From unknown Fri Jun 20 18:25:05 2025
Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Resent-From: ludo@gnu.org (Ludovic Courtès)
Resent-CC: bug-guix@gnu.org
Resent-Date: Sun, 08 Oct 2017 19:26:01 +0000
To: 28751@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Date: Sun, 08 Oct 2017 21:25:15 +0200
Message-ID: <87h8v9cuhw.fsf@gnu.org>

On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.
‘activate-setuid-programs’ in (gnu build activation) does this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory "/" (basename prog))))
      (link-or-copy prog target)      ; hard link: TARGET is the same inode as PROG
      (chown target 0 0)
      (chmod target #o6555)))         ; mode change lands on the store file too

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.
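Added example, not code from Guix or from this thread: a POSIX shell script that reproduces the mechanism above on a throw-away directory tree and runs the invariant check a store should pass (no setuid or setgid files under it), once with hard-link-then-chmod and once with a copy-then-chmod variant. The paths under a mktemp directory are constructed stand-ins for /gnu/store and /run/setuid-programs, the "su" is a stub script, and the setuid bit is set on a file the caller owns so no root is needed.

```shell
#!/bin/sh
# Constructed demonstration of bug#28751's mechanism; not Guix code.
set -eu

# Invariant check: number of files under $1 carrying the setuid or setgid
# bit.  For a store this must be 0.
count_setuid_under() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Build a fake store holding one "su" binary (a stub script, mode 555).
make_fake_store() {
    mkdir -p "$1/abc123-shadow/bin"
    printf '#!/bin/sh\necho fake su\n' > "$1/abc123-shadow/bin/su"
    chmod 555 "$1/abc123-shadow/bin/su"
}

# Buggy activation: hard link, then chmod.  A hard link is the same inode
# as the store file, so the mode change is visible through both names and
# the store now contains a setuid file.
activate_with_link() {
    mkdir -p "$2"
    ln "$1/abc123-shadow/bin/su" "$2/su"
    chmod 4555 "$2/su"      # setuid only; the bug report used #o6555
}

# Copy-then-chmod variant: the copy is a new inode, so the store file's
# mode is untouched.
activate_with_copy() {
    mkdir -p "$2"
    cp "$1/abc123-shadow/bin/su" "$2/su"
    chmod 4555 "$2/su"
}

# Run one variant ($1 = link | copy) in a fresh tree and return, on stdout,
# how many setuid/setgid files are left in the fake store afterwards.
store_setuid_count_after() {
    work=$(mktemp -d)
    make_fake_store "$work/store"
    if [ "$1" = link ]; then
        activate_with_link "$work/store" "$work/setuid-programs"
    else
        activate_with_copy "$work/store" "$work/setuid-programs"
    fi
    n=$(count_setuid_under "$work/store")
    rm -rf "$work"
    echo "$n"
}

echo "hard link + chmod: $(store_setuid_count_after link) setuid file(s) left in the fake store"
echo "copy + chmod:      $(store_setuid_count_after copy) setuid file(s) left in the fake store"
```

The same count_setuid_under check, pointed at the real /gnu/store, is the one-line audit for this class of bug on an installed system.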
From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Subject: control message for bug #28751
Date: Sun, 08 Oct 2017 21:32:04 +0200

tags 28751 security
From: ludo@gnu.org (Ludovic Courtès)
To: control@debbugs.gnu.org
Subject: control message for bug #28751
Date: Sun, 08 Oct 2017 21:32:10 +0200

severity 28751 important

Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Resent-Date: Sun, 08 Oct 2017 19:34:01 +0000
To: 28751@debbugs.gnu.org
From: ludo@gnu.org (Ludovic Courtès)
Date: Sun, 08 Oct 2017 21:32:53 +0200
In-Reply-To: <87h8v9cuhw.fsf@gnu.org>
Message-ID: <877ew5cu56.fsf@gnu.org>

ludo@gnu.org (Ludovic Courtès) skribis:

> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> create setuid-root binaries under /gnu/store for all the programs listed
> under ‘setuid-programs’ in the ‘operating-system’ declaration.

Fixed by .

Ludo’.
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: ludo@gnu.org (Ludovic Courtès)
Subject: bug#28751: closed (Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store)
Date: Sun, 08 Oct 2017 19:55:02 +0000

Your bug report

#28751: GuixSD setuid-programs handling creates setuid binaries in the store

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 28751@debbugs.gnu.org.
--
28751: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28751
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: ludo@gnu.org (Ludovic Courtès)
To: 28751-done@debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sun, 08 Oct 2017 21:54:22 +0200
In-Reply-To: <877ew5cu56.fsf@gnu.org>
Message-ID: <87lgklbekx.fsf@gnu.org>

ludo@gnu.org (Ludovic Courtès) skribis:

> ludo@gnu.org (Ludovic Courtès) skribis:
>
>> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> create setuid-root binaries under /gnu/store for all the programs listed
>> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>
> Fixed by
> .

Detailed announcement at:

  https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

Ludo’.
From: Leo Famulari
To: control@debbugs.gnu.org
Date: Fri, 29 Dec 2017 17:59:01 -0500
Message-ID: <20171229225901.GA30273@jasmine.lan>
unarchive 28751

Subject: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
Resent-From: Leo Famulari
Resent-Date: Fri, 29 Dec 2017 23:10:01 +0000
To: 28751@debbugs.gnu.org
From: Leo Famulari
Date: Fri, 29 Dec 2017 18:09:53 -0500
Message-ID: <20171229230953.GA10185@jasmine.lan>
In-Reply-To: <87lgklbekx.fsf@gnu.org>
On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
> ludo@gnu.org (Ludovic Courtès) skribis:
>
> > ludo@gnu.org (Ludovic Courtès) skribis:
> >
> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> >> create setuid-root binaries under /gnu/store for all the programs listed
> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
> >
> > Fixed by
> > .
>
> Detailed announcement at:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

FYI, this was assigned CVE-2017-1000455.

I just received the attached JSON from the Distributed Weakness Filing
project (DWF) in response to my CVE application.

I assume it will show up in the regular places (MITRE etc) eventually.

Having thought about this bug for a while, I think it was not too bad in
practice. The setuid executable files could be copied or preserved
somehow by an attacker whether they were in the store or in
/run/setuid-programs.
Content-Disposition: attachment; filename="CVE-2017-1000455.json"

{
  "data_version": "4.0",
  "references": {
    "reference_data": [
      {"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}
    ]
  },
  "description": {
    "description_data": [
      {"lang": "eng",
       "value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}
    ]
  },
  "data_type": "CVE",
  "affects": {
    "vendor": {
      "vendor_data": [
        {"product": {
           "product_data": [
             {"version": {
                "version_data": [
                  {"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}
                ]},
              "product_name": "GuixSD"}
           ]},
         "vendor_name": "GNU Guix"}
      ]
    }
  },
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2017-12-29",
    "ID": "CVE-2017-1000455",
    "ASSIGNER": "kurt@seifried.org",
    "REQUESTER": "leo@famulari.name"
  },
  "data_format": "MITRE",
  "problemtype": {
    "problemtype_data": [
      {"description": [{"lang": "eng", "value": "Insecure Permissions"}]}
    ]
  }
}
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 28751@debbugs.gnu.org
Resent-Date: Sat, 30 Dec 2017 00:29:01 +0000
In-Reply-To: <20171229223329.GA25194@jasmine.lan> (Leo Famulari's message of "Fri, 29 Dec 2017 17:33:29 -0500")
<87lgklbekx.fsf@gnu.org> <20171229223329.GA25194@jasmine.lan> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: 10 =?UTF-8?Q?Niv=C3=B4se?= an 226 de la =?UTF-8?Q?R=C3=A9volution?= X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Sat, 30 Dec 2017 01:28:09 +0100 Message-ID: <87o9mh2h5y.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 3.7 (+++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Leo Famulari skribis: > On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic =?UTF-8?Q?Court=C3=A8s?= wrote: >> ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) skribis: >> > ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=) skribis: >> > >> >> On GuixSD, =?UTF-8?Q?=E2=80=98activate-setuid-programs=E2=80=99?= in (gnu build activation) would >> >> create setuid-root binaries under /gnu/store for all the programs listed >> >> under =?UTF-8?Q?=E2=80=98setuid-programs=E2=80=99?= in the =?UTF-8?Q?=E2=80=98operating-system=E2=80=99?= declaration. >> > >> > Fixed by >> > . >> >> Detailed announcement at: >> >> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html > > FYI, this was assigned CVE-2017-1000455. 
Leo Famulari wrote:

> On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
>> ludo@gnu.org (Ludovic Courtès) wrote:
>> > ludo@gnu.org (Ludovic Courtès) wrote:
>> >
>> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> >> create setuid-root binaries under /gnu/store for all the programs listed
>> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>> >
>> > Fixed by
>> > .
>>
>> Detailed announcement at:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
>
> FYI, this was assigned CVE-2017-1000455.
>
> I just received this JSON from the Distributed Weakness Filing project
> (DWF) in response to my CVE application:
>
> {"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description": {"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt@seifried.org","REQUESTER": "leo@famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
>
> I assume it will show up in the regular places (MITRE etc) eventually.

Great, thanks for following up!

Ludo’.
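The CVE text quoted in this thread says the bug came from using POSIX hard links incorrectly. The shell script below is an added illustration of that mechanism and is not Guix's own activation code or the code of the fix: a hard link shares its inode with the store file, so setting the setuid bit on the link also sets it on the file in the store, whereas a copy keeps the bit out of the store. The fake store layout, the file name `passwd` and the directory name `setuid-programs` are constructed for this example in a throwaway temporary directory; nothing touches /gnu/store.

```shell
#!/bin/sh
# Added example, not Guix code: show why hard-linking a store file and then
# chmod'ing the link marks the store file itself setuid, and provide a check
# for setuid files under a store-like tree. Everything runs in a temp dir.
set -eu

# Number of regular files carrying the setuid bit under $1 ("0" when clean).
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Buggy pattern: link the store binary into the wrapper directory, then
# chmod the link. The link and the store file are one inode, so the store
# file becomes setuid as well.
activate_with_hardlink() {
    store=$1; target=$2
    ln "$store/bin/passwd" "$target/passwd"
    chmod 4755 "$target/passwd"
}

# Copy-based alternative (this example's own, not a transcript of the fix):
# the setuid bit lands on a separate inode outside the store.
activate_with_copy() {
    store=$1; target=$2
    cp "$store/bin/passwd" "$target/passwd"
    chmod 4755 "$target/passwd"
}

# Build a fake store with one read-only binary, run one activation mode
# ("link" or "copy"), and print how many setuid files the fake store holds
# afterwards: 1 for "link", 0 for "copy".
run_scenario() {
    mode=$1
    tmp=$(mktemp -d)
    mkdir -p "$tmp/store/bin" "$tmp/setuid-programs"
    printf '#!/bin/sh\necho fake passwd\n' > "$tmp/store/bin/passwd"
    chmod 555 "$tmp/store/bin/passwd"
    case $mode in
        link) activate_with_hardlink "$tmp/store" "$tmp/setuid-programs" ;;
        copy) activate_with_copy "$tmp/store" "$tmp/setuid-programs" ;;
        *) echo "unknown mode: $mode" >&2; rm -rf "$tmp"; return 1 ;;
    esac
    n=$(count_setuid "$tmp/store")
    rm -rf "$tmp"
    echo "$n"
}

# Usage: sh this-script.sh demo
if [ "${1:-}" = "demo" ]; then
    echo "setuid files in fake store after hard-link activation: $(run_scenario link)"
    echo "setuid files in fake store after copy activation:      $(run_scenario copy)"
fi
```

On a live GuixSD system the equivalent audit is `find /gnu/store -xdev -type f -perm -4000` (add `-perm -2000` in a second run for setgid); a system running code with the fix should print nothing, and any path it does print is a store item whose permissions no longer match what the build produced.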