Risk of local privilege escalation via setuid programs
On Guix System, setuid programs were, until now, installed as setuid-root and setgid-root (in the /run/setuid-programs directory). However, most of these programs are meant to run as setuid-root, but not setgid-root. Thus, this setting posed a risk of local privilege escalation (users of Guix on a “foreign distro” are unaffected).
This bug has been fixed and users are advised to upgrade their system, with commands along the lines of:
guix pull
sudo guix system reconfigure /run/current-system/configuration.scm
This issue is tracked as bug #46305; you can read the thread for more information. There is no known exploitation of this issue to date. Many thanks to Duncan Overbruck for reporting it.
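After reconfiguring, an administrator may want to confirm that no privileged helper still carries both bits the post describes. The following audit script is an added example, not code from the Guix project or from the post: it walks a directory of privileged programs (the default path /run/setuid-programs is taken from the post; any other directory is an assumption), flags files that are setuid-root and setgid-root at the same time, and lists any other setuid/setgid file for review.

```python
"""Audit a directory of privileged helpers for setuid/setgid bits.

Added example (not Guix's own tooling).  It reports files that are both
setuid-root and setgid-root, the condition the post describes, as "high",
and any other file carrying a setuid or setgid bit as "info" so it can be
reviewed.  Default directory is the one the post names for Guix System.
"""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional

ROOT_ID = 0


@dataclass
class Finding:
    path: str
    mode: int       # permission bits only (e.g. 0o6755)
    owner: int
    group: int
    severity: str   # "high": setuid-root and setgid-root; "info": other setuid/setgid


def audit_mode(path: str, st_mode: int, st_uid: int, st_gid: int) -> Optional[Finding]:
    """Classify one file from its stat fields.

    Returns None when neither the setuid nor the setgid bit is set.
    """
    setuid_root = bool(st_mode & stat.S_ISUID) and st_uid == ROOT_ID
    setgid_root = bool(st_mode & stat.S_ISGID) and st_gid == ROOT_ID
    any_bit = bool(st_mode & (stat.S_ISUID | stat.S_ISGID))
    if setuid_root and setgid_root:
        # Runs with root's uid *and* root's gid: the over-privileged case.
        return Finding(path, stat.S_IMODE(st_mode), st_uid, st_gid, "high")
    if any_bit:
        # setuid-root alone is expected for these programs; other
        # combinations are listed so a reviewer can judge them.
        return Finding(path, stat.S_IMODE(st_mode), st_uid, st_gid, "info")
    return None


def scan_directory(directory: str) -> List[Finding]:
    """Audit every regular file in `directory` (symlinks are followed,
    since the bits live on the target, not on the link)."""
    findings: List[Finding] = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            st = os.stat(path)
        except OSError:
            continue  # dangling link or unreadable entry: nothing to classify
        if not stat.S_ISREG(st.st_mode):
            continue
        finding = audit_mode(path, st.st_mode, st.st_uid, st.st_gid)
        if finding is not None:
            findings.append(finding)
    return findings


def format_finding(f: Finding) -> str:
    return f"{f.severity:4} {oct(f.mode)} uid={f.owner} gid={f.group} {f.path}"


if __name__ == "__main__":
    # Usage: python3 audit_setuid.py [directory]
    target = sys.argv[1] if len(sys.argv) > 1 else "/run/setuid-programs"
    for finding in scan_directory(target):
        print(format_finding(finding))
```

On a reconfigured system the expected output is a list of "info" lines for setuid-root helpers and no "high" lines; any "high" line names a program that still runs with root's group.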
Please report any issues you may have to guix-devel@gnu.org. See the security web page for information on how to report security issues.
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the Hurd or the Linux kernel, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Unless otherwise stated, blog posts on this site are copyrighted by their respective authors and published under the terms of the CC-BY-SA 4.0 license and the GNU Free Documentation License (version 1.3 or later, with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts).