GNU bug report logs - #37744
Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Mon, 14 Oct 2019 07:48:02 UTC
Severity: important
Tags: security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" <ludo <at> gnu.org> wrote:
>Hello!
>
>Here’s a patch that fixes the issue, partly based on what the Nix folks
>did.
>
>For the client-connecting-over-TCP case, I added special handling:
>‘set-build-options’ now passes a “user-name” property, potentially
>allowing to create ‘per-user/$USER’ at that point (like you suggested,
>Tobias.)
>
>In a cluster setup, it means that the machine that runs ‘guix-daemon’
>must see the same users as the machines where its clients run, but
>that’s basically already what we expect:
><https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/>.
>
>There’s one case that won’t be correctly handled: in a cluster setup, an
>old client talking to a new daemon won’t provide info to create
>‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create
>the user’s profile if it doesn’t already exist. I think that’s hard to
>avoid though.
>
>Thoughts?
>
>Thanks,
>Ludo’.
We could advise people to restart the service too, with e.g. systemctl restart guix-daemon
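An added example, not part of the thread or of the Guix patch: a shell audit of the directory named in the bug title. It assumes a safe layout in which only the directory's owner can create entries and each per-user/NAME is a real directory owned by the user NAME; the function names audit_per_user and owner_of are made up for this example.

```shell
#!/bin/sh
# Added example: audit the layout of a Guix per-user profile directory.
# Assumption (not stated in the thread): in a safe layout only the owner of
# DIR can create entries in it, and each DIR/NAME is a real directory owned
# by the user called NAME.

# owner_of PATH: print the owner of PATH as ls shows it (name, or uid if unnamed).
owner_of() {
    ls -ld -- "$1" | awk '{ print $3 }'
}

# audit_per_user DIR: print one finding per line; return 0 if clean, else 1.
audit_per_user() {
    dir=$1
    status=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir"
        return 1
    fi
    # If group or others can write here, any of them can pre-create
    # DIR/NAME before the user NAME ever gets a profile.
    if [ -n "$(find "$dir" -maxdepth 0 \( -perm -0002 -o -perm -0020 \))" ]; then
        echo "WRITABLE-BY-OTHERS: $dir"
        status=1
    fi
    for entry in "$dir"/*; do
        # Skip the unexpanded glob of an empty directory.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -L "$entry" ] || [ ! -d "$entry" ]; then
            echo "NOT-A-DIRECTORY: $entry"
            status=1
        elif [ "$(owner_of "$entry")" != "$name" ]; then
            echo "OWNER-MISMATCH: $entry is owned by $(owner_of "$entry")"
            status=1
        fi
    done
    return $status
}

# Default path is the one named in the bug title; pass another DIR to override.
audit_per_user "${1:-/var/guix/profiles/per-user}" || true
```

Entries that predate a daemon upgrade are worth checking with this as well, since an OWNER-MISMATCH finding points at a directory that was created by someone other than the named user.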
This bug report was last modified 5 years and 300 days ago.