GNU bug report logs -
#28751
GuixSD setuid-programs handling creates setuid binaries in the store
Previous Next
Reported by: ludo <at> gnu.org (Ludovic Courtès)
Date: Sun, 8 Oct 2017 19:26:01 UTC
Severity: important
Tags: security
Done: ludo <at> gnu.org (Ludovic Courtès)
Bug is archived. No further changes may be made.
Full log
Message #24 received at 28751 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
> ludo <at> gnu.org (Ludovic Courtès) skribis:
>
> > ludo <at> gnu.org (Ludovic Courtès) skribis:
> >
> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> >> create setuid-root binaries under /gnu/store for all the programs listed
> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
> >
> > Fixed by
> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
>
> Detailed announcement at:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
FYI, this was assigned CVE-2017-1000455.
I just received the attached JSON from the Distributed Weakness Filing
project (DWF) in response to my CVE application.
I assume it will show up in the regular places (MITRE etc) eventually.
Having thought about this bug for a while, I think it was not too bad in
practice. The setuid executable files could be copied or preserved
somehow by an attacker whether they were in the store or in
/run/setuid-programs.
[CVE-2017-1000455.json (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 7 years and 146 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.