GNU bug report logs - #28751
GuixSD setuid-programs handling creates setuid binaries in the store


Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Sun, 8 Oct 2017 19:26:01 UTC

Severity: important

Tags: security

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: ludo <at> gnu.org (Ludovic Courtès)
Subject: bug#28751: closed (Re: bug#28751: GuixSD setuid-programs handling
 creates setuid binaries in the store)
Date: Sun, 08 Oct 2017 19:55:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#28751: GuixSD setuid-programs handling creates setuid binaries in the store

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 28751 <at> debbugs.gnu.org.

-- 
28751: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=28751
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: ludo <at> gnu.org (Ludovic Courtès)
To: 28751-done <at> debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid
 binaries in the store
Date: Sun, 08 Oct 2017 21:54:22 +0200
ludo <at> gnu.org (Ludovic Courtès) skribis:

> ludo <at> gnu.org (Ludovic Courtès) skribis:
>
>> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> create setuid-root binaries under /gnu/store for all the programs listed
>> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>
> Fixed by
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.

Detailed announcement at:

  https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: ludo <at> gnu.org (Ludovic Courtès)
To: bug-guix <at> gnu.org
Subject: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sun, 08 Oct 2017 21:25:15 +0200
On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

‘activate-setuid-programs’ in (gnu build activation) does this:

  (define (make-setuid-program prog)
    ;; PROG is a store path such as /gnu/store/…/bin/su; TARGET is its
    ;; entry under /run/setuid-programs (%setuid-directory).
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      ;; Hard link when possible, so TARGET and PROG share one inode.
      (link-or-copy prog target)
      (chown target 0 0)
      ;; Setting the setuid/setgid bits on TARGET therefore also sets
      ;; them on PROG in the store.
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.
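The two-step sequence quoted in the report (hard link, then chmod) can be reproduced on a throwaway directory tree without touching a real store. The script below is an added example, not code from the bug report or from Guix: it shows that chmod on the link marks the store file setuid as well, that copying instead of linking keeps the bits off the store file, and it includes a small scan that a defender can run over a store directory to confirm no setuid files exist there. It assumes a POSIX sh with ln, cp, chmod, find and mktemp; the chown to root from the original snippet is left out so the demo runs unprivileged, and the "su" file it creates is a constructed stand-in for the real binary.

```shell
#!/bin/sh
# Added example, not Guix code: reproduces the hard-link problem from the
# report on a throwaway tree and shows that copying avoids it.
# Assumptions: POSIX sh with ln, cp, chmod, find, mktemp; no chown to root,
# so it runs as an ordinary user.

# The pattern the report describes: hard-link the store binary into the
# setuid directory, then set the setuid/setgid bits on the link. Both paths
# name the same inode, so the store file becomes setuid too.
link_then_setuid() {
    ln "$1" "$2"
    chmod 6555 "$2"
}

# Safer variant: copy the file, so the bits land on a separate inode and the
# store file is untouched.
copy_then_setuid() {
    cp "$1" "$2"
    chmod 6555 "$2"
}

# "setuid" if the setuid bit is set on the path, "plain" otherwise.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo plain; fi
}

# Number of regular files under a directory with the setuid bit set.
# For a content-addressed store this should always be 0.
count_setuid() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# Walk through both variants on a constructed tree and print the outcome.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/store/bin" "$root/setuid-programs"
    # Constructed stand-in for the store binary.
    printf '#!/bin/sh\necho su\n' > "$root/store/bin/su"
    chmod 555 "$root/store/bin/su"

    link_then_setuid "$root/store/bin/su" "$root/setuid-programs/su"
    echo "after ln+chmod: store file is $(setuid_state "$root/store/bin/su")"
    echo "                setuid files in store: $(count_setuid "$root/store")"

    rm "$root/setuid-programs/su"
    chmod 555 "$root/store/bin/su"
    copy_then_setuid "$root/store/bin/su" "$root/setuid-programs/su"
    echo "after cp+chmod: store file is $(setuid_state "$root/store/bin/su")"
    echo "                setuid files in store: $(count_setuid "$root/store")"

    rm -r "$root"
}

demo
```

Running the script prints "setuid" and a count of 1 for the store after the link variant, and "plain" with a count of 0 after the copy variant. On a real system, `count_setuid /gnu/store` (or the same find over any directory that is supposed to hold only unprivileged files) is the quick check for the condition this report describes.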
