A TOCTTOU (time-of-check to time-of-use) vulnerability has been found in the activation code of user accounts, more specifically in the code that copies the account skeletons.

* Vulnerability

The attack consists of the user being logged in after the account skeletons have been copied to the home directory, but before the owner of the account skeletons has been set. The user then deletes a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces it with a symbolic link to a file not owned by the user, such as @file{/etc/shadow}. The activation code then changes the ownership of the file the symbolic link points to instead of the symbolic link itself. At that point, the user has read-write access to the target file.

* Where in the code does this happen?

Module: (gnu build activation).
Procedures: 'copy-account-skeletons' and 'activate-user-home'.

'copy-account-skeletons' creates the home directory, sets its owner, copies the account skeletons, and chowns the copied skeletons, in that order. The bug is that it dereferences symbolic links. It is called from 'activate-user-home' if the home directory does not already exist.

* Fix

The fix consists of initially creating the home directory root-owned and only changing the owner of the home directory once all skeletons have been copied and their owner has been set.

* Extra notes

A blog post, a news entry and a fix have been prepared and will be posted and hopefully merged soon.

The following tests succeeded:

$ make check-system TESTS='switch-to-system upgrade-services install-bootloader basic'
$ make check
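The two orderings described above, as an added illustration in Python rather than the Guile code of (gnu build activation): the vulnerable sequence hands the home directory to the user before the skeletons are copied and then chowns with a dereferencing chown, while the fixed sequence keeps the home directory owned by the creating process until every skeleton has been copied and owned, and never follows symbolic links when changing ownership. The function names, the injectable `chown` parameter and the recorder are assumptions for this example and are not Guix's own; the skeleton files are constructed in a temporary directory.

```python
import os
import shutil
import tempfile


def copy_account_skeletons_unsafe(home, skeleton_dir, uid, gid, chown=os.chown):
    """Order the advisory describes: create home, give it to the user, copy
    skeletons, chown them with a dereferencing chown. Between the copy and
    the chown the user already owns $HOME and can replace a copied file."""
    os.mkdir(home, 0o700)
    chown(home, uid, gid)                      # user now controls $HOME contents
    for name in sorted(os.listdir(skeleton_dir)):
        dst = os.path.join(home, name)
        shutil.copy2(os.path.join(skeleton_dir, name), dst, follow_symlinks=False)
        chown(dst, uid, gid)                   # default follow_symlinks=True dereferences


def copy_account_skeletons_safe(home, skeleton_dir, uid, gid, chown=os.chown):
    """Fixed order: the home directory keeps the creator's ownership (root in
    Guix) until every skeleton is in place and owned, and no ownership change
    dereferences a symbolic link."""
    os.mkdir(home, 0o700)
    for name in sorted(os.listdir(skeleton_dir)):
        dst = os.path.join(home, name)
        shutil.copy2(os.path.join(skeleton_dir, name), dst, follow_symlinks=False)
        chown(dst, uid, gid, follow_symlinks=False)   # lchown semantics
    chown(home, uid, gid, follow_symlinks=False)      # only now does the user own $HOME


def record_ownership_changes(impl, uid, gid):
    """Run `impl` against a constructed skeleton set and return the chown calls
    it made as (basename, dereferences) tuples, in call order. Passing -1 for
    uid and gid leaves ownership unchanged, so this runs without privileges."""
    calls = []

    def recording_chown(path, u, g, follow_symlinks=True):
        calls.append((os.path.basename(path), follow_symlinks))
        os.chown(path, u, g, follow_symlinks=follow_symlinks)

    with tempfile.TemporaryDirectory() as tmp:
        skel = os.path.join(tmp, "skel")
        os.mkdir(skel)
        for name in (".bashrc", ".gdbinit"):          # constructed skeleton files
            with open(os.path.join(skel, name), "w") as f:
                f.write("# skeleton\n")
        impl(os.path.join(tmp, "home"), skel, uid, gid, chown=recording_chown)
    return calls


if __name__ == "__main__":
    for impl in (copy_account_skeletons_unsafe, copy_account_skeletons_safe):
        print(impl.__name__)
        for name, deref in record_ownership_changes(impl, -1, -1):
            print(f"  chown {name:10s} dereferences={deref}")
```

Running the block prints the sequence of ownership changes for each variant: the unsafe one chowns `home` first and every later call dereferences, the safe one chowns the two skeleton files without dereferencing and touches `home` last, which is exactly the window the fix closes.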