GNU bug report logs - #47229
Local privilege escalation via guix-daemon and ‘--keep-failed’


Package: guix

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Thu, 18 Mar 2021 11:18:02 UTC

Severity: serious

Tags: fixed, security

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 47229 <at> debbugs.gnu.org
Subject: bug#47229: Local privilege escalation via guix-daemon and ‘--keep-failed’
Date: Sat, 10 Apr 2021 13:56:27 -0400
On Thu, Mar 18, 2021 at 12:17:15PM +0100, Ludovic Courtès wrote:
> Vulnerability
> ~~~~~~~~~~~~~
> 
> The attack consists in having an unprivileged user spawn a build
> process, for instance with ‘guix build’, that makes its build directory
> world-writable.  The user then creates a hardlink within the build
> directory to a root-owned file from outside of the build directory, such
> as ‘/etc/shadow’.  If the user passed the ‘--keep-failed’ option and the
> build eventually fails, the daemon changes ownership of the whole build
> tree, including the hardlink, to the user.  At that point, the user has
> write access to the target file.

This has been assigned CVE-2021-27851.

Soon, it should be available in the CVE database at
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27851>
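
An added defensive example, not part of the original message and not the fix applied in Guix: a pre-handover audit of a kept build tree that refuses to chown the two kinds of entry the report describes, files the build user does not own and files with extra hard links. The function name `audit_kept_tree` and the sample tree are hypothetical.

```python
import os
import stat
import tempfile


def audit_kept_tree(tree, build_uid):
    """List entries in a kept build tree that must not be chowned to the user.

    Hypothetical helper: flags anything not owned by the build user and any
    non-directory with more than one hard link (its inode is also reachable
    under another name, possibly outside the tree).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(tree, followlinks=False):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry, never its target
            if st.st_uid != build_uid:
                findings.append((path, "not owned by build user"))
            elif not stat.S_ISDIR(st.st_mode) and st.st_nlink > 1:
                findings.append((path, "extra hard link"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a "build tree" holding one ordinary file and one
    # hard link to a file that lives outside the tree.
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "build")
    os.mkdir(tree)
    outside = os.path.join(base, "outside-file")
    open(outside, "w").close()
    open(os.path.join(tree, "ordinary"), "w").close()
    os.link(outside, os.path.join(tree, "linked"))
    for path, reason in audit_kept_tree(tree, os.getuid()):
        print(f"refuse chown: {path} ({reason})")
```

A check of this kind only holds if nothing can still modify the tree between the audit and the ownership change, so it belongs after all build processes have exited and the tree is no longer writable by other users.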

This bug report was last modified 4 years and 125 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.