Insecure permissions on profile directory (CVE-2019-18192)
We have become aware of a security issue for Guix on multi-user systems
that we have just fixed
Anyone running Guix on a multi-user system is encouraged to upgrade
guix-daemon—see below for instructions.
The default user profile,
~/.guix-profile, points to
/var/guix/profiles/per-user/$USER. Until now,
/var/guix/profiles/per-user was world-writable, allowing the
command to create the
On a multi-user system, this allowed a malicious user to create and
$USER sub-directory for another user that had not yet
logged in. Since
/var/…/$USER is in
$PATH, the target user could
end up running attacker-provided code. See
the bug report for more information.
This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).
consists in letting
guix-daemon create these directories on behalf of users and removing
the world-writable permissions on
where clients connect to the daemon over TCP (thanks to the
the fix requires
guix-daemon to be able to resolve user names so
that it can create
/var/…/per-user/$USER with the right ownership.
Note also that the
guix command prior to this fix would not
communicate the user name it’s running under to the daemon, thereby
preventing it from creating that directory on its behalf.
On multi-user systems, we recommend upgrading the daemon now.
To upgrade the daemon on Guix System, run:
guix pull sudo guix system reconfigure /etc/config.scm sudo herd restart guix-daemon
On other distros, run something along these lines:
sudo guix pull sudo systemctl restart guix-daemon.service
Once you’ve run
guix build hello or any other
guix command, you
should see that
/var/guix/profiles/per-user is no longer
$ ls -ld /var/guix/profiles/per-user drwxr-xr-x 5 root root 4096 Jun 23 2017 /var/guix/profiles/per-user
Please report any issues you may have to
firstname.lastname@example.org. See the
security web page for information on
how to report security issues.
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the kernel Linux, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.