From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Ludovic Courtès
To: 37744@debbugs.gnu.org
Cc: guix-security@gnu.org, GNU Guix maintainers
Date: Mon, 14 Oct 2019 09:47:35 +0200
Message-ID: <87o8yjsr8o.fsf@gnu.org>
X-GNU-PR-Message: report 37744
X-GNU-PR-Package: guix

Hello Guix,

That the per-user profile directory is world-writable allows an attacker
to hijack code run by other users, as has been reported in the context
of Nix:

  https://www.openwall.com/lists/oss-security/2019/10/09/4

I believe it applies to Guix as well.  Nix people are tracking it here:

  https://github.com/NixOS/nix/pull/3134
  https://github.com/NixOS/nix/issues/509

Looks like we'll need to do something similar to: .

Thoughts?

Thanks,
Ludo'.
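An added example, not part of this bug report and not Guix code: an audit that checks a profiles/per-user tree for the precondition the report describes, namely a parent directory writable by others, and per-user/<name> entries that are symlinks or are not owned by the account they are named after. The two trees, the name-to-uid lookup table and the root_uid argument are constructed for the demonstration (both trees are created by the unprivileged process running it); on a real system you would pass /var/guix/profiles/per-user and keep the defaults, which resolve names through the passwd database and expect root ownership.

```python
import os
import pwd
import stat
import tempfile


def _passwd_uid(name):
    """Default account lookup: uid from the passwd database, or None."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_per_user(per_user, resolve_uid=_passwd_uid, root_uid=0):
    """Return a list of findings for the PER_USER directory.

    Two properties matter: PER_USER itself must be writable only by its
    owner (root), and every PER_USER/<name> must be a real directory
    owned by the account <name>.  A 1777 parent lets any local user
    pre-create PER_USER/<victim> and own what the victim's
    ~/.guix-profile later points at (the CVE-2019-17365 pattern).
    """
    findings = []
    st = os.lstat(per_user)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s: not a directory" % per_user]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s: writable by group/others (%s)"
                        % (per_user, stat.filemode(st.st_mode)))
    if st.st_uid != root_uid:
        findings.append("%s: owned by uid %d, expected %d"
                        % (per_user, st.st_uid, root_uid))

    for name in sorted(os.listdir(per_user)):
        path = os.path.join(per_user, name)
        sub = os.lstat(path)          # lstat: never follow a planted symlink
        if stat.S_ISLNK(sub.st_mode):
            findings.append("%s: symlink instead of a directory" % path)
            continue
        if not stat.S_ISDIR(sub.st_mode):
            findings.append("%s: not a directory" % path)
            continue
        if sub.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s: writable by group/others" % path)
        uid = resolve_uid(name)
        if uid is None:
            findings.append("%s: no account named %r" % (path, name))
        elif sub.st_uid != uid:
            findings.append("%s: owned by uid %d, account %s is uid %d"
                            % (path, sub.st_uid, name, uid))
    return findings


def _build_tree(root, per_user_mode):
    """Construct ROOT/profiles/per-user with one entry 'ludo' (mode 0755)."""
    per_user = os.path.join(root, "profiles", "per-user")
    os.makedirs(per_user)
    os.chmod(per_user, per_user_mode)     # chmod: mkdir's mode is umask-filtered
    os.mkdir(os.path.join(per_user, "ludo"))
    os.chmod(os.path.join(per_user, "ludo"), 0o755)
    return per_user


def demo():
    """Audit two constructed trees and return (vulnerable, fixed) findings.

    Both trees are created by this process, so ownership is modelled
    through the lookup table: in the vulnerable tree 'ludo' maps to a uid
    other than ours (the entry was pre-created by someone else), in the
    fixed tree to our own uid (the daemon created it for ludo).
    """
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        vuln = _build_tree(os.path.join(tmp, "vuln"), 0o1777)
        vuln_findings = audit_per_user(vuln, {"ludo": me + 1}.get, root_uid=me)
        fixed = _build_tree(os.path.join(tmp, "fixed"), 0o755)
        fixed_findings = audit_per_user(fixed, {"ludo": me}.get, root_uid=me)
    return vuln_findings, fixed_findings
```

Run against a real tree, a non-empty result from audit_per_user is the signal that the daemon-side fix (parent 0755 root-owned, entries created by the daemon) has not been applied or that an entry was planted before it was.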
From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 14 03:54:16 2019
From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Mon, 14 Oct 2019 09:54:06 +0200
Message-Id: <87mue3sqxt.fsf@gnu.org>
Subject: control message for bug #37744

tags 37744 + security
quit

From debbugs-submit-bounces@debbugs.gnu.org Mon Oct 14 03:54:28 2019
From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Mon, 14 Oct 2019 09:54:18 +0200
Message-Id: <87lftnsqxh.fsf@gnu.org>
Subject: control message for bug #37744

severity 37744 important
quit

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Ludovic Courtès
To: 37744@debbugs.gnu.org
Cc: GNU Guix maintainers, guix-security@gnu.org
Date: Mon, 14 Oct 2019 09:58:47 +0200
Message-ID: <87blujsqq0.fsf@gnu.org>
In-Reply-To: <87o8yjsr8o.fsf@gnu.org>
X-GNU-PR-Keywords: security

Ludovic Courtès writes:

> Looks like we'll need to do something similar to:
> .

Compared to the Nix build daemon, our daemon can accept connections over
TCP in addition to Unix-domain sockets, so the bit that does:

  store->createUser(userName, userId);

won't work in that context (it would create 'per-user/root'.)

I don't see how to let the daemon create 'per-user/$USER' on behalf of
the client for clients connecting over TCP.  Or we'd need to add a
challenge mechanism or authentication.

Thoughts?

Ludo'.
From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Tobias Geerinckx-Rice
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, GNU Guix maintainers, guix-security@gnu.org
Date: Mon, 14 Oct 2019 13:53:35 +0200
Message-ID: <87y2xno85o.fsf@nckx>
In-Reply-To: <87blujsqq0.fsf@gnu.org>

Ludo',

Thanks for your report :-p

The 1777 is obviously very bad, no question.  However: question:

Ludovic Courtès wrote:
> I don't see how to let the daemon create 'per-user/$USER' on behalf of
> the client for clients connecting over TCP.  Or we'd need to add a
> challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to your
daemon (over TCP, why not), asking it to create an empty
'per-user/ludo'.

Assuming the daemon creates it with sane permissions (say 0755) &
without any race conditions, what's my evil plan now?

Kind regards,

T G-R

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Maxim Cournoyer
To: Tobias Geerinckx-Rice
Cc: GNU Guix maintainers, Ludovic Courtès, 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Mon, 14 Oct 2019 12:37:49 -0400
Message-ID: <87sgnvp9k2.fsf@gmail.com>
In-Reply-To: <87y2xno85o.fsf@nckx>

Hello,

Tobias Geerinckx-Rice writes:

> Ludo',
>
> Thanks for your report :-p
>
> The 1777 is obviously very bad, no question.  However: question:
>
> Ludovic Courtès wrote:
>> I don't see how to let the daemon create 'per-user/$USER' on behalf
>> of the client for clients connecting over TCP.  Or we'd need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> 'per-user/ludo'.
>
> Assuming the daemon creates it with sane permissions (say 0755) &
> without any race conditions, what's my evil plan now?
>
> Kind regards,
>
> T G-R

It's not yet clear to me how an actual attack would work, but IIUC when
connecting over TCP there's no 'trusted' way to verify the user is
actually the user it says they are; so they could impersonate at will
(and make use of another user's local directory, perhaps arranging to
write something nasty in there).  Is my understanding correct?
Maxim

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Tue, 15 Oct 2019 14:34:46 +0200
Message-ID: <87d0eyuqzd.fsf@gnu.org>
In-Reply-To: <87y2xno85o.fsf@nckx>

Hi!

Tobias Geerinckx-Rice writes:

> The 1777 is obviously very bad, no question.  However: question:
>
> Ludovic Courtès wrote:
>> I don't see how to let the daemon create 'per-user/$USER' on behalf
>> of the client for clients connecting over TCP.  Or we'd need to add a
>> challenge mechanism or authentication.
>
> I need more cluebat please: say I'm an attacker and connect to your
> daemon (over TCP, why not), asking it to create an empty
> 'per-user/ludo'.

You wouldn't be able to do that over TCP, because the daemon can't tell
what user you are.

Note that TCP has to be explicitly enabled through
'guix-daemon --listen=0.0.0.0'.  It's meant for cluster setups where
you have one head node that clients connect to from remote nodes.

I suppose we won't be able to address the problem in this particular
setup, unless we had some authentication mechanism like I wrote above
(it could be a challenge like the MIT-MAGIC-COOKIE.)

Ludo'.
From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Tobias Geerinckx-Rice
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Tue, 15 Oct 2019 16:31:40 +0200
Message-ID: <87mue2nkrj.fsf@nckx>
In-Reply-To: <87d0eyuqzd.fsf@gnu.org>

Ludo',

Thanks for your answer.

Ludovic Courtès wrote:
>> I need more cluebat please: say I'm an attacker and connect to your
>> daemon (over TCP, why not), asking it to create an empty
>> 'per-user/ludo'.
>
> You wouldn't be able to do that over TCP, because the daemon can't
> tell what user you are.

No, I ask it nicely: 'hullo daemon, I'm, er, "ludo"'.

Of course the remote daemon doesn't trust me beyond pre-creating an
empty per-user directory owned by the local "ludo" user only if such a
user exists.  It doesn't even report success or failure to avoid
leaking valid user names.

You already trust the network not to DoS you with webkitgtks, how does
this new step decrease security?

Sure, it bumps the protocol version; I'm aware of that.

> It's meant for cluster setups where you have one head node that
> clients connect to from remote nodes.

And likely some kind of centralised user management so it's not
unreasonable to handle this differently/manually.

Kind regards,

T G-R

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Wed, 16 Oct 2019 08:57:05 +0200
Message-ID: <8736fttby6.fsf@gnu.org>
In-Reply-To: <87mue2nkrj.fsf@nckx>

Hi Tobias,

Tobias Geerinckx-Rice writes:

> No, I ask it nicely: 'hullo daemon, I'm, er, "ludo"'.
>
> Of course the remote daemon doesn't trust me beyond pre-creating an
> empty per-user directory owned by the local "ludo" user only if such a
> user exists.  It doesn't even report success or failure to avoid
> leaking valid user names.

Ah you're right, the worst that can happen is that an empty directory
is created for someone else.  Sounds like a plan.

Ludo'.
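An added example of the scheme the two messages above converge on; it is neither Guix's code nor the patch posted later in the thread. A daemon-side routine takes the name a client claims, validates it, resolves it against the local account database, and creates per-user/<name> with mode 0755 owned by that account only if it is missing: it does not follow symlinks, does not work under a group- or world-writable parent, and never chowns a directory that already exists under someone else's ownership. The string it returns is meant for the daemon's own log; the client receives nothing either way, which is what keeps valid account names from leaking. The account table and the chown callback are stand-ins for getpwnam and os.fchown, because the demonstration runs unprivileged.

```python
import os
import re
import stat
import tempfile

# Portable POSIX account names.  This also rejects "", ".", ".." and
# anything containing "/" or NUL, so the name cannot escape per-user/.
_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def ensure_per_user_dir(per_user, claimed_name, resolve_ids, chown=os.fchown):
    """Ensure PER_USER/CLAIMED_NAME exists as a real directory, mode 0755,
    owned by the local account CLAIMED_NAME.

    RESOLVE_IDS maps a name to (uid, gid) or None (stand-in for getpwnam).
    CHOWN is os.fchown in a real daemon; the demo substitutes a fake since
    chown to another uid needs root.  The returned string is for the
    daemon's log only: the client must get no success/failure signal.
    """
    if not _NAME_RE.match(claimed_name):
        return "rejected-name"
    ids = resolve_ids(claimed_name)
    if ids is None:
        return "unknown-user"
    uid, gid = ids

    # Open the parent without following symlinks and refuse to work under
    # a group- or world-writable directory: with a 1777 parent the entry
    # could have been planted by anyone (the CVE-2019-17365 layout).
    parent_fd = os.open(per_user, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        if os.fstat(parent_fd).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "parent-writable"

        created = False
        try:
            os.mkdir(claimed_name, 0o755, dir_fd=parent_fd)
            created = True
        except FileExistsError:
            pass

        # Re-open the entry relative to the parent fd; a symlink or a
        # non-directory makes this fail instead of being followed.
        try:
            fd = os.open(claimed_name,
                         os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                         dir_fd=parent_fd)
        except OSError:
            return "not-a-directory"
        try:
            if created:
                os.fchmod(fd, 0o755)        # mkdir's mode was umask-filtered
                chown(fd, uid, gid)
                return "created"
            if os.fstat(fd).st_uid != uid:
                # Pre-existing and owned by someone else: never "repair" it
                # by chowning; that is exactly what an attacker would want.
                return "exists-wrong-owner"
            return "exists"
        finally:
            os.close(fd)
    finally:
        os.close(parent_fd)


def demo():
    """Exercise the routine on a constructed tree with a fake account table
    and a recording chown.  Returns (results, chown_calls)."""
    me, my_gid = os.getuid(), os.getgid()
    # Constructed accounts: "ludo" is this process, "nckx" is another uid.
    accounts = {"ludo": (me, my_gid), "nckx": (me + 1, my_gid),
                "evil": (me, my_gid)}
    chown_calls = []

    def fake_chown(fd, uid, gid):
        chown_calls.append((uid, gid))

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        per_user = os.path.join(tmp, "per-user")
        os.mkdir(per_user)
        os.chmod(per_user, 0o755)

        def run(name):
            return ensure_per_user_dir(per_user, name, accounts.get, fake_chown)

        results["ludo"] = run("ludo")            # fresh: created
        results["ludo-again"] = run("ludo")      # already ours: exists
        results["nckx"] = run("nckx")            # created (fake chown)
        results["nckx-again"] = run("nckx")      # really owned by us, not nckx
        results["traversal"] = run("../etc")     # rejected before any I/O
        results["nobody"] = run("mallory")       # no such account, silent
        os.symlink(tmp, os.path.join(per_user, "evil"))
        results["symlink"] = run("evil")         # planted symlink, not followed
        os.chmod(per_user, 0o1777)               # the pre-fix layout
        results["sticky"] = run("ludo")
    return results, chown_calls
```

The "nckx-again" case is the one Tobias raises: a directory that already exists under a different owner is reported internally and left alone, rather than handed over to the claimed account.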
From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Wed, 16 Oct 2019 12:22:33 +0200
Message-ID: <87tv89rnva.fsf@gnu.org>
In-Reply-To: <8736fttby6.fsf@gnu.org>
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain; charset=utf-8

Hello!

Here's a patch that fixes the issue, partly based on what the Nix folks
did.

For the client-connecting-over-TCP case, I added special handling:
'set-build-options' now passes a "user-name" property, potentially
allowing to create 'per-user/$USER' at that point (like you suggested,
Tobias.)

In a cluster setup, it means that the machine that runs 'guix-daemon'
must see the same users as the machines where its clients run, but
that's basically already what we expect: .

There's one case that won't be correctly handled: in a cluster setup, an
old client talking to a new daemon won't provide info to create
'per-user/$USER', and thus 'guix package' & co. won't be able to create
the user's profile if it doesn't already exist.  I think that's hard to
avoid though.

Thoughts?

Thanks,
Ludo'.
Content-Disposition: inline; filename=0001-daemon-Make-profiles-per-user-non-world-writable.patch

From 7c43fdeb2f9283d86d849007e8fbc138ca2912c4 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Wed, 16 Oct 2019 11:51:42 +0200
Subject: [PATCH 1/2] daemon: Make 'profiles/per-user' non-world-writable.

Fixes .
Reported at .

Based on Nix commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d by Eelco Dolstra .

* nix/libstore/local-store.cc (LocalStore::LocalStore): Set 'perUserDir' to #o755 instead of #o1777.
(LocalStore::createUser): New function.
* nix/libstore/local-store.hh (LocalStore): Add it.
* nix/libstore/store-api.hh (StoreAPI): Add it.
* nix/nix-daemon/nix-daemon.cc (performOp): In 'wopSetOptions', add condition to handle "user-name" property and honor it.
(processConnection): Add 'userId' parameter. Call 'store->createUser' when userId is not -1.
* guix/profiles.scm (ensure-profile-directory): Note that this is now handled by the daemon.
* guix/store.scm (current-user-name): New procedure.
(set-build-options): Add #:user-name parameter and pass it to the daemon.
* tests/guix-daemon.sh: Test the creation of 'profiles/per-user' when listening on a TCP socket.
* tests/store.scm ("profiles/per-user exists and is not writable") ("profiles/per-user/$USER exists"): New tests.
---
 guix/profiles.scm            |  3 ++-
 guix/store.scm               | 12 ++++++++++++
 nix/libstore/local-store.cc  | 17 +++++++++++++++--
 nix/libstore/local-store.hh  |  2 ++
 nix/libstore/store-api.hh    |  4 ++++
 nix/nix-daemon/nix-daemon.cc | 24 ++++++++++++++++++++++--
 tests/guix-daemon.sh         | 21 +++++++++++++++++++++
 tests/store.scm              | 13 ++++++++++++-
 8 files changed, 90 insertions(+), 6 deletions(-)

diff --git a/guix/profiles.scm b/guix/profiles.scm
index f5c863945c..cd3b21e390 100644
--- a/guix/profiles.scm
+++ b/guix/profiles.scm
@@ -1732,7 +1732,8 @@ because the NUMBER is zero.)" (string-append %profile-directory "/guix-profile")) =20 (define (ensure-profile-directory) - "Attempt to create /=E2=80=A6/profiles/per-user/$USER if needed." + "Attempt to create /=E2=80=A6/profiles/per-user/$USER if needed. Nowada= ys this is +taken care of by the daemon." (let ((s (stat %profile-directory #f))) (unless (and s (eq? 'directory (stat:type s))) (catch 'system-error diff --git a/guix/store.scm b/guix/store.scm index d7c603898c..382aad29d9 100644 --- a/guix/store.scm +++ b/guix/store.scm @@ -748,6 +748,14 @@ encoding conversion errors." (cut string-append "http://" <>)) '("ci.guix.gnu.org"))) =20 +(define (current-user-name) + "Return the name of the calling user." + (catch #t + (lambda () + (passwd:name (getpwuid (getuid)))) + (lambda _ + (getenv "USER")))) + (define* (set-build-options server #:key keep-failed? keep-going? fallback? (verbosity 0) @@ -759,6 +767,7 @@ encoding conversion errors." (build-verbosity 0) (log-type 0) (print-build-trace #t) + (user-name (current-user-name)) =20 ;; When true, provide machine-readable "build ;; traces" for use by (guix status). Old clie= nts @@ -849,6 +858,9 @@ encoding conversion errors." `(("build-repeat" . ,(number->string (max 0 (1- rounds))))) '()) + ,@(if user-name + `(("user-name" . ,user-name)) + '()) ,@(if terminal-columns `(("terminal-columns" . ,(number->string terminal-columns))) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 3b08492c64..3793382361 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc 
@@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace) =20 Path perUserDir =3D profilesDir + "/per-user"; createDirs(perUserDir); - if (chmod(perUserDir.c_str(), 01777) =3D=3D -1) - throw SysError(format("could not set permissions on '%1%' to 1= 777") % perUserDir); + if (chmod(perUserDir.c_str(), 0755) =3D=3D -1) + throw SysError(format("could not set permissions on '%1%' to 7= 55") + % perUserDir); =20 mode_t perm =3D 01775; =20 @@ -1642,4 +1643,16 @@ void LocalStore::vacuumDB() } =20 =20 +void LocalStore::createUser(const std::string & userName, uid_t userId) +{ + auto dir =3D settings.nixStateDir + "/profiles/per-user/" + userName; + + createDirs(dir); + if (chmod(dir.c_str(), 0755) =3D=3D -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + if (chown(dir.c_str(), userId, -1) =3D=3D -1) + throw SysError(format("changing owner of directory '%s'") % dir); +} + + } diff --git a/nix/libstore/local-store.hh b/nix/libstore/local-store.hh index 4113fafcb5..2e48cf03e6 100644 --- a/nix/libstore/local-store.hh +++ b/nix/libstore/local-store.hh @@ -180,6 +180,8 @@ public: =20 void setSubstituterEnv(); =20 + void createUser(const std::string & userName, uid_t userId); + private: =20 Path schemaPath; diff --git a/nix/libstore/store-api.hh b/nix/libstore/store-api.hh index 2d9dcbd573..7d2ad2270d 100644 --- a/nix/libstore/store-api.hh +++ b/nix/libstore/store-api.hh @@ -289,6 +289,10 @@ public: /* Check the integrity of the Nix store. Returns true if errors remain. */ virtual bool verifyStore(bool checkContents, bool repair) =3D 0; + + /* Create a profile for the given user. This is done by the daemon + because the 'profiles/per-user' directory is not writable by users.= */ + virtual void createUser(const std::string & userName, uid_t userId) = =3D 0; }; =20 =20 diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc index 1163a249d1..3dd156ba77 100644 --- a/nix/nix-daemon/nix-daemon.cc +++ b/nix/nix-daemon/nix-daemon.cc 
@@ -613,6 +613,17 @@ static void performOp(bool trusted, unsigned int clien= tVersion, || name =3D=3D "build-repeat" || name =3D=3D "multiplexed-build-output") settings.set(name, value); + else if (name =3D=3D "user-name" + && settings.clientUid =3D=3D (uid_t) -1) { + /* Create the user profile. This is necessary if + clientUid =3D -1, for instance because the client + connected over TCP. */ + struct passwd *pw =3D getpwnam(value.c_str()); + if (pw !=3D NULL) + store->createUser(value, pw->pw_uid); + else + printMsg(lvlInfo, format("user name %1% not found"= ) % value); + } else settings.set(trusted ? name : "untrusted-" + name, val= ue); } @@ -731,7 +742,7 @@ static void performOp(bool trusted, unsigned int client= Version, } =20 =20 -static void processConnection(bool trusted) +static void processConnection(bool trusted, uid_t userId) { canSendStderr =3D false; _writeToStderr =3D tunnelStderr; @@ -778,6 +789,15 @@ static void processConnection(bool trusted) /* Open the store. */ store =3D std::shared_ptr(new LocalStore(reserveSpace)); =20 + if (userId !=3D (uid_t) -1) { + /* Create the user profile. */ + struct passwd *pw =3D getpwuid(userId); + if (pw !=3D NULL && pw->pw_name !=3D NULL) + store->createUser(pw->pw_name, userId); + else + printMsg(lvlInfo, format("user with UID %1% not found") % = userId); + } + stopWork(); to.flush(); =20 @@ -963,7 +983,7 @@ static void acceptConnection(int fdSocket) /* Handle the connection. */ from.fd =3D remote; to.fd =3D remote; - processConnection(trusted); + processConnection(trusted, clientUid); =20 exit(0); }, false, "unexpected build daemon error: ", true); diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.sh index 758f18cc36..b58500966b 100644 --- a/tests/guix-daemon.sh +++ b/tests/guix-daemon.sh 
@@ -94,6 +94,27 @@ done =20 kill "$daemon_pid" =20 +# Make sure 'profiles/per-user' is created when connecting over TCP. + +orig_GUIX_STATE_DIRECTORY=3D"$GUIX_STATE_DIRECTORY" +GUIX_STATE_DIRECTORY=3D"$GUIX_STATE_DIRECTORY-2" + +guix-daemon --disable-chroot --listen=3D"localhost:9877" & +daemon_pid=3D$! + +GUIX_DAEMON_SOCKET=3D"guix://localhost:9877" +export GUIX_DAEMON_SOCKET + +test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user" + +guix build guile-bootstrap -d + +test -d "$GUIX_STATE_DIRECTORY/profiles/per-user/$USER" + +kill "$daemon_pid" +unset GUIX_DAEMON_SOCKET +GUIX_STATE_DIRECTORY=3D"$orig_GUIX_STATE_DIRECTORY" + # Check the failed build cache. =20 guix-daemon --no-substitutes --listen=3D"$socket" --disable-chroot \ diff --git a/tests/store.scm b/tests/store.scm index 518750d26a..2b14a4af0a 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -18,6 +18,7 @@ =20 (define-module (test-store) #:use-module (guix tests) + #:use-module (guix config) #:use-module (guix store) #:use-module (guix utils) #:use-module (guix monads) @@ -102,7 +103,17 @@ "/283gqy39v3g9dxjy26rynl0zls82fmcg-guile-2.0.7/bin/guile"))) (not (direct-store-path? (%store-prefix))))) =20 -(test-skip (if %store 0 13)) +(test-skip (if %store 0 15)) + +(test-equal "profiles/per-user exists and is not writable" + #o755 + (stat:perms (stat (string-append %state-directory "/profiles/per-user"))= )) + +(test-equal "profiles/per-user/$USER exists" + (list (getuid) #o755) + (let ((s (stat (string-append %state-directory "/profiles/per-user/" + (passwd:name (getpwuid (getuid))))))) + (list (stat:uid s) (stat:perms s)))) =20 (test-equal "add-data-to-store" #vu8(1 2 3 4 5) --=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-DRAFT-news-Add-entry-for-security-issue-with-var-gui.patch >From 07126db581f1854a2235c271fcdaecfb36705d5c Mon Sep 17 00:00:00 2001 
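Review bot: in the nix-daemon.cc `wopSetOptions` hunk, the `user-name` branch passes the raw client string to `store->createUser(value, pw->pw_uid)` after `getpwnam(value.c_str())` has succeeded; pass `pw->pw_name` instead, so the directory is named after the canonical passwd entry rather than whatever bytes the client sent. The branch also does not consult `trusted`, so any client that can reach a TCP listener can have the daemon create, as root, the profile directory of any account in the passwd database; the result is only an empty 0755 directory owned by that account, so the exposure is small, but it should be stated in a comment, and feeding unauthenticated input to `getpwnam` means NSS lookups driven by the network.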
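Review bot: `LocalStore::createUser` calls `chmod` and then `chown` on a path whose parent directory was world-writable on every installation that predates this fix, so an entry that already exists there may be a symlink or a directory created by a different user; `createDirs` is content with an existing directory, and both `chmod` and `chown` follow symlinks. The function should `lstat` the path and refuse anything that is not a plain directory before changing its mode and owner (or open it with `O_DIRECTORY | O_NOFOLLOW` and use `fchmod`/`fchown` on the descriptor), and a warning when an existing directory is owned by a UID other than `userId` would help administrators find the hijacked state the news entry describes.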
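Review bot: the `LocalStore::LocalStore` hunk only tightens `per-user` to 0755 inside the block guarded by `getuid() == 0 && settings.buildUsersGroup != ""` (the context Tobias quotes further down in the thread), so a root daemon started without a build-users group keeps whatever mode `per-user` already has, including the 1777 left behind by an older daemon; either move the `per-user` permission fix out of that conditional or say in the commit message why it must stay tied to the build-users group.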
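Review bot: in the tests/guix-daemon.sh hunk, `test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user"` runs after `guix-daemon --disable-chroot --listen="localhost:9877" &` has been launched, so it races with `createDirs(perUserDir)` in the `LocalStore` constructor and will fail intermittently on a fast machine; move that check before the daemon is started. The TCP test also only asserts that `per-user/$USER` exists; checking its mode and owner here too (as the tests/store.scm hunk does for the socket case) would cover the `user-name` path end to end.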
From: Ludovic Courtès
Date: Wed, 16 Oct 2019 12:16:20 +0200
Subject: [PATCH 2/2] DRAFT news: Add entry for security issue with /var/guix/profiles/per-user.

DRAFT: Update commit before pushing.

* etc/news.scm: Add entry for security issue in multi-user setups.
---
 etc/news.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index e19dec38dd..afcf5fadaa 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -9,6 +9,27 @@ (channel-news (version 0) + (entry (commit "FIXME") + (title (en "Security issue with profiles in multi-user setups")) + (body + (en "The default user profile, @file{~/.guix-profile}, points to +@file{/var/guix/profiles/per-user/$USER}. Until now, +@file{/var/guix/profiles/per-user} was world-writable, allowing the +@command{guix} command to create the @code{$USER} sub-directory. + +On a multi-user system, this allowed a malicious user to create and populate +that @code{$USER} sub-directory for another user that had not yet logged in. +Since @code{$USER} is in @code{$PATH}, the target user could end up running +attacker-provided code. See @uref{https://issues.guix.gnu.org/issue/37744} +for more information. + +This is now fixed by letting @command{guix-daemon} create these directories on +behalf of users and removing the world-writable permissions on +@code{per-user}. On multi-user systems, we recommend updating the daemon now. +To do that, run @code{sudo guix pull} if you're on a foreign distro, or run +@code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix +System."))) + (entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c") (title (en "GNU C Library upgraded") (de "GNU-C-Bibliothek aktualisiert") -- 2.23.0 --=-=-=-- From unknown Wed Sep 10 10:35:36 2025 X-Loop: help-debbugs@gnu.org Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 16 Oct 2019 13:27:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 37744 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: 37744@debbugs.gnu.org, guix-security@gnu.org Received: via spool by 37744-submit@debbugs.gnu.org id=B37744.157123236632394 (code B ref 37744); Wed, 16 Oct 2019 13:27:02 +0000 Received: (at 37744) by debbugs.gnu.org; 16 Oct 2019 13:26:06 +0000 Received: from localhost 
From: Ludovic Courtès
Date: Wed, 16 Oct 2019 15:25:56 +0200
In-Reply-To: <87tv89rnva.fsf@gnu.org>
Message-ID: <878spksty3.fsf@gnu.org>

Hello!

In addition to the news entry that ‘guix pull’ will display, we may want to publicize the issue. In particular, should we:

1. Apply for a new CVE?
2. Post an article on the blog to explain in detail what happened? That should probably include an analysis like that at , given that Guix does things not entirely like Nix here.
3. Email that analysis to oss-security?
4. Push a new release?

I’m tempted to think that we should do 1 to 3, as quickly as we can. Help welcome, in particular on #2!

As for #4, I think we should push a new release soon anyway, but maybe not just specifically for this issue since it can be addressed simply by upgrading.

Thoughts?

Ludo’.
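As an added defender's check, not code from this thread or from Guix: a POSIX shell function that audits an existing state directory for the conditions the patch above corrects and the news entry describes, namely a group- or world-writable `per-user`, entries that are symlinks or not plain directories, names that map to no account, and entries not owned by (or writable by others than) the user they are named after. It assumes a Linux host with GNU coreutils `stat`, a working `id`, and the `/profiles/per-user` layout from the patch.

```shell
# audit_per_user STATE_DIR
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
# Assumes GNU coreutils `stat` (Linux); STATE_DIR is e.g. /var/guix.
audit_per_user() {
    dir="$1/profiles/per-user"
    rc=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "MISSING-OR-SYMLINK $dir"
        return 1
    fi

    # The fixed daemon sets per-user to 0755.  Any group or world write bit
    # (the pre-fix state was 1777) lets other local users create entries.
    mode=$(stat -c '%a' "$dir")
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "BAD-MODE $dir mode=$mode (expected 755)"
        rc=1
    fi

    for entry in "$dir"/* "$dir"/.[!.]*; do
        # Skip the literal patterns left behind by globs that matched nothing.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}

        # chmod/chown follow symlinks, so a link planted while per-user was
        # world-writable is the worst leftover; report it before anything else.
        if [ -L "$entry" ]; then
            echo "SYMLINK $entry"; rc=1; continue
        fi
        if [ ! -d "$entry" ]; then
            echo "NOT-A-DIRECTORY $entry"; rc=1; continue
        fi

        # Every entry should be named after an existing account ...
        if ! id -u "$name" >/dev/null 2>&1; then
            echo "NO-SUCH-USER $entry"; rc=1; continue
        fi
        # ... and owned by that account, which is what createUser enforces.
        owner=$(stat -c '%U' "$entry")
        if [ "$owner" != "$name" ]; then
            echo "OWNER-MISMATCH $entry owner=$owner"; rc=1
        fi
        # A per-user/$USER writable by others is as bad as the parent being so.
        emode=$(stat -c '%a' "$entry")
        if [ $((0$emode & 022)) -ne 0 ]; then
            echo "ENTRY-WRITABLE $entry mode=$emode"; rc=1
        fi
    done
    return "$rc"
}
```

Run `audit_per_user /var/guix` as root on a multi-user host; a non-zero exit means at least one finding to look at.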
From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Wed, 16 Oct 2019 14:14:01 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
From: Tobias Geerinckx-Rice
Date: Wed, 16 Oct 2019 16:12:50 +0200
In-Reply-To: <87tv89rnva.fsf@gnu.org>
Message-ID: <87imoook2l.fsf@nckx>

Ludo',

That was swift, thanks! IANAC++.

Ludovic Courtès wrote:
> diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
> index 3b08492c64..3793382361 100644
> --- a/nix/libstore/local-store.cc
> +++ b/nix/libstore/local-store.cc
> @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace)
>  
> Path perUserDir = profilesDir + "/per-user";
> createDirs(perUserDir);
> - if (chmod(perUserDir.c_str(), 01777) == -1)
> - throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
> + if (chmod(perUserDir.c_str(), 0755) == -1)
> + throw SysError(format("could not set permissions on '%1%' to 755")
> + % perUserDir);
>  
> mode_t perm = 01775;

This is inside

  if (getuid() == 0 && settings.buildUsersGroup != "") {
    …
  }

It's not clear to me why the second condition here is relevant, but I don't have the big picture. Nor do I suspect I want it.

Kind regards,

T G-R

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: "pelzflorian (Florian Pelz)"
Resent-Date: Wed, 16 Oct 2019 14:23:02 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Wed, 16 Oct 2019 16:22:21 +0200
From: "pelzflorian (Florian Pelz)"
Message-ID: <20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain>
In-Reply-To: <878spksty3.fsf@gnu.org>

Thank you for ensuring security issues are fixed.

On Wed, Oct 16, 2019 at 12:22:33PM +0200, Ludovic Courtès wrote:
> +This is now fixed by letting @command{guix-daemon} create these directories on
> +behalf of users and removing the world-writable permissions on
> +@code{per-user}. On multi-user systems, we recommend updating the daemon now.
> +To do that, run @code{sudo guix pull} if you're on a foreign distro, or run
> +@code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix
> +System.")))

Why sudo guix pull? It should be without sudo, am I wrong?

I will translate now and submit a patch.
Regards,
Florian

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Wed, 16 Oct 2019 15:17:01 +0000
To: "pelzflorian (Florian Pelz)", 37744@debbugs.gnu.org, guix-security@gnu.org
From: Tobias Geerinckx-Rice
Date: Wed, 16 Oct 2019 17:16:47 +0200
In-Reply-To: <20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain>
Message-ID: <87ftjsoh40.fsf@nckx>

pelzflorian,

pelzflorian (Florian Pelz) wrote:
> Why sudo guix pull? It should be without sudo, am I wrong?

Guix on ‘foreign’ distributions uses the root profile for the daemon by default (i.e. in guix-daemon.service).

You could change this to a regular user's profile, but that amounts to giving this user passwordless root access.
Kind regards,

T G-R

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: "pelzflorian (Florian Pelz)"
Resent-Date: Wed, 16 Oct 2019 15:20:02 +0000
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Wed, 16 Oct 2019 17:19:22 +0200
From: "pelzflorian (Florian Pelz)"
Message-ID: <20191016151922.5fanqbt6kiv4offx@pelzflorian.localdomain>
In-Reply-To: <87ftjsoh40.fsf@nckx>

On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote:
> pelzflorian (Florian Pelz) wrote:
> > Why sudo guix pull? It should be without sudo, am I wrong?
>
> Guix on ‘foreign’ distributions uses the root profile for the daemon by
> default (i.e. in guix-daemon.service).
>

Sorry for being imprecise. I meant on Guix System.
Regards,
Florian

From unknown Wed Sep 10 10:35:36 2025
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Wed, 16 Oct 2019 15:24:01 +0000
To: "pelzflorian (Florian Pelz)"
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
From: Tobias Geerinckx-Rice
Date: Wed, 16 Oct 2019 17:23:08 +0200
In-Reply-To: <20191016151922.5fanqbt6kiv4offx@pelzflorian.localdomain>
Message-ID: <87eezcogtf.fsf@nckx>

pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote:
>> blah blah blah
>
> Sorry for being imprecise. I meant on Guix System.

Sorry for misreading, you're right that it shouldn't be needed (or recommended IMO).
Kind regards,

T G-R

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: "pelzflorian (Florian Pelz)"
Resent-Date: Wed, 16 Oct 2019 15:38:02 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 17:37:56 +0200
From: "pelzflorian (Florian Pelz)"
Message-ID: <20191016153756.xlnhk6axmg6tx35b@pelzflorian.localdomain>
In-Reply-To: <20191016142221.qys2y2cb4spmwscq@pelzflorian.localdomain>

On Wed, Oct 16, 2019 at 04:22:21PM +0200, pelzflorian (Florian Pelz) wrote:
> Why sudo guix pull? It should be without sudo, am I wrong?
> The attached patch adds a German translation.

Please remove the last sudo from the de translation too if you agree that it is wrong.

Regards,
Florian

Attachment: 0001-nls-Update-de-translation-of-news-entries.patch

From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001
From: Florian Pelz
Date: Wed, 16 Oct 2019 16:37:27 +0200
Subject: [PATCH] nls: Update 'de' translation of news entries.

* etc/news.scm: Add new 'de' translation.
---
 etc/news.scm | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/etc/news.scm b/etc/news.scm
index afcf5fadaa..27130092c6 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -10,7 +10,8 @@ (version 0) (entry (commit "FIXME") - (title (en "Security issue with profiles in multi-user setups")) + (title (en "Security issue with profiles in multi-user setups") + (de "Sicherheitslücke bei Profilen in Mehrbenutzersystemen")) (body (en "The default user profile, @file{~/.guix-profile}, points to @file{/var/guix/profiles/per-user/$USER}. Until now, 
@@ -28,7 +29,27 @@ behalf of users and removing the world-writable permissions on @code{per-user}. On multi-user systems, we recommend updating the daemon now. To do that, run @code{sudo guix pull} if you're on a foreign distro, or run @code{sudo guix pull && sudo guix system reconfigure @dots{}} on Guix -System."))) +System.") + (de "Das voreingestellte Benutzerprofil, @file{~/.guix-profile}, +verweist auf @file{/var/guix/profiles/per-user/$USER}. Bisher hatte jeder +Benutzer Schreibzugriff auf @file{/var/guix/profiles/per-user}, wodurch der +@command{guix}-Befehl berechtigt war, das Unterverzeichnis @code{$USER} +anzulegen. + +Wenn mehrere Benutzer dasselbe System benutzen, kann ein böswilliger Benutzer +so das Unterverzeichnis @code{$USER} und Dateien darin für einen anderen +Benutzer anlegen, wenn sich dieser noch nie angemeldet hat. Weil @code{$USER} +auch in @code{$PATH} aufgeführt ist, kann der betroffene Nutzer dazu gebracht +werden, vom Angreifer vorgegebenen Code auszuführen. Siehe +@uref{https://issues.guix.gnu.org/issue/37744} für weitere Informationen. + +Der Fehler wurde nun behoben, indem @command{guix-daemon} diese Verzeichnisse +jetzt selbst anlegt statt das dem jeweiligen Benutzerkonto zu überlassen. Der +Schreibzugriff auf @code{per-user} wird den Benutzern entzogen. Auf einem +System mit mehreren Benutzern empfehlen wir, den Daemon jetzt zu +aktualisieren. 
Auf einer Fremddistribution führen Sie dazu @code{sudo guix +pull} aus; auf einem Guix-System führen Sie @code{sudo guix pull && sudo guix +system reconfigure …} aus."))) (entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c") (title (en "GNU C Library upgraded") -- 2.23.0

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Julien Lepiller
Resent-Date: Wed, 16 Oct 2019 16:29:01 +0000
To: 37744@debbugs.gnu.org, ludo@gnu.org, me@tobias.gr
Cc: guix-security@gnu.org
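Review bot: the de body in the second hunk still tells Guix System users to run `@code{sudo guix pull && sudo guix +system reconfigure …}`, while the cover note for this very patch asks for that last sudo to be dropped, and the revised English entry proposed later in this thread reads `guix pull && sudo guix system reconfigure @dots{}` and adds a sentence about restarting the service with herd or systemctl; the de title and body should be re-synced with that revised source text before the translation is committed. Two smaller points in the same hunk: the German uses a literal `…` where the English source uses `@dots{}`, so the Texinfo markup should match, and the de title translates the old English title, which the revision renames to "Insecure @file{/var/guix/profiles/per-user} permissions".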
Date: Wed, 16 Oct 2019 18:28:08 +0200
In-Reply-To: <87tv89rnva.fsf@gnu.org>
From: Julien Lepiller

On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" wrote:
> Hello!
>
> Here’s a patch that fixes the issue, partly based on what the Nix folks
> did.
>
> For the client-connecting-over-TCP case, I added special handling:
> ‘set-build-options’ now passes a “user-name” property, potentially
> allowing to create ‘per-user/$USER’ at that point (like you suggested,
> Tobias.)
>
> In a cluster setup, it means that the machine that runs ‘guix-daemon’
> must see the same users as the machines where its clients run, but
> that’s basically already what we expect:
> .
>
> There’s one case that won’t be correctly handled: in a cluster setup,
> an old client talking to a new daemon won’t provide info to create
> ‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create
> the user’s profile if it doesn’t already exist. I think that’s hard to
> avoid though.
>
> Thoughts?
>
> Thanks,
> Ludo’.

We could advise people to restart the service too, with e.g. systemctl restart guix-daemon

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Ludovic Courtès
Resent-Date: Wed, 16 Oct 2019 17:06:01 +0000
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-i18n@gnu.org, "pelzflorian (Florian Pelz)", guix-security@gnu.org
From: Ludovic Courtès
Date: Wed, 16 Oct 2019 19:05:44 +0200
Message-ID: <87ftjsk4d3.fsf@gnu.org>
In-Reply-To: <87eezcogtf.fsf@nckx> (Tobias Geerinckx-Rice's message of "Wed, 16 Oct 2019 17:23:08 +0200")

Hi!

Thanks for your feedback Tobias, Florian, and Julien!

Taking that into account, I propose this (I’ve also changed the title to
make it hopefully clearer):

--8<---------------cut here---------------start------------->8---
(entry (commit "FIXME")
       (title (en "Insecure @file{/var/guix/profiles/per-user} permissions"))
       (body
        (en "The default user profile, @file{~/.guix-profile}, points to
@file{/var/guix/profiles/per-user/$USER}.  Until now,
@file{/var/guix/profiles/per-user} was world-writable, allowing the
@command{guix} command to create the @code{$USER} sub-directory.

On a multi-user system, this allowed a malicious user to create and populate
that @code{$USER} sub-directory for another user that had not yet logged in.
Since @code{/var/@dots{}/$USER} is in @code{$PATH}, the target user could end
up running attacker-provided code.
See @uref{https://issues.guix.gnu.org/issue/37744} for more information.

This is now fixed by letting @command{guix-daemon} create these directories on
behalf of users and removing the world-writable permissions on
@code{per-user}.  On multi-user systems, we recommend updating the daemon now.
To do that, run @code{sudo guix pull} if you're on a foreign distro, or run
@code{guix pull && sudo guix system reconfigure @dots{}} on Guix System.  In
both cases, make sure to restart the service afterwards, with @code{herd} or
@code{systemctl}.")))
--8<---------------cut here---------------end--------------->8---

If this is fine with you, I hereby request translation of this entry.  :-)

I’ll commit the change within a few hours if there are no objections.

Ludo’.

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Wed, 16 Oct 2019 19:51:02 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
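An audit for the two conditions the news entry above describes (a world-writable per-user directory, and a $USER sub-directory not owned by the user it is named after), added here as an editor's example; it is not code from this thread or from Guix. The path comes from the entry; the expectation that the parent directory is root-owned and 0755 is this example's assumption about how guix-daemon manages it, and the `bob`/`alice` accounts and the scratch tree are constructed test data.

```python
"""Added example (not from the thread or from Guix): audit a
/var/guix/profiles/per-user tree for the two weaknesses the news entry
describes.  The path comes from the entry; "parent is root-owned and
0755" is this example's assumption about how guix-daemon manages it."""
import os
import pwd
import stat
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

PER_USER = "/var/guix/profiles/per-user"  # path quoted in the news entry

# (entry name, or "." for the per-user directory itself; message)
Finding = Tuple[str, str]


def resolve_uid(name: str) -> Optional[int]:
    """Look NAME up in the passwd database; None if no such account."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_per_user(path: str = PER_USER,
                   uid_of: Callable[[str], Optional[int]] = resolve_uid
                   ) -> List[Finding]:
    """Return findings for PATH; an empty list means nothing suspicious."""
    findings: List[Finding] = []
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [(".", "%s is not a directory" % path)]

    # Weakness 1 from the entry: per-user is world-writable, so any local
    # user can create "$USER" for an account that has never logged in.  A
    # sticky bit (as on /tmp) does not help: it only restricts deleting or
    # renaming entries owned by others, not creating new ones.
    if st.st_mode & stat.S_IWOTH:
        findings.append((".", "per-user is world-writable (mode %04o); after the "
                              "fix guix-daemon creates the sub-directories"
                              % stat.S_IMODE(st.st_mode)))
    # Assumption of this example: the daemon runs as root, so the parent it
    # now manages should be root-owned; a user-owned parent is just as weak.
    if st.st_uid != 0:
        findings.append((".", "per-user is owned by uid %d, expected root" % st.st_uid))

    # Weakness 2: a "$USER" sub-directory not owned by that user.  That is
    # what a directory pre-created by someone else looks like, because an
    # unprivileged creator cannot chown it to the target user afterwards.
    for name in sorted(os.listdir(path)):
        sst = os.lstat(os.path.join(path, name))
        if not stat.S_ISDIR(sst.st_mode):
            continue
        expected = uid_of(name)
        if expected is None:
            findings.append((name, "no account %r exists, yet a profile directory "
                                   "owned by uid %d does" % (name, sst.st_uid)))
        elif sst.st_uid != expected:
            findings.append((name, "owned by uid %d but user %r is uid %d"
                                   % (sst.st_uid, name, expected)))
    return findings


# --- Constructed demonstration data (not a real system) ---------------------
# Two fake accounts: "bob" is whoever runs this script, "alice" is someone
# else, so the directory we create under her name is the planted case.
FAKE_USERS: Dict[str, int] = {"bob": os.getuid(), "alice": os.getuid() + 1}


def fake_uid_of(name: str) -> Optional[int]:
    return FAKE_USERS.get(name)


def build_pre_fix_tree(scratch: str) -> str:
    """Lay per-user out as it was before the fix: world-writable (sticky)."""
    per_user = os.path.join(scratch, "per-user")
    os.mkdir(per_user)
    os.chmod(per_user, 0o1777)
    os.mkdir(os.path.join(per_user, "bob"))    # bob's own profile directory
    os.mkdir(os.path.join(per_user, "alice"))  # created by us, not by alice
    return per_user


def demo() -> Dict[str, List[Finding]]:
    """Audit the constructed tree before and after the permission fix."""
    with tempfile.TemporaryDirectory() as scratch:
        per_user = build_pre_fix_tree(scratch)
        before = audit_per_user(per_user, fake_uid_of)
        os.chmod(per_user, 0o755)  # the permission half of the fix
        after = audit_per_user(per_user, fake_uid_of)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, findings in demo().items():
        print("%s: %s" % (phase, "clean" if not findings else ""))
        for entry, message in findings:
            print("  %s: %s" % (entry, message))
```

Run as root against the real path it reports on the live tree; the planted "alice" directory keeps showing up after the chmod, which is why the entry has the daemon, not the user, create these directories.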
From: Tobias Geerinckx-Rice
Date: Wed, 16 Oct 2019 21:50:22 +0200
Message-ID: <87d0ewo4g1.fsf@nckx>
In-Reply-To: <87ftjsk4d3.fsf@gnu.org>

Ludo',

Ludovic Courtès wrote:
> Taking that into account, I propose this (I’ve also changed the
> title to
> make it hopefully clearer):

Here's my NL translation:

(nl "Onveilige @file{/var/guix/profiles/per-user}-rechten"))

(nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst naar
@file{/var/guix/profiles/per-user/$USER}.  Tot op heden kon om het evenwie in
@file{/var/guix/profiles/per-user} schrijven, wat het @command{guix}-commando
toestond de @code{$USER} submap aan te maken.

Op systemen met meerdere gebuikers kon hierdoor een kwaadaardige gebruiker een
@code{$USER} submap met inhoud aanmaken voor een andere gebruiker die nog niet
was ingelogd.  Omdat @code{/var/@dots{}/$USER} zich in @code{$PATH} bevindt,
kon het doelwit zo code uitvoeren die door de aanvaller zelf werd aangeleverd.
Zie @uref{https://issues.guix.gnu.org/issue/37744} voor meer informatie.

Dit probleem is nu verholpen: schrijven door iedereen in @code{per-user} is
niet meer toegestaan en @command{guix-daemon} maakt zelf submappen aan namens
de gebruiker.  Op systemen met meerdere gebruikers raden we aan om
@code{guix-daemon} nu bij te werken.  Op Guix System kan dit met
@code{guix pull && sudo guix system reconfigure @dots{}}, op andere
distributies met @code{sudo guix pull}.  Herstart vervolgens in beide gevallen
@code{guix-daemon} met @code{herd} of @code{systemctl}.")

Kind regards,

T G-R

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Wed, 16 Oct 2019 19:56:01 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
From: Tobias Geerinckx-Rice
Date: Wed, 16 Oct 2019 21:55:12 +0200
Message-ID: <87blugo47z.fsf@nckx>
In-Reply-To: <87d0ewo4g1.fsf@nckx>

Let's try that again:

Attachment: Translation

(nl "Onveilige @file{/var/guix/profiles/per-user}-rechten"))

(nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst naar
@file{/var/guix/profiles/per-user/$USER}.  Tot op heden kon om het even wie in
@file{/var/guix/profiles/per-user} schrijven, wat het @command{guix}-commando
toestond de @code{$USER} submap aan te maken.

Op systemen met meerdere gebuikers kon hierdoor een kwaadaardige gebruiker een
@code{$USER} submap met inhoud aanmaken voor een andere gebruiker die nog niet
was ingelogd.  Omdat @code{/var/@dots{}/$USER} zich in @code{$PATH} bevindt,
kon het doelwit zo code uitvoeren die door de aanvaller zelf werd aangeleverd.
Zie @uref{https://issues.guix.gnu.org/issue/37744} voor meer informatie.
Dit probleem is nu verholpen: schrijven door iedereen in @code{per-user} is
niet meer toegestaan en @command{guix-daemon} maakt zelf submappen aan namens
de gebruiker.  Op systemen met meerdere gebruikers raden we aan om
@code{guix-daemon} nu bij te werken.  Op Guix System kan dit met
@code{guix pull && sudo guix system reconfigure @dots{}}, op andere
distributies met @code{sudo guix pull}.  Herstart vervolgens in beide gevallen
@code{guix-daemon} met @code{herd} of @code{systemctl}.")

Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Resent-From: Julien Lepiller
Resent-Date: Wed, 16 Oct 2019 19:59:02 +0000
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 21:58:39 +0200
From: Julien Lepiller
Message-ID: <20191016215839.73c32b64@sybil.lepiller.eu>
In-Reply-To: <87ftjsk4d3.fsf@gnu.org>

On Wed, 16 Oct 2019 19:05:44 +0200, Ludovic Courtès wrote:
> Hi!
>
> Thanks for your feedback Tobias, Florian, and Julien!
>
> Taking that into account, I propose this (I’ve also changed the title
> to make it hopefully clearer):
>
> --8<---------------cut here---------------start------------->8---
> (entry (commit "FIXME")
>        (title (en "Insecure @file{/var/guix/profiles/per-user}
> permissions")) (body
>        (en "The default user profile, @file{~/.guix-profile},
> points to @file{/var/guix/profiles/per-user/$USER}.  Until now,
> @file{/var/guix/profiles/per-user} was world-writable, allowing the
> @command{guix} command to create the @code{$USER} sub-directory.
>
> On a multi-user system, this allowed a malicious user to create and
> populate that @code{$USER} sub-directory for another user that had
> not yet logged in.  Since @code{/var/@dots{}/$USER} is in
> @code{$PATH}, the target user could end up running attacker-provided
> code.
> See @uref{https://issues.guix.gnu.org/issue/37744} for more
> information.
>
> This is now fixed by letting @command{guix-daemon} create these
> directories on behalf of users and removing the world-writable
> permissions on @code{per-user}.  On multi-user systems, we recommend
> updating the daemon now.  To do that, run @code{sudo guix pull} if
> you're on a foreign distro, or run @code{guix pull && sudo guix
> system reconfigure @dots{}} on Guix System.  In both cases, make sure
> to restart the service afterwards, with @code{herd} or
> @code{systemctl}.")))
> --8<---------------cut here---------------end--------------->8---

For French (feel free to rework the text if you find anything to object to :)):

Title: Permissions laxistes pour @file{/var/guix/profiles/per-user}

Body:

Le profil utilisateur par défaut, @file{~/.guix-profile}, pointe vers
@file{/var/guix/profiles/per-user/$USER}. Jusqu'à maintenant,
@file{/var/guix/profiles/per-user} était disponible en écriture pour tout le
monde, ce qui permettait à la commande @command{guix} de créer le
sous-répertoire @code{$USER}.

Sur un système multi-utilisateur, cela permet à un utilisateur malveillant de
créer et de remplir le sous-répertoire @code{USER} pour n'importe quel
utilisateur qui ne s'est jamais connecté. Comme @code{/var/@dots{}/$USER}
fait partie de @code{$PATH}, l'utilisateur ciblé pouvait exécuter des
programmes fournis par l'attaquant. Voir
@uref{https://issues.guix.gnu.org/issue/37744} pour plus de détails.

Cela est maintenant corrigé en laissant à @command{guix-daemon} le soin de
créer ces répertoires pour le compte des utilisateurs et en supprimant les
permissions en écriture pour tout le monde sur @code{per-user}. Nous te
recommandons de mettre à jour le démon immédiatement.
Pour cela, lance @code{sudo guix pull} si tu es sur une distro externe ou @code{guix pull && sudo guix system reconfigure @dots{}} sur le syst=C3=A8me Guix. Dans tous les cas, assure-toi ensuite de red=C3=A9marrer le service avec @code{herd} ou @code{systemctl}. >=20 > If this is fine with you, I hereby request translation of this entry. > :-) >=20 > I=E2=80=99ll commit the change within a few hours if there are no objecti= ons. >=20 > Ludo=E2=80=99. >=20 >=20 >=20 From unknown Wed Sep 10 10:35:36 2025 X-Loop: help-debbugs@gnu.org Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix) Resent-From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Wed, 16 Oct 2019 20:02:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 37744 X-GNU-PR-Package: guix X-GNU-PR-Keywords: security To: Tobias Geerinckx-Rice Cc: 37744@debbugs.gnu.org, guix-security@gnu.org Received: via spool by 37744-submit@debbugs.gnu.org id=B37744.15712561086136 (code B ref 37744); Wed, 16 Oct 2019 20:02:02 +0000 Received: (at 37744) by debbugs.gnu.org; 16 Oct 2019 20:01:48 +0000 Received: from localhost ([127.0.0.1]:46613 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iKpUR-0001au-Um for submit@debbugs.gnu.org; Wed, 16 Oct 2019 16:01:48 -0400 Received: from eggs.gnu.org ([209.51.188.92]:56776) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iKpUQ-0001ai-LI for 37744@debbugs.gnu.org; Wed, 16 Oct 2019 16:01:46 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:49977) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1iKpUL-000787-GK; Wed, 16 Oct 2019 16:01:41 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=58948 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1iKpUJ-00016R-Pd; Wed, 16 Oct 2019 16:01:41 -0400 
From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org, guix-security@gnu.org
Date: Wed, 16 Oct 2019 22:01:37 +0200
In-Reply-To: <87imoook2l.fsf@nckx> (Tobias Geerinckx-Rice's message of "Wed, 16 Oct 2019 16:12:50 +0200")
Message-ID: <87a7a0jw7y.fsf@gnu.org>

Tobias Geerinckx-Rice skribis:

> Ludovic Courtès wrote:
>> diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc
>> index 3b08492c64..3793382361 100644
>> --- a/nix/libstore/local-store.cc
>> +++ b/nix/libstore/local-store.cc
>> @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace)
>>  Path perUserDir = profilesDir + "/per-user";
>>  createDirs(perUserDir);
>> - if (chmod(perUserDir.c_str(), 01777) == -1)
>> -     throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
>> + if (chmod(perUserDir.c_str(), 0755) == -1)
>> +     throw SysError(format("could not set permissions on '%1%' to 755")
>> +                    % perUserDir);
>>  mode_t perm = 01775;
>
> This is inside
>
>     if (getuid() == 0 && settings.buildUsersGroup != "") {
>         …
>     }
>
> It's not clear to me why the second condition here is relevant, but I
> don't have the big picture.  Nor do I suspect I want it.

Yeah ‘settings.buildUsersGroup != ""’ probably doesn’t make all that much
sense here but it was already there and we strongly discourage against
root without ‘--build-users-group’ anyway.

Thanks for having lynx eyes!  :-)

Ludo’.

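Review bot: the chmod to 0755 after createDirs(perUserDir) only tightens the mode of the top-level directory; nothing in the hunk looks at entries already present under per-user, so a $USER sub-directory that another account created while the directory was still 01777 keeps its owner and contents across the daemon upgrade. Consider having the daemon verify (or at least log) the ownership of existing per-user/$USER entries before it adopts them, and document that this block is only reached under the `getuid() == 0 && settings.buildUsersGroup != ""` condition quoted above, so a daemon started as root without --build-users-group never applies the new mode.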
From: Ludovic Courtès
To: 37744@debbugs.gnu.org
Cc: guix-security@gnu.org
Date: Wed, 16 Oct 2019 22:28:17 +0200
In-Reply-To: <878spksty3.fsf@gnu.org> (Ludovic Courtès's message of "Wed, 16 Oct 2019 15:25:56 +0200")
Message-ID: <875zkojuzi.fsf@gnu.org>

Ludovic Courtès skribis:

> In addition to the news entry that ‘guix pull’ will display, we may want
> to publicize the issue.  In particular, should we:
>
>   1. Apply for a new CVE?

I went ahead and asked for a CVE ID via .

Ludo’.

From: Ludovic Courtès
To: Julien Lepiller
Cc: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 23:38:07 +0200
In-Reply-To: <20191016215839.73c32b64@sybil.lepiller.eu> (Julien Lepiller's message of "Wed, 16 Oct 2019 21:58:39 +0200")
Message-ID: <871rvcid6o.fsf@gnu.org>

Julien Lepiller skribis:

> For the French (feel free to rework the text if you find anything to
> object to :)):

Pushed on your behalf, merci ! :-)

Ludo'.

From: Ludovic Courtès
To: "pelzflorian (Florian Pelz)"
Cc: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 23:39:37 +0200
In-Reply-To: <20191016153756.xlnhk6axmg6tx35b@pelzflorian.localdomain> (pelzflorian@pelzflorian.de's message of "Wed, 16 Oct 2019 17:37:56 +0200")
Message-ID: <87wod4gyjq.fsf@gnu.org>

Hi Florian,

"pelzflorian (Florian Pelz)" skribis:

> From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001
> From: Florian Pelz
> Date: Wed, 16 Oct 2019 16:37:27 +0200
> Subject: [PATCH] nls: Update 'de' translation of news entries.
>
> * etc/news.scm: Add new 'de' translation.

I committed this with minor changes (removed “sudo”, etc.), but the
translation corresponds to the first version of the entry.  Please feel
free to commit changes directly to update it!

Thanks,
Ludo’.

From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 23:40:07 +0200
In-Reply-To: <87blugo47z.fsf@nckx> (Tobias Geerinckx-Rice's message of "Wed, 16 Oct 2019 21:55:12 +0200")
Message-ID: <87sgnsgyiw.fsf@gnu.org>

Tobias Geerinckx-Rice skribis:

> Let's try that again:

Committed on your behalf, thanks!  :-)

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Ludovic Courtès
Subject: bug#37744: closed (Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix))
Reply-To: 37744@debbugs.gnu.org
Date: Wed, 16 Oct 2019 21:42:04 +0000

Your bug report

#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.

If you require more details, please reply to 37744@debbugs.gnu.org.

-- 
37744: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=37744
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

Content-Type: message/rfc822
Content-Disposition: inline

From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744-done@debbugs.gnu.org
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 23:41:41 +0200
In-Reply-To: <87blugo47z.fsf@nckx> (Tobias Geerinckx-Rice's message of "Wed, 16 Oct 2019 21:55:12 +0200")
Message-ID: <87o8yggyga.fsf@gnu.org>

I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed by
an update of the ‘guix’ package in e63b31443b29b7793e73ab04798220edc6e564fc.

Thanks everyone!

Ludo’.

Content-Type: message/rfc822
Content-Disposition: inline
From: Ludovic Courtès
To: bug-guix@gnu.org
Cc: guix-security@gnu.org, GNU Guix maintainers
Subject: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 09:47:35 +0200
Message-ID: <87o8yjsr8o.fsf@gnu.org>

Hello Guix,

That the per-user profile directory is world-writable allows an attacker
to hijack code run by other users, as has been reported in the context
of Nix:

  https://www.openwall.com/lists/oss-security/2019/10/09/4

I believe it applies to Guix as well.  Nix people are tracking it here:

  https://github.com/NixOS/nix/pull/3134
  https://github.com/NixOS/nix/issues/509

Looks like we’ll need to do something similar to: .

Thoughts?

Thanks,
Ludo’.

From: "pelzflorian (Florian Pelz)"
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
Date: Thu, 17 Oct 2019 04:58:20 +0200
Message-ID: <20191017025819.ptdeqtscgphvqyw7@pelzflorian.localdomain>
In-Reply-To: <87wod4gyjq.fsf@gnu.org>

On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote:
> I committed this with minor changes (removed “sudo”, etc.), but the
> translation corresponds to the first version of the entry.  Please feel
> free to commit changes directly to update it!
>

Oh no, it seems my message did not get through.  I should not have
sent it off-list, how stupid of me.

----- Forwarded message from "pelzflorian (Florian Pelz)" -----

Date: Wed, 16 Oct 2019 21:00:57 +0200
From: "pelzflorian (Florian Pelz)"
To: Ludovic Courtès
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
User-Agent: NeoMutt/20180716

(Off-list.)

On Wed, Oct 16, 2019 at 07:05:44PM +0200, Ludovic Courtès wrote:
> If this is fine with you, I hereby request translation of this entry.
> :-)

(title […]
       (de "Security hole in @file{/var/guix/profiles/per-user} permissions")
(body […]
      (de "The default user profile, @file{~/.guix-profile}, points to
@file{/var/guix/profiles/per-user/$USER}.  Until now, every user had
write access to @file{/var/guix/profiles/per-user}, which entitled the
@command{guix} command to create the @code{$USER} sub-directory.

When several users share the same system, a malicious user can thereby
create the @code{$USER} sub-directory, and files inside it, for another
user who has never logged in.  Because @code{/var/…/$USER} is also
listed in @code{$PATH}, the affected user can be made to run code
supplied by the attacker.  See
@uref{https://issues.guix.gnu.org/issue/37744} for more information.

The bug has now been fixed by having @command{guix-daemon} create these
directories itself instead of leaving that to the respective user
account.  Write access to @code{per-user} is withdrawn from users.  For
systems with several users we recommend updating the daemon now.  On a
foreign distribution, run @code{sudo guix pull} to do so; on a Guix
System, run @code{guix pull && sudo guix system reconfigure …}.  In
both cases, make sure to restart the service with @code{herd} or
@code{systemctl}.")

Thank you for your important work!
:)

Regards,
Florian

----- End forwarded message -----

Regards,
Florian

From: "pelzflorian (Florian Pelz)"
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org
Date: Thu, 17 Oct 2019 05:01:57 +0200
Message-ID: <20191017030157.rriyxhdkhhjvalyd@pelzflorian.localdomain>
In-Reply-To: <20191017025819.ptdeqtscgphvqyw7@pelzflorian.localdomain>

On Thu, Oct 17, 2019 at 04:58:19AM +0200, pelzflorian (Florian Pelz) wrote:
> On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote:
> > I committed this with minor changes (removed “sudo”, etc.), but the
> > translation corresponds to the first version of the entry.  Please feel
> > free to commit changes directly to update it!
> >
>
> Oh no, it seems my message did not get through.  I should not have
> sent it off-list, how stupid of me.
>

Will commit now.

From: Ludovic =?UTF-8?Q?Court=C3=A8s?= References: <87o8yjsr8o.fsf@gnu.org> <87blujsqq0.fsf@gnu.org> <87y2xno85o.fsf@nckx> <87d0eyuqzd.fsf@gnu.org> <87mue2nkrj.fsf@nckx> <8736fttby6.fsf@gnu.org> <87tv89rnva.fsf@gnu.org> <878spksty3.fsf@gnu.org> Date: Thu, 17 Oct 2019 18:18:49 +0200 In-Reply-To: <878spksty3.fsf@gnu.org> ("Ludovic \=\?utf-8\?Q\?Court\=C3\=A8s\=22'\?\= \=\?utf-8\?Q\?s\?\= message of "Wed, 16 Oct 2019 15:25:56 +0200") Message-ID: <87blufny52.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hi! Ludovic Court=C3=A8s skribis: > In addition to the news entry that =E2=80=98guix pull=E2=80=99 will displ= ay, we may want > to publicize the issue. In particular, should we: > > 1. Apply for a new CVE? > > 2. Post an article on the blog to explain in detail what happened? > That should probably include an analysis like that at > , given > that Guix does things not entirely like Nix here. > > 3. Email that analysis to oss-security? > > 4. Push a new release? > > I=E2=80=99m tempted to think that we should do 1 to 3, as quickly as we c= an. > Help welcome, in particular on #2! Attached is a draft based on =E2=80=98etc/news.scm=E2=80=99. Let me know what you think! Ludo=E2=80=99. 
[attachment: insecure-permissions.md]

title: Insecure permissions on profile directory
date: 2019-10-05 14:30
author: Ludovic Courtès
tags: Security
---

We have become aware of a security issue for Guix on multi-user systems
[that we have just fixed](https://issues.guix.gnu.org/issue/37744).
Anyone running Guix on a multi-user system is encouraged to upgrade
`guix-daemon`—see below for instructions.

# Context

The default user profile, `~/.guix-profile`, points to
`/var/guix/profiles/per-user/$USER`.  Until now,
`/var/guix/profiles/per-user` was world-writable, allowing the `guix`
command to create the `$USER` sub-directory.

On a multi-user system, this allowed a malicious user to create and
populate that `$USER` sub-directory for another user that had not yet
logged in.  Since `/var/…/$USER` is in `$PATH`, the target user could end
up running attacker-provided code.

See https://issues.guix.gnu.org/issue/37744 for more information.

This issue was initially [reported by Michael Orlitzky for
Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4)
([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=CVE-2019-17365)).

# Fix

The [fix](https://issues.guix.gnu.org/issue/37744) consists in letting
`guix-daemon` create these directories on behalf of users and removing the
world-writable permissions on `per-user`.

For [cluster
setups](https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/)
where clients connect to the daemon over TCP ([thanks to the `--listen`
option of
`guix-daemon`](https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html)),
the fix _requires_ `guix-daemon` to be able to resolve user names so that
it can create `/var/…/per-user/$USER` with the right ownership.

Note also that the `guix` command prior to this fix would not communicate
the user name it’s running under to the daemon, thereby preventing it from
creating that directory on its behalf.

# Upgrading

On multi-user systems, we recommend upgrading the daemon now.

To upgrade the daemon on a “foreign distro”, run something along these
lines:

```
sudo guix pull
sudo systemctl restart guix-daemon.service
```

On Guix System, run:

```
guix pull
sudo guix system reconfigure /etc/config.scm
sudo herd restart guix-daemon
```

Once you’ve run `guix build hello` or any other `guix` command, you should
see that `/var/guix/profiles/per-user` is no longer world-writable:

```
$ ls -ld /var/guix/profiles/per-user
drwxr-xr-x 5 root root 4096 Jun 23  2017 /var/guix/profiles/per-user
```

Please report any issues you may have to
[`guix-devel@gnu.org`](https://guix.gnu.org/contact/).  See the [security
web page](https://guix.gnu.org/security/) for information on how to report
security issues.

#### About GNU Guix

[GNU Guix](https://www.gnu.org/software/guix) is a transactional package
manager and an advanced distribution of the GNU system that [respects user
freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html).
Guix can be used on top of any system running the kernel Linux, or it can
be used as a standalone operating system distribution for i686, x86_64,
ARMv7, and AArch64 machines.

In addition to standard package management features, Guix supports
transactional upgrades and roll-backs, unprivileged package management,
per-user profiles, and garbage collection.  When used as a standalone
GNU/Linux distribution, Guix offers a declarative, stateless approach to
operating system configuration management.  Guix is highly customizable
and hackable through [Guile](https://www.gnu.org/software/guile)
programming interfaces and extensions to the
[Scheme](http://schemers.org) language.
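Added example, not part of the thread or of Guix itself: a small POSIX shell audit for the two conditions the draft above describes. It reports a world-writable `per-user` directory (the pre-fix state) and any `per-user/NAME` sub-directory whose owner is not `NAME`, which is the trace left behind when someone pre-creates the directory of a user who has not logged in yet. It relies on GNU `stat -c %a` and `stat -c %U`; the temporary layout built by `make_sample_layout`, the user name `alice` and all function names are constructed for the demonstration, and `harden_parent` only applies the `drwxr-xr-x` mode shown in the draft, not the daemon-side change.

```shell
#!/bin/sh
# Added audit script (not from the Guix project or from the thread above).
# It checks a per-user profile directory for:
#   1. a world-writable parent directory (the pre-fix state), and
#   2. a $USER sub-directory owned by someone other than the user it is
#      named after, which is what an attacker who pre-created a victim's
#      directory leaves behind.
# The sample layout, the user name "alice" and the function names are
# constructed for this demonstration.  Requires GNU stat(1).

# check_parent_mode DIR: print "world-writable" if the "other" write bit is
# set on DIR, "ok" otherwise.  Only the last octal digit matters, so a
# sticky bit (1777) does not change the verdict.
check_parent_mode() {
  mode=$(stat -c %a "$1")
  case "$mode" in
    *[2367]) echo world-writable ;;
    *)       echo ok ;;
  esac
}

# audit_per_user DIR: report the pre-fix mode on DIR and every DIR/NAME
# sub-directory whose owner is not NAME.  Returns 1 if anything was
# flagged, 0 otherwise.
audit_per_user() {
  dir=$1
  findings=0
  if [ "$(check_parent_mode "$dir")" = world-writable ]; then
    echo "FLAG: $dir is world-writable; any user can pre-create a profile directory"
    findings=1
  fi
  for entry in "$dir"/*; do
    [ -d "$entry" ] || continue
    name=${entry##*/}
    owner=$(stat -c %U "$entry")
    if [ "$owner" != "$name" ]; then
      echo "FLAG: $entry is owned by $owner, not $name (possible hijack)"
      findings=1
    fi
  done
  return "$findings"
}

# harden_parent DIR: apply the post-fix mode from the draft (drwxr-xr-x).
# Pre-created sub-directories with the wrong owner still need manual review.
harden_parent() {
  chmod 0755 "$1"
}

# make_sample_layout: build a constructed per-user tree in a temporary
# directory that reproduces the pre-fix conditions.  Prints its path.
make_sample_layout() {
  root=$(mktemp -d)
  mkdir "$root/per-user"
  chmod 1777 "$root/per-user"
  me=$(stat -c %U "$root/per-user")   # whoever runs this script
  mkdir "$root/per-user/$me"          # legitimate: owner matches the name
  mkdir "$root/per-user/alice"        # hijack: named for alice, owned by us
  echo "$root/per-user"
}

# demo: build the sample, audit it, apply the mode fix, audit again.
demo() {
  sample=$(make_sample_layout)
  audit_per_user "$sample" || true
  harden_parent "$sample"
  echo "--- after chmod 0755 ---"
  audit_per_user "$sample" || true
  rm -rf "${sample%/per-user}"
}
```

On a real host, run `audit_per_user /var/guix/profiles/per-user` as any user; `demo` exercises the same functions on the constructed layout, where the first pass flags both the mode and the `alice` directory and the second pass flags only `alice`. The owner check depends on resolving a uid to a name, the same requirement the draft points out for `guix-daemon` on TCP cluster setups: where `stat` prints `UNKNOWN` because there is no passwd entry, the comparison is meaningless and the directory should be inspected by hand.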
From: Tobias Geerinckx-Rice
To: 37744@debbugs.gnu.org
Date: Thu, 17 Oct 2019 21:01:39 +0200
Message-ID: <878spjnqlo.fsf@nckx>
In-Reply-To: <87blufny52.fsf@gnu.org>

Ludo',

Ludovic Courtès wrote:
> See https://issues.guix.gnu.org/issue/37744

Will this be automatically linkified?

> This issue was initially [reported by Michael Orlitzky for
> Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4)
> ([CVE-2019-17365](https://nvd.nist.gov/vuln/detail?vulnId=CVE-2019-17365)).
>
> # Fix
>
> The [fix](https://issues.guix.gnu.org/issue/37744) consists in
> letting

From the Oxford Dictionaries:

  1 (consist of) be composed or made up of
    (consist in) have as an essential feature

TIL.

> # Upgrading
>
> On multi-user systems, we recommend upgrading the daemon now.
>
> To upgrade the daemon on a “foreign distro”, run something along
> these

Imperialist nitpick: why list the foreigners first? :-)

Anti-imperialist nitpick: reversing the two allows using ‘other
distributions’ instead of ‘foreign’ which always sounds a bit
dismissive to my ears.

End nitpick.
Thank you for taking care of this from start to finish,

T G-R

From: Ludovic Courtès
To: Tobias Geerinckx-Rice
Cc: 37744@debbugs.gnu.org
Date: Thu, 17 Oct 2019 22:25:58 +0200
Message-ID: <87k193ktk9.fsf@gnu.org>
In-Reply-To: <878spjnqlo.fsf@nckx> (Tobias Geerinckx-Rice's message of "Thu, 17 Oct 2019 21:01:39 +0200")

Hallo!

Tobias Geerinckx-Rice wrote:

> Ludovic Courtès wrote:
>> See https://issues.guix.gnu.org/issue/37744
>
> Will this be automatically linkified?

Yes, I think so.

>> # Upgrading
>>
>> On multi-user systems, we recommend upgrading the daemon now.
>>
>> To upgrade the daemon on a “foreign distro”, run something along
>> these
>
> Imperialist nitpick: why list the foreigners first? :-)
>
> Anti-imperialist nitpick: reversing the two allows using ‘other
> distributions’ instead of ‘foreign’ which always sounds a bit
> dismissive to my ears.
>
> End nitpick.

That makes sense to me; I’m not satisfied with “foreign” either (I think
the inspiration came from FFIs, but still).  Maybe “fellow distros”?
:-)

I’ve received the CVE ID (CVE-2019-18192) just now so I’ve added it to
the article and pushed it.  It should show up on line shortly.
Thank you for your feedback!

Ludo’.

From: Ludovic Courtès
Subject: control message for bug #37744
To: control@debbugs.gnu.org
Date: Thu, 17 Oct 2019 22:26:19 +0200
Message-Id: <87imonktjo.fsf@gnu.org>

retitle 37744 Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)
quit

From: Bengt Richter
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, Tobias Geerinckx-Rice
Date: Thu, 17 Oct 2019 19:21:28 -0700
Message-ID: <20191018022128.GA1765@PhantoNv4ArchGx.localdomain>
In-Reply-To: <87k193ktk9.fsf@gnu.org>

Hi Ludo, Tobias,

On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
> Hallo!
>
> Tobias Geerinckx-Rice wrote:
>
> > Ludovic Courtès wrote:
> >> See https://issues.guix.gnu.org/issue/37744
> >
> > Will this be automatically linkified?
>
> Yes, I think so.
>
> >> # Upgrading
> >>
> >> On multi-user systems, we recommend upgrading the daemon now.
> >>
> >> To upgrade the daemon on a “foreign distro”, run something along
> >> these
> >
> > Imperialist nitpick: why list the foreigners first? :-)
> >
> > Anti-imperialist nitpick: reversing the two allows using ‘other
> > distributions’ instead of ‘foreign’ which always sounds a bit
> > dismissive to my ears.
> >
> > End nitpick.
>
> That makes sense to me; I’m not satisfied with “foreign” either (I think
> the inspiration came from FFIs, but still).  Maybe “fellow distros”?
> :-)

Is not the important distinction whether the "foreign distro" can be
generated with pure guix libre components using a pure guix tool chain vs
not?

Maybe define a (guix-auditable? "/") test and then
s/foreign/non-guix-auditable/g in docs and discussions?

Just a thought :)

--
Regards,
Bengt Richter
From: Ludovic Courtès
To: Bengt Richter
Cc: 37744@debbugs.gnu.org, Tobias Geerinckx-Rice
Date: Fri, 18 Oct 2019 16:36:30 +0200
Message-ID: <877e5215ox.fsf@gnu.org>
In-Reply-To: <20191018022128.GA1765@PhantoNv4ArchGx.localdomain> (Bengt Richter's message of "Thu, 17 Oct 2019 19:21:28 -0700")

Bengt Richter wrote:

> On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:

[...]

>> > Imperialist nitpick: why list the foreigners first? :-)
>> >
>> > Anti-imperialist nitpick: reversing the two allows using ‘other
>> > distributions’ instead of ‘foreign’ which always sounds a bit
>> > dismissive to my ears.
>> >
>> > End nitpick.
>>
>> That makes sense to me; I’m not satisfied with “foreign” either (I think
>> the inspiration came from FFIs, but still).  Maybe “fellow distros”?
>> :-)
>
> Is not the important distinction whether the "foreign distro" can be generated
> with pure guix libre components using a pure guix tool chain vs not?

“Foreign distro” designates any distro other than Guix System.  From a
technical viewpoint, it’s sometimes useful to be able to make that
distinction.

HTH,
Ludo’.
From: Bengt Richter
To: Ludovic Courtès
Cc: 37744@debbugs.gnu.org, Tobias Geerinckx-Rice
Date: Fri, 18 Oct 2019 18:32:01 -0700
Message-ID: <20191018224519.GA81713@PhantoNv4ArchGx.localdomain>
In-Reply-To: <877e5215ox.fsf@gnu.org>

Hi Ludo,

On +2019-10-18 16:36:30 +0200, Ludovic Courtès wrote:
> Bengt Richter wrote:
>
> > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote:
>
> [...]
>
> >> > Imperialist nitpick: why list the foreigners first? :-)
> >> >
> >> > Anti-imperialist nitpick: reversing the two allows using ‘other
> >> > distributions’ instead of ‘foreign’ which always sounds a bit
> >> > dismissive to my ears.
> >> >
> >> > End nitpick.
> >>
> >> That makes sense to me; I’m not satisfied with “foreign” either (I think
> >> the inspiration came from FFIs, but still).  Maybe “fellow distros”?
> >> :-)
> >
> > Is not the important distinction whether the "foreign distro" can be generated
> > with pure guix libre components using a pure guix tool chain vs not?
>
> “Foreign distro” designates any distro other than Guix System.  From a
> technical viewpoint, it’s sometimes useful to be able to make that
> distinction.
>
> HTH,
> Ludo’.

I was trying to get to a more exact definition of "that distinction" :)

I have read the page at "info guix installation", where "foreign" is
explained:
---------------------------
   Note: We recommend the use of this shell installer script
   (https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh)
   to install Guix on top of a running GNU/Linux system, thereafter called
   a “foreign distro”.(1) The script automates the download, installation,
   and initial configuration of Guix.  It should be run as the root user.

   When installed on a foreign distro, GNU Guix complements the available
   tools without interference.  Its data lives exclusively in two
   directories, usually ‘/gnu/store’ and ‘/var/guix’; other files on your
   system, such as ‘/etc’, are left untouched.
[...]
   (1) This section is concerned with the installation of the package
   manager, which can be done on top of a running GNU/Linux system.  If,
   instead, you want to install the complete GNU operating system, *note
   System Installation::.
---------------------------

I have also read from "info guix introduction":
-----------------
   (2) We used to refer to Guix System as “Guix System Distribution” or
   “GuixSD”.  We now consider it makes more sense to group everything under
   the “Guix” banner since, after all, Guix System is readily available
   through the ‘guix system’ command, even if you’re using a different
   distro underneath!
----------------

Further along it says:
-----------------------
   With Guix System, you _declare_ all aspects of the operating system
   configuration and Guix takes care of instantiating the configuration in
   a transactional, reproducible, and stateless fashion (*note System
   Configuration::).  Guix System uses the Linux-libre kernel, the Shepherd
   initialization system (*note (shepherd)Introduction::), the well-known
   GNU utilities and tool chain, as well as the graphical environment or
   system services of your choice.
-----------------------

That sounds more restricted than "... even if you’re using a different
distro underneath!"

When you say "Guix System," do/should you really mean _only_ a system
specifically running a linux-libre kernel, built with no dependencies
outside of GuixSD official sources, and using Shepherd initialization??

E.g., the purism OS has (UIAM) been recognized as free as in RMS's "ryf",
but is it compiled entirely using only tools in /gnu/store/... ?
Ask them, right? ;-)

(BTW, does anyone in the guix community have contact with them?  I think
they are trying to contribute upstream and do "The Right Thing"(TM))

My point is, if e.g. a bug is caused by something that is different in
their kernel image from the one you generate from linux-libre and GuixSD
sources, then we will be chasing a bug in their build process, not ours.
Sometimes it might be "useful to be able to make that distinction", no? :)

(Kernel image is just an example; likewise for initrds or anything that
runs that was not derived from official guix/GuixSD sources.)

BTW, is it safe to do "guix system reconfigure" naively, "... even if
you’re using a different distro underneath!" ??

I am afraid to try it :)

--
Regards,
Bengt Richter

PS. I think it would be useful if there were a
LD_IMPURE_REFERENCE_LOG="path/to/logfile.txt" in an easy-to-edit place
that, if present, would cause the ld wrapper to append to the log what it
finds (even if otherwise ignoring impure refs).  WDYT?