GNU bug report logs - #47229
Local privilege escalation via guix-daemon and ‘--keep-failed’


Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 18 Mar 2021 11:18:02 UTC

Severity: serious

Tags: fixed, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #12 received at 47229 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: 47229 <at> debbugs.gnu.org
Cc: Leo Famulari <leo <at> famulari.name>
Subject: Re: bug#47229: Local privilege escalation via guix-daemon and ‘--keep-failed’
Date: Thu, 18 Mar 2021 12:45:36 +0100
Ludovic Courtès <ludo <at> gnu.org> writes:

> The fix (patch attached) consists in adding a root-owned “wrapper”
> directory in which the build directory itself is located.

The fix has now been pushed:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf

Followed by an update of the ‘guix’ package to make the fix available:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=94f03125463ee0dba2f7916fcd43fd19d4b6c892

We recommend upgrading the daemon (using commit 94f03125 or later).
On Guix System, you achieve that by running something along these lines:

  guix pull
  sudo guix system reconfigure /run/current-system/configuration.scm
  sudo herd restart guix-daemon

On other distros, assuming services are managed by systemd:

  sudo --login guix pull
  sudo systemctl restart guix-daemon.service

(See <https://guix.gnu.org/manual/en/html_node/Upgrading-Guix.html>.)

Ludo’.