GNU bug report logs - #37744
Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 14 Oct 2019 07:48:02 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #24 received at 37744 <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37744 <at> debbugs.gnu.org, guix-security <at> gnu.org
Subject: Re: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for
 Nix)
Date: Tue, 15 Oct 2019 16:31:40 +0200

[Message part 1 (text/plain, inline)]
Ludo',

Thanks for your answer.

Ludovic Courtès 写道:
>> I need more cluebat please: say I'm an attacker and connect to 
>> your
>> daemon (over TCP, why not), asking it to create an empty
>> ‘per-user/ludo’.
>
> You wouldn’t be able to do that because over TCP because the 
> daemon
> can’t tell what user you are.

No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.

Of course the remote daemon doesn't trust me beyond pre-creating 
an empty per-user directory owned by the local "ludo" user only if 
such a user exists.  It doesn't even report succes or failure to 
avoid leaking valid user names.

You already trust the network not to DoS you with webkitgtks, how 
does this new step decrease security?

Sure, it bumps the protocol version; I'm aware of that.

> It’s meant for cluster setups where you have one
> head node that clients connect to from remote nodes.

And likely some kind of centralised user management so it's not 
unreasonable to handle this differently/manually.

Kind regards,

T G-R

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 300 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.