sense to group everything under the “Guix” banner since, after all, Guix System is readily available through the ‘guix system’ command, even if you’re using a different distro underneath!
----------------
further along it says:
-----------------------
With Guix System, you _declare_ all aspects of the operating system configuration and Guix takes care of instantiating the configuration in a transactional, reproducible, and stateless fashion (*note System Configuration::). Guix System uses the Linux-libre kernel, the Shepherd initialization system (*note (shepherd)Introduction::), the well-known GNU utilities and tool chain, as well as the graphical environment or system services of your choice.
-----------------------
That sounds more restricted than "... even if you’re using a different distro underneath!"
When you say "Guix System," do/should you really mean _only_ a system specifically running a linux-libre kernel, built with no dependencies outside of GuixSD official sources, and using Shepherd initialization??
E.g., the purism OS has (UIAM) been recognized as free as in RMS's "ryf" but is it compiled entirely using only tools in /gnu/store/... ?
Ask them, right? ;-)
(BTW, does anyone in the guix community have contact with them? I think they are trying to contribute upstream and do "The Right Thing"(TM))
My point is, if e.g. a bug is caused by something that is different in their kernel image from the one you generate from linux-libre and GuixSD sources, then we will be chasing a bug in their build process, not ours.
Sometimes it might be "useful to be able to make that distinction" no? :)
(kernel image is just an example, likewise for initrd's or anything that runs that was not derived from official guix/GuixSD sources).
BTW, Is it safe to do "guix system reconfigure" naively, "... even if you’re using a different distro underneath!" ?? I am afraid to try it :)
--
Regards,
Bengt Richter
PS. I think it would be useful if there were a LD_IMPURE_REFERENCE_LOG="path/to/logfile.txt" in an easy-to-edit place that, if present, would cause the ld wrapper to append to log what it finds (even if otherwise ignoring impure refs)
WDYT?
This issue is archived.
