Insecure permissions on profile directory (CVE-2019-18192)
We have become aware of a security issue for Guix on multi-user systems
that we have just fixed
(CVE-2019-18192).
Anyone running Guix on a multi-user system is encouraged to upgrade
guix-daemon
—see below for instructions.
Context
The default user profile, ~/.guix-profile
, points to
/var/guix/profiles/per-user/$USER
. Until now,
/var/guix/profiles/per-user
was world-writable, allowing the guix
command to create the $USER
sub-directory.
On a multi-user system, this allowed a malicious user to create and
populate that $USER
sub-directory for another user that had not yet
logged in. Since /var/…/$USER
is in $PATH
, the target user could
end up running attacker-provided code. See
the bug report for more information.
This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).
Fix
The fix
consists in letting
guix-daemon
create these directories on behalf of users and removing
the world-writable permissions on per-user
.
For cluster
setups
where clients connect to the daemon over TCP (thanks to the --listen
option of
guix-daemon
),
the fix requires guix-daemon
to be able to resolve user names so
that it can create /var/…/per-user/$USER
with the right ownership.
Note also that the guix
command prior to this fix would not
communicate the user name it’s running under to the daemon, thereby
preventing it from creating that directory on its behalf.
Upgrading
On multi-user systems, we recommend upgrading the daemon now.
To upgrade the daemon on Guix System, run:
guix pull
sudo guix system reconfigure /etc/config.scm
sudo herd restart guix-daemon
On other distros, run something along these lines:
sudo guix pull
sudo systemctl restart guix-daemon.service
Once you’ve run guix build hello
or any other guix
command, you
should see that /var/guix/profiles/per-user
is no longer
world-writable:
$ ls -ld /var/guix/profiles/per-user
drwxr-xr-x 5 root root 4096 Jun 23 2017 /var/guix/profiles/per-user
Please report any issues you may have to
guix-devel@gnu.org
. See the
security web page for information on
how to report security issues.
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the kernel Linux, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Pokud není uvedeno jinak, příspěvky na blogu na těchto stránkách jsou chráněny autorskými právy příslušných autorů a zveřejněny za podmínek licence CC-BY-SA 4.0 a podmínek licence GNU Free Documentation License (verze 1.3 nebo novější, bez invariantních částí, bez textů na přední straně obálky a bez textů na zadní straně obálky).