GNU bug report logs - #37744
Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Mon, 14 Oct 2019 07:48:02 UTC

Severity: important

Tags: security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 37744 <at> debbugs.gnu.org, guix-security <at> gnu.org
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 16:12:50 +0200

[Message part 1 (text/plain, inline)]
Ludo',

That was swift, thanks!

IANAC++.

Ludovic Courtès 写道:
> diff --git a/nix/libstore/local-store.cc 
> b/nix/libstore/local-store.cc
> index 3b08492c64..3793382361 100644
> --- a/nix/libstore/local-store.cc
> +++ b/nix/libstore/local-store.cc
> @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace)
>  
>          Path perUserDir = profilesDir + "/per-user";
>          createDirs(perUserDir);
> -        if (chmod(perUserDir.c_str(), 01777) == -1)
> -            throw SysError(format("could not set permissions on 
> '%1%' to 1777") % perUserDir);
> +        if (chmod(perUserDir.c_str(), 0755) == -1)
> +            throw SysError(format("could not set permissions on 
> '%1%' to 755")
> +                           % perUserDir);
>  
>          mode_t perm = 01775;

This is inside

 if (getuid() == 0 && settings.buildUsersGroup != "") {
   …
 }

It's not clear to me why the second condition here is relevant, 
but I don't have the big picture.  Nor do I suspect I want it.

Kind regards,

T G-R

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 5 years and 300 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.