From: bug#47584 <47584@debbugs.gnu.org>
To: bug#47584 <47584@debbugs.gnu.org>
Subject: Status: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Reply-To: bug#47584 <47584@debbugs.gnu.org>
Date: Mon, 23 Jun 2025 00:14:11 +0000

retitle 47584 Race condition in ‘copy-account-skeletons’: possible privilege escalation.
reassign 47584 guix
submitter 47584 Maxime Devos
severity 47584 important
tag 47584 security patch
thanks

From: Maxime Devos
To: bug-guix@gnu.org
Subject: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:09:16 +0200

A TOCTTOU (time-of-check to time-of-use) vulnerability has been found in the
activation code of user accounts, more specifically in the code that copies
the account skeletons.

* Vulnerability

The attack consists of the user being logged in after the account skeletons
have been copied to the home directory, but before the owner of the account
skeletons has been set. The user then deletes a copied account skeleton
(e.g. @file{$HOME/.gdbinit}) and replaces it with a symbolic link to a file
not owned by the user, such as @file{/etc/shadow}.

The activation code then changes the ownership of the file the symbolic link
points to instead of the symbolic link itself. At that point, the user has
read-write access to the target file.

* Where in the code does this happen?

Module: (gnu build activation).
Procedures: 'copy-account-skeletons' and 'activate-user-home'.

'copy-account-skeletons' creates the home directory, sets its owner, copies
the account skeletons, and chowns the copied skeletons, in that order. The
bug is that it dereferences symbolic links. It is called from
'activate-user-home' if the home directory does not already exist.

* Fix

The fix consists of initially creating the home directory root-owned and only
changing the owner of the home directory once all skeletons have been copied
and their owner has been set.

* Extra notes

A blog post, a news entry and a fix have been prepared and will be posted and
hopefully merged soon.

The following tests succeeded:

$ make check-system TESTS='switch-to-system upgrade-services install-bootloader basic'
$ make check
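
The ordering fix described in the report above, combined with an ownership change that refuses symbolic links, sketched in Python as an added example (this is not the Guix code, which is Guile Scheme in (gnu build activation)). The names `chown_nofollow`, `activate_home` and `demo` are hypothetical, skeletons are assumed to be regular files in one flat directory, and every file used is constructed in a temporary directory.

```python
import errno
import os
import shutil
import stat
import tempfile


def chown_nofollow(path, uid, gid):
    """Give PATH itself to UID:GID, never the object a symlink at PATH names.

    O_NOFOLLOW makes open() fail with ELOOP when PATH is a symbolic link, and
    the type check and the ownership change then use the same descriptor, so
    nothing can be swapped in between the check and the use.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        mode = os.fstat(fd).st_mode
        if not (stat.S_ISREG(mode) or stat.S_ISDIR(mode)):
            raise OSError(errno.EINVAL, "not a regular file or directory", path)
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)


def activate_home(home, skel, uid, gid):
    """Create HOME from SKEL in the order the fix prescribes.

    HOME is created with the caller as owner (root during activation) and
    mode 0700, so the account cannot reach its contents while they are being
    populated. Ownership of HOME is handed over only as the very last step.
    """
    os.mkdir(home, 0o700)
    copied = []
    for name in sorted(os.listdir(skel)):
        target = os.path.join(home, name)
        shutil.copyfile(os.path.join(skel, name), target)
        chown_nofollow(target, uid, gid)
        copied.append(name)
    chown_nofollow(home, uid, gid)  # last: only now does HOME become the user's
    return copied


def demo():
    """Run the sequence on constructed files; needs no privileges."""
    uid, gid = os.getuid(), os.getgid()  # ourselves, so chown is permitted
    with tempfile.TemporaryDirectory() as tmp:
        skel = os.path.join(tmp, "skel")
        os.mkdir(skel)
        for name in (".bashrc", ".gdbinit"):
            with open(os.path.join(skel, name), "w") as f:
                f.write("# constructed skeleton file\n")
        home = os.path.join(tmp, "home-alice")
        copied = activate_home(home, skel, uid, gid)

        # Constructed stand-in for a file the account must never own, and a
        # symlink to it sitting where a skeleton copy is expected.
        sensitive = os.path.join(tmp, "sensitive")
        with open(sensitive, "w") as f:
            f.write("constructed\n")
        entry = os.path.join(home, ".gdbinit")
        os.unlink(entry)
        os.symlink(sensitive, entry)

        # A path-based call that follows links (stat, chown) resolves ENTRY
        # to SENSITIVE; samefile() compares what stat() sees for both paths.
        path_call_reaches_target = os.path.samefile(entry, sensitive)

        # The descriptor-based helper refuses the link instead.
        try:
            chown_nofollow(entry, uid, gid)
            nofollow_refused = False
        except OSError as e:
            nofollow_refused = e.errno == errno.ELOOP

        return {
            "copied": copied,
            "path_call_reaches_target": path_call_reaches_target,
            "nofollow_refused": nofollow_refused,
        }


if __name__ == "__main__":
    print(demo())
```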

From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:22:12 +0200

Patch is attached. The committer will need to change the commit id
appropriately.

From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:26:53 +0200

A suggested blog post is attached.

From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:32:54 +0200

On Sat, 2021-04-03 at 18:22 +0200, Maxime Devos wrote:
> + ;; It is important 'chown' is called after 'copy-account-skeletons'
> + ;; Otherwise, a malicious user with good timing could
> + ;; create a symlink in HOME that would be dereferenced by
> + ;; 'copy-account-skeletons'.
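
Review bot: The added comment gives the ordering rule but not the invariant behind it: HOME has to stay root-owned for as long as 'copy-account-skeletons' runs, which is what keeps the account from creating the symlink the comment mentions. Consider stating that in the comment, so that a later change that hands HOME to the user earlier is recognized as reintroducing the race.
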
Oops please add a period after 'copy-account-skeletons';

From: Maxime Devos
To: control@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 18:38:16 +0200

tags 47584 + security patch
severity 47584 important
thanks
[2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=40540 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lSmgN-0002lt-5e; Sat, 03 Apr 2021 16:15:47 -0400 From: =?utf-8?Q?Ludovic_Court=C3=A8s?= To: Maxime Devos Subject: Re: bug#47584: Race condition in =?utf-8?Q?=E2=80=98copy-account-?= =?utf-8?Q?skeletons=E2=80=99=3A?= possible privilege escalation. References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be> Date: Sat, 03 Apr 2021 22:15:45 +0200 In-Reply-To: <63fbd9e37cc3582daf265277e64f0a99b20e05ec.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:22:12 +0200") Message-ID: <87y2dzw2dq.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 47584 Cc: 47584@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) Hi Maxime, Maxime Devos skribis: > From 9672bd37bf50db1e0989d0b84035c4788422bd31 Mon Sep 17 00:00:00 2001 
> From: Maxime Devos
> Date: Tue, 30 Mar 2021 22:36:14 +0200
> Subject: [PATCH 1/2] activation: Do not dereference symlinks in home directory
> creation.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Fixes .
>
> * gnu/build/activation.scm
> (copy-account-skeletons): Do not chown the home directory; leave this
> to 'activate-user-home'.
> (activate-user-home): Only chown the home directory after the account
> skeletons have been copied.
>
> Co-authored-by: Ludovic Courtès .

Pushed:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586

> From d071ee3aff5be1a6d7876d7411e70f7283dce1fb Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sat, 3 Apr 2021 12:19:10 +0200
> Subject: [PATCH 2/2] news: Add entry for user account activation
> vulnerability.
>
> TODO for guix committer: correct the commit id appropriately.
>
> * etc/news.scm: Add entry.

I tweaked it to (1) make it clear upfront that only Guix System is
affected, (2) to explicitly recommend an upgrade on Guix System, and (3)
to clarify when the attack can happen.

Thanks for finding the issue, for reporting it at guix-security, and for
preparing these patches!

Ludo’.

From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:27:23 +0200

Note that this issue is about Guix System; users of Guix on other
distros are unaffected.

Maxime Devos wrote:

> The attack consists of the user being logged in after the account
> skeletons have been copied to the home directory, but before the
> owner of the account skeletons have been set. The user then deletes
> a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
> it with a symbolic link to a file not owned by the user, such as
> @file{/etc/shadow}.
>
> The activation code then changes the ownership
> of the file the symbolic link points to instead of the symbolic
> link itself. At that point, the user has read-write access
> to the target file.

To give a bit more context, account creation on Guix System happens
while ‘guix system reconfigure’ is running. The user whose account is
being created thus needs to be able to log in right during the time
window described above.

Users whose password is uninitialized (i.e., the ‘password’ field
of is left unspecified¹) cannot log in at that point, unless possibly
if the OpenSSH configuration specifies an authorized key for the user
account.

Ludo’.

¹ https://guix.gnu.org/manual/en/html_node/User-Accounts.html
² https://guix.gnu.org/manual/en/html_node/Networking-Services.html#index-openssh_002dservice_002dtype

From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:33:18 +0200

Maxime Devos wrote:

> The attack consists of the user being logged in after the account
> skeletons have been copied to the home directory, but before the
> owner of the account skeletons have been set. The user then deletes
> a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
> it with a symbolic link to a file not owned by the user, such as
> @file{/etc/shadow}.
>
> The activation code then changes the ownership
> of the file the symbolic link points to instead of the symbolic
> link itself. At that point, the user has read-write access
> to the target file.

In the draft blog post, you mention that the attack cannot be carried
out when protected symlinks are enabled. This is now the case by
default on Guix System¹, so in that case, a system upgraded from a
commit after March 16th is unaffected.

Ludo’.

¹ https://issues.guix.gnu.org/47013#13

From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:45:51 +0200

Maxime Devos wrote:

> From 7937b9f18085569e5d7cb8a3c4dc08e1088a94a9 Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sat, 3 Apr 2021 18:02:05 +0200
> Subject: [PATCH] website: Add post about vulnerability
> in ‘copy-account-skeletons’.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> * website/posts/home-symlink.md: New post.

It’s unfortunate that this is going out during a week-end, and a
three-day week-end on top of that in some regions of the world, with
many people not seeing the message and not being able to act upon it for
three days.

> +title: Risk of local privilege escalation in account creation
> +date: 2021-04-03 17:30
> +author: Maxime Devos
> +tags: Security Advisory
> +---
> +
> +A security vulnerability that can lead to local privilege escalation
> +has been found in the activation code of user accounts (excluding
> +system accounts). It does not affect users on foreign distros
> +and is only exploitable during system reconfiguration.

How about this, taken from the news.scm entry I tweaked:

  A security vulnerability that can lead to local privilege escalation has been
  found in the code that creates user accounts on Guix System—Guix on other
  distros is unaffected. The system is only vulnerable during the activation of
  non-system user accounts that do not already exist.

(This is more upfront about who’s affected and avoids the technical term
“activation code” which makes no sense outside the circle of Guix System
and NixOS hackers.)

> +This exploit is _not_ impossible on machines where the Linux [protected
> +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature
> +is enabled. It is believed the attack can also be performed using hard
> +links.

Please mention that protected symlinks are enabled by default on Guix
System since a March 16th commit, with a link to .

> +# Conclusions
> +
> +The activation code in Guix System originally was written with the
> +assumption that no other code was running at the same time in mind.
> +However, this is not a reasonable assumption in practice, as this
> +vulnerability demonstrates. Thus, it may be worthwhile to look
> +over other activation code for similar issues.

That’s an interesting conclusion for us developers, but not necessarily
for the users this is targeting. It also sounds unnecessarily scary and
casual.

> +While investigating how to fix the issue, it became apparent GNU Guile,
> +the implementation of the Algorithmic Language Scheme GNU Guix is
> +written in, is lacking in primitives that usually are used to avoid
> +these kind of issues, such `openat` and `O_NOFOLLOW`.
> +
> +While these primitives turned out not to be necessary to fix the
> +issue and a [patch series]()
> +to GNU Guile has been submitted that adds these primitives, this does
> +serve as a remainder that GNU Guile is a critical component of
> +Guix System and working around missing primitives will not always be possible.

All this is true but also probably too detailed (or not enough,
depending on the reader). How about just mentioning that work is
ongoing to support the `openat` family of POSIX functions in Guile,
which, when used, will help address this class of vulnerability?

Otherwise LGTM, thanks!

Ludo’.
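
Review bot: In the protected-symlinks paragraph of the quoted post, "This exploit is _not_ impossible on machines where the Linux [protected symlinks] feature is enabled" is a double negative that is easy to read as the opposite claim; state it positively, for example "This exploit is still possible when the Linux protected symlinks feature is enabled". In the conclusions, "such `openat` and `O_NOFOLLOW`" is missing "as", "these kind of issues" should be "this kind of issue", "serve as a remainder" should read "reminder", and the "[patch series]()" link has an empty target that needs a URL before publication.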
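
The following C program is an added example, not Guix's own code (the activation code is Scheme, in gnu/build/activation.scm). It uses `openat` with `O_NOFOLLOW`, the primitives named in the quoted post, to change ownership without following a planted symlink, refuses multiply-linked files, and hands over the home directory last, as the commit message of the fix describes. The function names, the `/tmp` paths and the file names other than `.gdbinit` are assumptions made for the demonstration, which runs unprivileged by chowning to the caller's own IDs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give one entry of an open directory to uid:gid without following links:
   symlinks fail with ELOOP (O_NOFOLLOW), multiply-linked files with EMLINK. */
static int chown_entry_nofollow(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, saved;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) && st.st_nlink > 1)
            errno = EMLINK;             /* hard link to a file that lives elsewhere */
        else if (!S_ISREG(st.st_mode) && !S_ISDIR(st.st_mode))
            errno = EINVAL;             /* device nodes, FIFOs, sockets */
        else
            rc = fchown(fd, uid, gid);  /* acts on the inode just inspected */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Ordering from the fix: entries first, the home directory itself last, so
   the directory is still root-owned while it is being populated. */
static int hand_over_home(const char *home, const char *const *names, size_t n,
                          uid_t uid, gid_t gid)
{
    int rc = -1, saved;
    int dirfd = open(home, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (chown_entry_nofollow(dirfd, names[i], uid, gid) < 0)
            goto out;
    rc = fchown(dirfd, uid, gid);
out:
    saved = errno;
    close(dirfd);
    errno = saved;
    return rc;
}

/* Outcome of each case below: 0 on success, otherwise the errno reported. */
struct demo_result { int plain, via_symlink, via_hardlink, home_bad, home_clean; };

static int touch_at(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Constructed scenario in a temporary directory, run with the caller's own IDs. */
static struct demo_result run_demo(void)
{
    struct demo_result r = { -1, -1, -1, -1, -1 };
    char base[] = "/tmp/skel-demo-XXXXXX", home[64];
    const char *const bad[] = { ".bashrc", ".gdbinit" }, *const good[] = { ".bashrc" };
    uid_t uid = geteuid();
    gid_t gid = getegid();
    int bfd, hfd = -1, ok;
    if (!mkdtemp(base))
        return r;
    snprintf(home, sizeof home, "%s/home", base);
    bfd = open(base, O_RDONLY | O_DIRECTORY);
    ok = bfd >= 0 && mkdirat(bfd, "home", 0700) == 0
        && (hfd = openat(bfd, "home", O_RDONLY | O_DIRECTORY)) >= 0
        && touch_at(bfd, "sensitive") == 0                     /* stands in for a root-owned file */
        && touch_at(hfd, ".bashrc") == 0                       /* ordinary skeleton file */
        && symlinkat("../sensitive", hfd, ".gdbinit") == 0     /* planted symlink */
        && linkat(bfd, "sensitive", hfd, ".profile", 0) == 0;  /* planted hard link */
    if (ok) {
        r.plain = chown_entry_nofollow(hfd, ".bashrc", uid, gid) ? errno : 0;
        r.via_symlink = chown_entry_nofollow(hfd, ".gdbinit", uid, gid) ? errno : 0;
        r.via_hardlink = chown_entry_nofollow(hfd, ".profile", uid, gid) ? errno : 0;
        r.home_bad = hand_over_home(home, bad, 2, uid, gid) ? errno : 0;
        r.home_clean = hand_over_home(home, good, 1, uid, gid) ? errno : 0;
    }
    unlinkat(hfd, ".bashrc", 0); unlinkat(hfd, ".gdbinit", 0); unlinkat(hfd, ".profile", 0);
    unlinkat(bfd, "sensitive", 0); unlinkat(bfd, "home", AT_REMOVEDIR);
    close(hfd); close(bfd); rmdir(base);   /* best-effort cleanup */
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("plain=%d symlink=%d hardlink=%d home_bad=%d home_clean=%d\n",
           r.plain, r.via_symlink, r.via_hardlink, r.home_bad, r.home_clean);
    return 0;
}
```

The `ELOOP` result for a symlink is the Linux behaviour of `O_NOFOLLOW`; the link-count check only helps for files the account owner could not have linked before the directory was handed over, which is why the directory itself is chowned last.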

From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:49:24 +0200

Maxime Devos wrote:

> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.

Also… in this paragraph, it’s not entirely clear which user we’re
talking about it. In news.scm, I reworded it like so:

  The attack can happen when @command{guix system reconfigure} is running.
  Running @command{guix system reconfigure} can trigger the creation of new user
  accounts if the configuration specifies new accounts.
  If a user whose account
  is being created manages to log in after the account has been created but
  before ``skeleton files'' copied to its home directory have the right
  ownership, they may, by creating an appropriately-named symbolic link in the
  home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
  root privileges.

It may also be worth mentioning that the user is likely unable to log in
at all at that point, as I wrote here:

  https://issues.guix.gnu.org/47584#6

WDYT?

Ludo’.

Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
To: Ludovic Courtès
Cc: 47584@debbugs.gnu.org
Date: Sun, 04 Apr 2021 09:36:05 +0200

On Sat, 2021-04-03 at 22:33 +0200, Ludovic Courtès wrote:
> Maxime Devos wrote:
>
> > The attack consists of the user being logged in after the account
> > skeletons have been copied to the home directory, but before the
> > owner of the account skeletons have been set. The user then deletes
> > a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
> > it with a symbolic link to a file not owned by the user, such as
> > @file{/etc/shadow}.
> >
> > The activation code then changes the ownership
> > of the file the symbolic link points to instead of the symbolic
> > link itself. At that point, the user has read-write access
> > to the target file.
>
> In the draft blog post, you mention that the attack cannot be carried
> out when protected symlinks are enabled.

In the blog post, I thought I wrote the attack can be carried out
*even if* protected symlinks are enabled. Looking at

  https://sysctl-explorer.net/fs/protected_symlinks/,

I don't think the Linux protected symlink feature helps, as home
directories are never sticky and world-writable.

Perhaps I should have written ‘possible’ instead of ‘not impossible’
in the blog post.

> Please mention that protected symlinks are enabled by default on Guix
> System since a March 16th commit, with a link to [...]

See my response above.

I agree with all other comments on this bug report.

Greetings,
Maxime.

Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
To: 47584@debbugs.gnu.org
Date: Sun, 04 Apr 2021 15:29:01 +0200

On Sat, 2021-04-03 at 18:26 +0200, Maxime Devos wrote:
> A suggested blog post is attached.

A revised blog post is attached. The following points are currently _not_
addressed:

Ludovic Courtès wrote:
> Also… in this paragraph, it’s not entirely clear which user we’re
> talking about it. In news.scm, I reworded it like so:
> The attack can happen when @command{guix system reconfigure} is running.
> Running @command{guix system reconfigure} can trigger the creation of new user
> accounts if the configuration specifies new accounts. If a user whose account
> is being created manages to log in after the account has been created but
> before ``skeleton files'' copied to its home directory have the right
> ownership, they may, by creating an appropriately-named symbolic link in the
> home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
> root privileges.
>
> It may also be worth mentioning that the user is likely unable to log in
> at all at that point, as I wrote here:

I can't think of something along these lines to write at the moment ...

Greetings,
Maxime.

[Attachment: 0001-website-Add-post-about-vulnerability-in-copy-account.patch]
MDAuLjY3ZjMwNTMKLS0tIC9kZXYvbnVsbAorKysgYi93ZWJzaXRlL3Bvc3RzL2hvbWUtc3ltbGlu ay5tZApAQCAtMCwwICsxLDg2IEBACit0aXRsZTogUmlzayBvZiBsb2NhbCBwcml2aWxlZ2UgZXNj YWxhdGlvbiBpbiBhY2NvdW50IGNyZWF0aW9uCitkYXRlOiAyMDIxLTA0LTA0IDE1OjMwCithdXRo b3I6IE1heGltZSBEZXZvcywgTHVkb3ZpYyBDb3VydMOocwordGFnczogU2VjdXJpdHkgQWR2aXNv cnkKKy0tLQorCitBIHNlY3VyaXR5IHZ1bG5lcmFiaWxpdHkgdGhhdCBjYW4gbGVhZCB0byBsb2Nh bCBwcml2aWxlZ2UKK2VzY2FsYXRpb24gaGFzIGJlZW4gZm91bmQgaW4gdGhlIGNvZGUgdGhhdCBj cmVhdGVzIHVzZXIgYWNjb3VudHMgb24gR3VpeAorU3lzdGVt4oCUR3VpeCBvbiBvdGhlciBkaXN0 cm9zIGlzIHVuYWZmZWN0ZWQuICBUaGUgc3lzdGVtIGlzIG9ubHkgdnVsbmVyYWJsZQorZHVyaW5n IHRoZSBhY3RpdmF0aW9uIG9mIG5vbi1zeXN0ZW0gdXNlciBhY2NvdW50cyB0aGF0IGRvIG5vdCBh bHJlYWR5IGV4aXN0LgorCitUaGlzIGV4cGxvaXQgaXMgX25vdF8gcHJldmVudGVkIGJ5IHRoZSBM aW51eCBbcHJvdGVjdGVkCitzeW1saW5rc10oaHR0cHM6Ly9zeXNjdGwtZXhwbG9yZXIubmV0L2Zz L3Byb3RlY3RlZF9zeW1saW5rcy8pIGZlYXR1cmUuCisKKyMgVnVsbmVyYWJpbGl0eQorCitUaGUg YXR0YWNrIGNvbnNpc3RzIG9mIHRoZSB1c2VyIGJlaW5nIGxvZ2dlZCBpbiBhZnRlciB0aGUgYWNj b3VudAorc2tlbGV0b25zIGhhdmUgYmVlbiBjb3BpZWQgdG8gdGhlIGhvbWUgZGlyZWN0b3J5LCBi dXQgYmVmb3JlIHRoZQorb3duZXIgb2YgdGhlIGFjY291bnQgc2tlbGV0b25zIGhhdmUgYmVlbiBz ZXQuICBUaGUgdXNlciB0aGVuIGRlbGV0ZXMKK2EgY29waWVkIGFjY291bnQgc2tlbGV0b24gKGUu Zy4gYCRIT01FLy5nZGJpbml0YCkgYW5kIHJlcGxhY2VzCitpdCB3aXRoIGEgc3ltYm9saWMgbGlu ayB0byBhIGZpbGUgbm90IG93bmVkIGJ5IHRoZSB1c2VyLCBzdWNoIGFzCitgL2V0Yy9zaGFkb3dg LgorCitUaGUgYWN0aXZhdGlvbiBjb2RlIHRoZW4gY2hhbmdlcyB0aGUgb3duZXJzaGlwIG9mIHRo ZSBmaWxlIHRoZSBzeW1ib2xpYworbGluayBwb2ludHMgdG8gaW5zdGVhZCBvZiB0aGUgc3ltYm9s aWMgbGluayBpdHNlbGYuICBBdCB0aGF0IHBvaW50LCB0aGUKK3VzZXIgaGFzIHJlYWQtd3JpdGUg YWNjZXNzIHRvIHRoZSB0YXJnZXQgZmlsZS4KKworIyBGaXgKKworVGhpcyBbYnVnXShodHRwczov L2lzc3Vlcy5ndWl4LmdudS5vcmcvNDc1ODQpIGhhcyBiZWVuCitbZml4ZWRdKGh0dHBzOi8vZ2l0 LnNhdmFubmFoLmdudS5vcmcvY2dpdC9ndWl4LmdpdC9jb21taXQvP2lkPTIxNjE4MjBlYmJiYWI2 MmE1Y2U3NmM5MTAxZWJhZWM1NGRjNjE1ODYpLgorU2VlIGJlbG93IGZvciB1cGdyYWRlIGluc3Ry 
dWN0aW9ucy4KKworVGhlIGZpeCBjb25zaXN0IG9mIGluaXRpYWxseSBjcmVhdGluZyB0aGUgaG9t ZSBkaXJlY3Rvcnkgcm9vdC1vd25lZCBhbmQgb25seQorY2hhbmdpbmcgdGhlIG93bmVyIG9mIHRo ZSBob21lIGRpcmVjdG9yeSBvbmNlIGFsbCBza2VsZXRvbnMgaGF2ZSBiZWVuIGNvcGllZAorYW5k IHRoZWlyIG93bmVyIGhhcyBiZWVuIHNldC4KKworIyBVcGdyYWRpbmcKKworVG8gdXBncmFkZSB0 aGUgR3VpeCBTeXN0ZW0sIHJ1biBzb21ldGhpbmcgbGlrZToKKworYGBgCitndWl4IHB1bGwKK3N1 ZG8gZ3VpeCBzeXN0ZW0gcmVjb25maWd1cmUgL3J1bi9jdXJyZW50LXN5c3RlbS9jb25maWd1cmF0 aW9uLnNjbQorc3VkbyByZWJvb3QKK2BgYAorCitBcyB0aGUgdXNlciBhY2NvdW50IGFjdGl2YXRp b24gY29kZSBpcyBydW4gYXMgYSBzaGVwaGVyZCBzZXJ2aWNlLAordGhlIGxhc3Qgc3RlcCBpcyBy ZXF1aXJlZCB0byBtYWtlIHN1cmUgdGhlIGZpeGVkIGFjdGl2YXRpb24gY29kZQoraXMgcnVuIGlu IHRoZSBmdXR1cmUuCisKK1RvIGF2b2lkIHRoZSB2dWxuZXJhYmlsaXR5IHdoaWxlIHVwZ3JhZGlu ZyB0aGUgc3lzdGVtLCBvbmx5IGRlY2xhcmUKK25ldyB1c2VyIGFjY291bnRzIGluIHRoZSBjb25m aWd1cmF0aW9uIGZpbGUgYWZ0ZXIgdGhlIEd1aXggU3lzdGVtCitoYXMgYmVlbiB1cGdyYWRlZC4K KworIyBDb25jbHVzaW9ucworCitXb3JrIGlzIG9uZ29pbmcgdG8gc3VwcG9ydCB0aGUgYG9wZW5h dGAgZmFtaWx5IG9mIFBPU0lYIGZ1bmN0aW9ucyBpbgorR3VpbGUsIHdoaWNoLCB3aGVuIHVzZWQs IGhlbHAgYWRkcmVzcyB0aGlzIGNsYXNzIG9mIHZ1bG5lcmFiaWxpdGllcy4KKworVGhpcyBpc3N1 ZSBpcyB0cmFja2VkIGFzCitbYnVnwqAjNDc1ODRdKGh0dHBzOi8vaXNzdWVzLmd1aXguZ251Lm9y Zy80NzU4NCk7IHlvdSBjYW4gcmVhZCB0aGUgdGhyZWFkCitmb3IgbW9yZSBpbmZvcm1hdGlvbi4K KworUGxlYXNlIHJlcG9ydCBhbnkgaXNzdWVzIHlvdSBtYXkgaGF2ZSB0bworW2BndWl4LWRldmVs QGdudS5vcmdgXShodHRwczovL2d1aXguZ251Lm9yZy9lbi9jb250YWN0LykuICBTZWUgdGhlCitb c2VjdXJpdHkgd2ViIHBhZ2VdKGh0dHBzOi8vZ3VpeC5nbnUub3JnL2VuL3NlY3VyaXR5LykgZm9y IGluZm9ybWF0aW9uCitvbiBob3cgdG8gcmVwb3J0IHNlY3VyaXR5IGlzc3Vlcy4KKworIyMjIyBB Ym91dCBHTlUgR3VpeAorCitbR05VIEd1aXhdKGh0dHBzOi8vZ3VpeC5nbnUub3JnKSBpcyBhIHRy YW5zYWN0aW9uYWwgcGFja2FnZSBtYW5hZ2VyIGFuZAorYW4gYWR2YW5jZWQgZGlzdHJpYnV0aW9u IG9mIHRoZSBHTlUgc3lzdGVtIHRoYXQgW3Jlc3BlY3RzIHVzZXIKK2ZyZWVkb21dKGh0dHBzOi8v d3d3LmdudS5vcmcvZGlzdHJvcy9mcmVlLXN5c3RlbS1kaXN0cmlidXRpb24tZ3VpZGVsaW5lcy5o 
dG1sKS4KK0d1aXggY2FuIGJlIHVzZWQgb24gdG9wIG9mIGFueSBzeXN0ZW0gcnVubmluZyB0aGUg SHVyZCBvciB0aGUgTGludXgKK2tlcm5lbCwgb3IgaXQgY2FuIGJlIHVzZWQgYXMgYSBzdGFuZGFs b25lIG9wZXJhdGluZyBzeXN0ZW0gZGlzdHJpYnV0aW9uCitmb3IgaTY4NiwgeDg2XzY0LCBBUk12 NywgYW5kIEFBcmNoNjQgbWFjaGluZXMuCisKK0luIGFkZGl0aW9uIHRvIHN0YW5kYXJkIHBhY2th Z2UgbWFuYWdlbWVudCBmZWF0dXJlcywgR3VpeCBzdXBwb3J0cwordHJhbnNhY3Rpb25hbCB1cGdy YWRlcyBhbmQgcm9sbC1iYWNrcywgdW5wcml2aWxlZ2VkIHBhY2thZ2UgbWFuYWdlbWVudCwKK3Bl ci11c2VyIHByb2ZpbGVzLCBhbmQgZ2FyYmFnZSBjb2xsZWN0aW9uLiAgV2hlbiB1c2VkIGFzIGEg c3RhbmRhbG9uZQorR05VL0xpbnV4IGRpc3RyaWJ1dGlvbiwgR3VpeCBvZmZlcnMgYSBkZWNsYXJh dGl2ZSwgc3RhdGVsZXNzIGFwcHJvYWNoIHRvCitvcGVyYXRpbmcgc3lzdGVtIGNvbmZpZ3VyYXRp b24gbWFuYWdlbWVudC4gIEd1aXggaXMgaGlnaGx5IGN1c3RvbWl6YWJsZQorYW5kIGhhY2thYmxl IHRocm91Z2ggW0d1aWxlXShodHRwczovL3d3dy5nbnUub3JnL3NvZnR3YXJlL2d1aWxlKQorcHJv Z3JhbW1pbmcgaW50ZXJmYWNlcyBhbmQgZXh0ZW5zaW9ucyB0byB0aGUKK1tTY2hlbWVdKGh0dHA6 Ly9zY2hlbWVycy5vcmcpIGxhbmd1YWdlLgotLSAKMi4zMS4xCgo= --=-Alt/SRaDwMpdmXfDXDES-- --=-tziKAX3PL53RU3HssADc Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYIADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYGm/HhccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7gOuAP4tiShMw0wcPnXaQOEAsH2ZF8+K fWgrX6P5rFS+2lysTgEAtFETSQvqwdujktK3lf2czEe0XVj+ioF2hjoccFbxCQ4= =7Hri -----END PGP SIGNATURE----- --=-tziKAX3PL53RU3HssADc-- From debbugs-submit-bounces@debbugs.gnu.org Mon Apr 05 15:55:42 2021 Received: (at 47584) by debbugs.gnu.org; 5 Apr 2021 19:55:42 +0000 Received: from localhost ([127.0.0.1]:38637 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTVK2-0003Zf-8F for submit@debbugs.gnu.org; Mon, 05 Apr 2021 15:55:42 -0400 Received: from eggs.gnu.org ([209.51.188.92]:37598) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lTVK0-0003ZQ-70 for 47584@debbugs.gnu.org; Mon, 05 Apr 2021 15:55:40 
-0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:36383) by eggs.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lTVJs-00038g-IC; Mon, 05 Apr 2021 15:55:34 -0400 Received: from [2a01:e0a:1d:7270:af76:b9b:ca24:c465] (port=46782 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1lTVJJ-0002gb-Gt; Mon, 05 Apr 2021 15:55:05 -0400 

From: Ludovic Courtès
To: Maxime Devos
Cc: Leo Famulari, 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Mon, 05 Apr 2021 21:54:56 +0200

Hi Maxime,

Maxime Devos wrote:

> On Sat, 2021-04-03 at 22:33 +0200, Ludovic Courtès wrote:
>> Maxime Devos wrote:
>>
>> > The attack consists of the user being logged in after the account
>> > skeletons have been copied to the home directory, but before the
>> > owner of the account skeletons have been set. The user then deletes
>> > a copied account skeleton (e.g. @file{$HOME/.gdbinit}) and replaces
>> > it with a symbolic link to a file not owned by the user, such as
>> > @file{/etc/shadow}.
>> >
>> > The activation code then changes the ownership
>> > of the file the symbolic link points to instead of the symbolic
>> > link itself.  At that point, the user has read-write access
>> > to the target file.
>>
>> In the draft blog post, you mention that the attack cannot be carried
>> out when protected symlinks are enabled.
>
> In the blog post, I thought I wrote the attack can be carried out
> *even if* protected symlinks are enabled.  Looking at
>
> https://sysctl-explorer.net/fs/protected_symlinks/,
>
> I don't think the Linux protected symlink feature helps, as home
> directories are never sticky and world-writable.

Oh right, my bad, I overlooked this.

> Perhaps I should have written ‘possible’ instead of ‘not impossible’
> in the blog post.

Dunno, maybe it’s just me not paying enough attention.

> I agree with all other comments on this bug report.

OK.

It does mean that the bug is hardly exploitable in practice: you
have to be able to log in at all, and if you’re able to log in, you have
to log in precisely within the 1s (or less) that follows account
creation, which sounds challenging (TCP + SSH connection establishment
is likely to take as much time or more, likewise for typing in your
password.)  It’s also one-time chance.

Do I get it right?  Does it warrant as strong messaging as for the
recent daemon ‘--keep-failed’ vulnerability?

Thanks,
Ludo’.
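
The swap described in this message and a descriptor-based ownership change that refuses it, as an added C example (not code from this thread or from Guix). The function names, the temporary directory and the stand-in target file are constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* BEFORE: the pattern the report describes.  chown(2) resolves a trailing
 * symlink, so a link swapped in after the copy redirects the ownership
 * change to the link's target. */
int chown_skeleton_racy(const char *home, const char *name,
                        uid_t uid, gid_t gid)
{
    char path[4096];

    if (snprintf(path, sizeof path, "%s/%s", home, name) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return chown(path, uid, gid);
}

/* AFTER: open the entry relative to the home directory without following a
 * symlink, check what was actually opened, then change the owner of that
 * inode through the descriptor. */
int chown_skeleton_nofollow(int home_fd, const char *name,
                            uid_t uid, gid_t gid)
{
    struct stat st;
    int rc = -1, saved;
    int fd = openat(home_fd, name,
                    O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);

    if (fd < 0)
        return -1;              /* ELOOP on Linux when NAME is a symlink */
    if (fstat(fd, &st) == 0) {
        if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode))
            rc = fchown(fd, uid, gid);
        else
            errno = EINVAL;     /* refuse FIFOs, devices and sockets */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Constructed scenario in a temporary "home": .gdbinit is either a regular
 * file or, with SWAPPED set, a symlink to a stand-in target file.  Uses the
 * caller's own uid and leaves the group alone, so it runs unprivileged.
 * Returns 0 when the ownership call succeeded, otherwise its errno. */
int demo_chown(int hardened, int swapped)
{
    char home[] = "/tmp/skel-demo-XXXXXX";
    char target[64], skel[64];
    int home_fd, fd, rc, err;

    if (mkdtemp(home) == NULL)
        return errno;
    snprintf(target, sizeof target, "%s/target", home);
    snprintf(skel, sizeof skel, "%s/.gdbinit", home);
    if ((fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0)
        close(fd);
    if (swapped)
        rc = symlink("target", skel);
    else if ((rc = open(skel, O_WRONLY | O_CREAT | O_EXCL, 0644)) >= 0)
        close(rc);
    home_fd = open(home, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0 || rc < 0 || home_fd < 0)
        err = EIO;              /* fixture setup failed */
    else if (hardened)
        err = chown_skeleton_nofollow(home_fd, ".gdbinit", geteuid(),
                                      (gid_t)-1) == 0 ? 0 : errno;
    else
        err = chown_skeleton_racy(home, ".gdbinit", geteuid(),
                                  (gid_t)-1) == 0 ? 0 : errno;
    if (home_fd >= 0)
        close(home_fd);
    unlink(skel);
    unlink(target);
    rmdir(home);
    return err;
}

int main(void)
{
    printf("path-based chown, entry swapped:  %d\n", demo_chown(0, 1));
    printf("fd-based chown, entry swapped:    %d (ELOOP is %d)\n",
           demo_chown(1, 1), ELOOP);
    printf("fd-based chown, regular skeleton: %d\n", demo_chown(1, 0));
    return 0;
}
```

The path-based call reports success on the swapped entry because it acted on the link's target; the descriptor-based call fails before any ownership change is attempted.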

Message-ID: <00621260aa43f1918aaf0f0bb2318bf359b826c3.camel@telenet.be>
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
To: Ludovic Courtès
Date: Tue, 06 Apr 2021 11:56:23 +0200
In-Reply-To: <87zgycqzfz.fsf@gnu.org>
Cc: Leo Famulari, 47584@debbugs.gnu.org

On Mon, 2021-04-05 at 21:54 +0200, Ludovic Courtès wrote:
> [...]
>
> OK.  It does mean that the bug is hardly exploitable in practice: you
> have to be able to log in at all,

Yes.

> and if you’re able to log in, you have
> to log in precisely within the 1s (or less) that follows account
> creation, which sounds challenging (TCP + SSH connection establishment
> is likely to take as much time or more,

Is logging in possible when the home directory doesn't exist?
It isn't possible from the console.  I guess it isn't possible from SSH either.
If it is possible, then the window would be somewhat larger I think.
Account creation is done at activation time, while creating home directories
is done as a shepherd service (see account-service-type in gnu/system/shadow.scm).

> likewise for typing in your password.)

An attacker could copy and paste, or have used a single-character password,
to save some time.

> It’s also one-time chance.

Yes.

> Do I get it right?

I think so, except the window might be larger (but still a one-time chance).

> Does it warrant as strong messaging as for the recent daemon
> ‘--keep-failed’ vulnerability?

As it is a one-time chance, with a limited window, and only under specific
circumstances (creating a new user account), I don't think so.  But I would
still recommend to upgrade.  Does the blog post have ‘too strong messaging’?

Greetings,
Maxime

From: Ludovic Courtès
To: Maxime Devos
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Tue, 06 Apr 2021 13:57:08 +0200
In-Reply-To: <00621260aa43f1918aaf0f0bb2318bf359b826c3.camel@telenet.be> (Maxime Devos's message of "Tue, 06 Apr 2021 11:56:23 +0200")
Message-ID: <87v98zmxrf.fsf@gnu.org>
Cc: Leo Famulari, 47584@debbugs.gnu.org

Hi Maxime,

Maxime Devos skribis:

> On Mon, 2021-04-05 at 21:54 +0200, Ludovic Courtès wrote:
>> [...]
>>
>> OK.  It does mean that the bug is hardly exploitable in practice: you
>> have to be able to log in at all,
> Yes.
>
>> and if you’re able to log in, you have
>> to log in precisely within the 1s (or less) that follows account
>> creation, which sounds challenging (TCP + SSH connection establishment
>> is likely to take as much time or more,
>
> Is logging in possible when the home directory doesn't exist?

I think so.

> An attacker could copy and paste, or have used a single-character password,
> to save some time.

Hmm yes.  It’s a bit a far-fetched though: the attacker would have
passed the sysadmin the output of the ‘crypt’ procedure, such that the
sysadmin cannot know the password length.

>> Does it warrant as strong messaging as for the recent daemon
>> ‘--keep-failed’ vulnerability?
>
> As it is a one-time chance, with a limited window, and only under specific
> circumstances (creating a new user account), I don't think so.  But I would
> still recommend to upgrade.  Does the blog post have ‘too strong messaging’?

The blog post and info-guix messages are the highest levels of
visibility we can give, roughly.  So I think we have to think twice
before doing that or truly important issues will eventually go
unnoticed.

The risk with this issue seems much lower than that of the keep-failed
issue, it even looks super low.

WDYT?

Ludo’.

Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
From: Maxime Devos
To: Ludovic Courtès
Date: Wed, 07 Apr 2021 20:28:02 +0200
In-Reply-To: <87v98zmxrf.fsf@gnu.org>
Cc: Leo Famulari, 47584@debbugs.gnu.org

On Tue, 2021-04-06 at 13:57 +0200, Ludovic Courtès wrote:
> [...]
>
> The blog post and info-guix messages are the highest levels of
> visibility we can give, roughly.  So I think we have to think twice
> before doing that or truly important issues will eventually go
> unnoticed.
>
> The risk with this issue seems much lower than that of the keep-failed
> issue, it even looks super low.
>
> WDYT?

That is a good point, but I still wonder if there's *somewhere*
this can be posted.  I was going to start a thread at guix-devel about
blog posts in general (categories, what can be posted as a ‘official’
blog post on guix.gnu.org, any maximal frequencies ...) but I ended up
being busy with other things.

Greetings,
Maxime.

Message-ID: <5c6c936c-7558-a6a1-5a36-ba8bb38db530@telenet.be>
Date: Fri, 21 Oct 2022 11:31:14 +0200
To: 47584@debbugs.gnu.org
From: Maxime Devos
Subject: Re: Race condition in ‘copy-account-skeletons’: possible privilege escalation.

Now openat etc is in Guile, I've looked into adjusting mkdir-p/perms
appropriately.  TODO: change the Guile used for activation to some
commit that has openat etc, adjust patch according to test failures.
(Not tested yet)

Greetings,
Maxime.

Content-Type: text/x-patch; charset=UTF-8; name="mkdir-p.diff"
Content-Disposition: attachment; filename="mkdir-p.diff"

Message-ID: <0d5b596b-cc47-aafc-bee9-5b23d734298c@telenet.be>
Date: Fri, 28 Oct 2022 18:03:26 +0200
To: 47584@debbugs.gnu.org
From: Maxime Devos
Subject: [DRAFT PATCH v2 0/4] Fix race condition in mkdir-p/perms

> TODO: change the Guile used for activation to some
> commit that has openat etc, [...]

This is done now, but "make check-system" now fails due to an openssl
build failure, see latest patch, so not yet appliable ...
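
A component-by-component directory walk with openat, the approach this thread names for mkdir-p/perms, as an added C example (not the Guile patch from this thread). The signature mirrors mkdir-p/perms; the helper names, the 0755 mode for created ancestors and the demo directory layout are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Close FD while preserving the errno of the failure being reported. */
static void close_keep_errno(int fd)
{
    int saved = errno;

    close(fd);
    errno = saved;
}

/* Create DIR and its missing ancestors, refusing a symlink in any
 * component, then set owner and mode on DIR through its descriptor.
 * Returns an open descriptor for DIR, or -1 with errno set. */
int mkdir_p_perms(const char *dir, uid_t uid, gid_t gid, mode_t bits)
{
    /* O_NOFOLLOW rejects a symlink, O_DIRECTORY anything not a directory. */
    const int flags = O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC;
    char *copy = strdup(dir), *save = NULL, *head;
    int root, next, saved;

    if (copy == NULL)
        return -1;
    root = open(dir[0] == '/' ? "/" : ".",
                O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    for (head = strtok_r(copy, "/", &save); root >= 0 && head != NULL;
         head = strtok_r(NULL, "/", &save)) {
        next = openat(root, head, flags);
        if (next < 0 && errno == ENOENT
            && (mkdirat(root, head, 0755) == 0 || errno == EEXIST))
            /* Created here, or by someone else in between: either way the
             * same checked open decides whether to descend into it. */
            next = openat(root, head, flags);
        close_keep_errno(root);
        root = next;
    }
    if (root >= 0 && (fchown(root, uid, gid) < 0 || fchmod(root, bits) < 0)) {
        close_keep_errno(root);
        root = -1;
    }
    saved = errno;
    free(copy);
    errno = saved;
    return root;
}

/* Constructed scenario: inside a temporary directory, "real" is a directory
 * and "link" is a symlink to it.  Changes the working directory.  Returns 0
 * when <real|link>/sub/dir was created with mode 0700, otherwise the errno
 * from mkdir_p_perms. */
int demo_mkdir(int through_symlink)
{
    char base[] = "/tmp/mkdirp-demo-XXXXXX";
    struct stat st;
    int fd, err = EIO;

    if (mkdtemp(base) == NULL || chdir(base) < 0)
        return errno;
    if (mkdir("real", 0755) == 0 && symlink("real", "link") == 0) {
        fd = mkdir_p_perms(through_symlink ? "link/sub/dir" : "real/sub/dir",
                           geteuid(), (gid_t)-1, 0700);
        if (fd < 0) {
            err = errno;
        } else {
            if (fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0700)
                err = 0;
            close(fd);
        }
    }
    rmdir("real/sub/dir");
    rmdir("real/sub");
    unlink("link");
    rmdir("real");
    if (chdir("/") == 0)
        rmdir(base);
    return err;
}

int main(void)
{
    printf("real/sub/dir: %d\n", demo_mkdir(0));
    printf("link/sub/dir: %d (ELOOP is %d, ENOTDIR is %d)\n",
           demo_mkdir(1), ELOOP, ENOTDIR);
    return 0;
}
```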

From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: [PATCH 2/3] WIP gnu: Change the Guile used for activation to one that has 'openat'.
Date: Fri, 28 Oct 2022 18:04:08 +0200
Message-Id: <20221028160409.31887-2-maximedevos@telenet.be>
In-Reply-To: <20221028160409.31887-1-maximedevos@telenet.be>
Cc: Maxime Devos

TODO: when doing "make check-system TESTS=ldap", I get a build failure
of openssl@1.1.1l, I suspect it's a situation like again, though I haven't
investigated yet.

Test Summary Report
-------------------
../test/recipes/80-test_ssl_new.t (Wstat: 256 Tests: 29 Failed: 1)
Failed test: 12
Non-zero exit status: 1
Files=158, Tests=2636, 157 wallclock secs ( 2.29 usr 0.18 sys + 104.74 cusr 28.04 csys = 135.25 CPU)
Result: FAIL
make[1]: *** [Makefile:208: _tests] Error 1
make[1]: Leaving directory '/tmp/guix-build-openssl-1.1.1l.drv-0/openssl-1.1.1l'
make: *** [Makefile:205: tests] Error 2

Test suite failed, dumping logs.
error: in phase 'check': uncaught exception:
%exception #<&invoke-error program: "make" arguments: ("test") exit-status: 2 term-signal: #f stop-signal: #f>
phase `check' failed after 157.1 seconds
command "make" "test" failed with status 2
note: keeping build directory `/tmp/guix-build-openssl-1.1.1l.drv-1'
builder for `/gnu/store/jhijsrxqh586l8ck61ppkhydkb158hj0-openssl-1.1.1l.drv' failed with exit code 1
build of /gnu/store/jhijsrxqh586l8ck61ppkhydkb158hj0-openssl-1.1.1l.drv failed
[...]

This is required by the next patch, in which 'mkdir-p/perms' uses
'openat'.

* gnu/packages/guile.scm (guile-for-activation): New variable.
* gnu/services.scm (activation-script)[actions]: Set #:guile to
guile-for-activation.
* gnu/packages/make-bootstrap.scm (%guile-static-stripped/initrd):
New variable.
* gnu/system/linux-initrd.scm (expression->initrd): Use
%guile-static-stripped/initrd instead of %guile-static-stripped.
--- gnu/packages/guile.scm | 5 +++++ gnu/packages/make-bootstrap.scm | 15 ++++++++++++--- gnu/services.scm | 5 ++++- gnu/system/linux-initrd.scm | 4 ++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index 936fc8649f..1d1b0bd77b 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm @@ -460,6 +460,11 @@ (define-public guile-next gperf))) (synopsis "Development version of GNU Guile")))) +;; The important thing here is that this Guile has 'openat' and friends +;; for (gnu build activation), which at time of writing isn't available +;; in any release yet. +(define-public guile-for-activation guile-next) + (define* (make-guile-readline guile #:optional (name "guile-readline")) (package (name name) diff --git a/gnu/packages/make-bootstrap.scm b/gnu/packages/make-bootstrap.scm index 4ea97368a9..8852caa406 100644 --- a/gnu/packages/make-bootstrap.scm +++ b/gnu/packages/make-bootstrap.scm 
@@ -7,6 +7,7 @@ ;;; Copyright © 2019, 2020 Marius Bakke ;;; Copyright © 2020 Mathieu Othacehe ;;; Copyright © 2021 Pierre Langlois +;;; Copyright © 2022 Maxime Devos ;;; ;;; This file is part of GNU Guix. ;;; @@ -57,7 +58,8 @@ (define-module (gnu packages make-bootstrap) %mes-bootstrap-tarball %bootstrap-tarballs - %guile-static-stripped)) + %guile-static-stripped + %guile-static-stripped/initrd)) ;;; Commentary: ;;; @@ -794,14 +796,21 @@ (define* (make-guile-static-stripped static-guile) (synopsis "Minimal statically-linked and relocatable Guile"))) (define %guile-static-stripped - ;; A stripped static Guile 3.0 binary, for use in initrds - ;; and during bootstrap. + ;; A stripped static Guile 3.0 binary, for use during bootstrap. (make-guile-static-stripped (make-guile-static guile-3.0 '("guile-2.2-default-utf8.patch" "guile-3.0-linux-syscalls.patch" "guile-3.0-relocatable.patch")))) +;; Like %guile-static-stripped, but for use in initrds. +(define %guile-static-stripped/initrd + (make-guile-static-stripped + (make-guile-static guile-for-activation + '("guile-2.2-default-utf8.patch" + "guile-3.0-linux-syscalls.patch" + "guile-3.0-relocatable.patch")))) + (define (tarball-package pkg) "Return a package containing a tarball of PKG." (package diff --git a/gnu/services.scm b/gnu/services.scm index 2abef557d4..e051f9e821 100644 --- a/gnu/services.scm +++ b/gnu/services.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2021 raid5atemyhomework ;;; Copyright © 2020 Christine Lemmer-Webber ;;; Copyright © 2020, 2021 Brice Waegeneire +;;; Copyright © 2022 Maxime Devos ;;; ;;; This file is part of GNU Guix. ;;; @@ -41,6 +42,7 @@ (define-module (gnu services) #:use-module (guix utils) #:use-module (gnu packages base) #:use-module (gnu packages bash) + #:use-module ((gnu packages guile) #:select (guile-for-activation)) #:use-module (gnu packages hurd) #:use-module (gnu system setuid) #:use-module (srfi srfi-1) 
@@ -610,7 +612,8 @@ (define* (activation-service->script service) (define (activation-script gexps) "Return the system's activation script, which evaluates GEXPS." (define actions - (map (cut program-file "activate-service.scm" <>) gexps)) + (map (cut program-file "activate-service.scm" <> + #:guile guile-for-activation) gexps)) (program-file "activate.scm" (with-imported-modules (source-module-closure diff --git a/gnu/system/linux-initrd.scm b/gnu/system/linux-initrd.scm index 4c4c78e444..b65d830a17 100644 --- a/gnu/system/linux-initrd.scm +++ b/gnu/system/linux-initrd.scm @@ -36,7 +36,7 @@ (define-module (gnu system linux-initrd) #:use-module ((gnu packages xorg) #:select (console-setup xkeyboard-config)) #:use-module ((gnu packages make-bootstrap) - #:select (%guile-static-stripped)) + #:select (%guile-static-stripped/initrd)) #:use-module (gnu system file-systems) #:use-module (gnu system mapped-devices) #:use-module (gnu system keyboard) @@ -62,7 +62,7 @@ (define-module (gnu system linux-initrd) (define* (expression->initrd exp #:key - (guile %guile-static-stripped) + (guile %guile-static-stripped/initrd) (gzip gzip) (name "guile-initrd") (system (%current-system)))
-- 2.38.0
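
Review bot: The comment above guile-for-activation in gnu/packages/guile.scm explains why the alias exists but not when it should go away, and the alias points straight at guile-next, so the activation scripts and the initrd are built on a development snapshot for as long as nobody revisits it. Please extend the comment with the exit condition, for example "switch back to the released Guile once a release provides 'openat'". In gnu/packages/make-bootstrap.scm, %guile-static-stripped/initrd repeats the three-entry patch list of %guile-static-stripped word for word; binding the list once and using it in both definitions keeps them from drifting, and it is worth confirming that the guile-2.2 and guile-3.0 patches still apply to the snapshot. In gnu/system/linux-initrd.scm the #:select no longer imports %guile-static-stripped, so any other use of that name in the file would become unbound; the hunks only show the default of expression->initrd being changed. The commit message still carries an open TODO about the openssl@1.1.1l test failure, which should be resolved or dropped before the WIP tag is.
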
From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46.
Date: Fri, 28 Oct 2022 18:04:07 +0200
Message-Id: <20221028160409.31887-1-maximedevos@telenet.be>

* gnu/packages/guile.scm (guile-next): Update to 3.0.8, commit 793fb46.
[arguments]: Remove 'skip-failing-tests', as presumably the issues are fixed in the new version.
--- gnu/packages/guile.scm | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/gnu/packages/guile.scm b/gnu/packages/guile.scm index fcdf75051c..936fc8649f 100644 --- a/gnu/packages/guile.scm +++ b/gnu/packages/guile.scm @@ -431,11 +431,11 @@ (define-public guile-3.0/fixed ; when heavily loaded) (define-public guile-next - (let ((version "3.0.7") + (let ((version "3.0.8") (revision "0") - (commit "d70c1dbebf9ac0fd45af4578c23983ec4a7da535")) + (commit "793fb46a1e69fa2156805e4a97b340cf62e096a6")) (package - (inherit guile-3.0) + (inherit guile-3.0-latest) (name "guile-next") (version (git-version version revision commit)) (source (origin
@@ -447,19 +447,10 @@ (define-public guile-next (file-name (git-file-name name version)) (sha256 (base32 - "05rsk9lh5kchbav3lwfwgvgybrykqqjmkkc6689fhb3mjr5m3dqj")))) - (arguments - (substitute-keyword-arguments (package-arguments guile-3.0) - ((#:phases phases '%standard-phases) - `(modify-phases ,phases - (add-before 'check 'skip-failing-tests - (lambda _ - (substitute* "test-suite/standalone/test-out-of-memory" - (("!#") "!#\n\n(exit 77)\n")) - (delete-file "test-suite/tests/version.test") - #t)))))) + "0x42qhsdgx7mg6ap2zgbpbj3f5yhjapyr3xkpzb1z6f2yc8rdlsw")))) (native-inputs - (modify-inputs (package-native-inputs guile-3.0) + (modify-inputs (package-native-inputs guile-3.0-latest) + (replace "guile" this-package) ; for cross-compilation (prepend autoconf automake libtool
base-commit: 31a56967e2869c916b7a5e8ee570e8e10f0210a5
-- 2.38.0
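
Review bot: The second hunk deletes the whole arguments block, and with it the 'skip-failing-tests phase, on the strength of "presumably the issues are fixed in the new version"; please run the test suite of the updated guile-next and state the result in the commit message, since that phase was forcing test-out-of-memory to exit 77 and deleting test-suite/tests/version.test. Two further changes are missing from the ChangeLog entry: (inherit guile-3.0) becomes (inherit guile-3.0-latest) in the first hunk, and native-inputs gains (replace "guile" this-package) in the second. Both change what guile-next is built from and with, so each deserves its own line, for example a [native-inputs] entry that names the replacement and the cross-compilation reason given in the inline comment.
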
From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: [PATCH 3/3] activation: Fix TOCTTOU in mkdir-p/perms.
Date: Fri, 28 Oct 2022 18:04:09 +0200
Message-Id: <20221028160409.31887-3-maximedevos@telenet.be>
In-Reply-To: <20221028160409.31887-1-maximedevos@telenet.be>
References: <20221028160409.31887-1-maximedevos@telenet.be>

I removed the 'Based upon mkdir-p from (guix build utils)' comment because it's quite a bit different now.

* gnu/build/activation.scm (verify-not-symbolic): Delete.
(mkdir-p/perms): Rewrite in terms of 'openat'.
--- gnu/build/activation.scm | 90 +++++++++++++++++++++++++--------------- 1 file changed, 57 insertions(+), 33 deletions(-) diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 10c9045740..29c6f2ce4c 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm
@@ -5,7 +5,7 @@ ;;; Copyright © 2015, 2018 Mark H Weaver ;;; Copyright © 2018 Arun Isaac ;;; Copyright © 2018, 2019 Ricardo Wurmus -;;; Copyright © 2021 Maxime Devos +;;; Copyright © 2021, 2022 Maxime Devos ;;; Copyright © 2020 Christine Lemmer-Webber ;;; Copyright © 2021 Brice Waegeneire ;;; 
@@ -64,46 +64,70 @@ (define %skeleton-directory (define (dot-or-dot-dot? file) (member file '("." ".."))) -;; Based upon mkdir-p from (guix build utils) -(define (verify-not-symbolic dir) - "Verify DIR or its ancestors aren't symbolic links." +(define (mkdir-p/perms directory owner bits) + "Create directory DIRECTORY and all its ancestors. + +Additionally, verify no component of DIRECTORY is a symbolic link, +without TOCTTOU races. However, if OWNER differs from the the current +(process) uid/gid, there is a small window in which DIRECTORY is set to the +current (process) uid/gid instead of OWNER. This is not expected to be +a problem in practice. + +The permission bits and owner of DIRECTORY are set to BITS and OWNER. +Anything above DIRECTORY that already exists keeps +its old owner and bits. For components that do not exist yet, the owner +and bits are set according to the default behaviour of 'mkdir'." (define absolute? - (string-prefix? "/" dir)) + (string-prefix? "/" directory)) (define not-slash (char-set-complement (char-set #\/))) - (define (verify-component file) - (unless (eq? 'directory (stat:type (lstat file))) - (error "file name component is not a directory" dir))) + ;; By combining O_NOFOLLOW and O_DIRECTORY, this procedure automatically + ;; verifies that no components are symlinks. + (define open-flags (logior O_CLOEXEC ; don't pass the port on to subprocesses + O_NOFOLLOW ; don't follow symlinks + O_DIRECTORY)) ; reject anything not a directory - (let loop ((components (string-tokenize dir not-slash)) - (root (if absolute? - "" - "."))) + (let loop ((components (string-tokenize directory not-slash)) + (root (open (if absolute? "/" ".") open-flags))) (match components ((head tail ...) 
- (let ((file (string-append root "/" head))) - (catch 'system-error - (lambda () - (verify-component file) - (loop tail file)) - (lambda args - (if (= ENOENT (system-error-errno args)) - #t - (apply throw args)))))) - (() #t)))) - -;; TODO: the TOCTTOU race can be addressed once guile has bindings -;; for fstatat, openat and friends. -(define (mkdir-p/perms directory owner bits) - "Create the directory DIRECTORY and all its ancestors. -Verify no component of DIRECTORY is a symbolic link. -Warning: this is currently suspect to a TOCTTOU race!" - (verify-not-symbolic directory) - (mkdir-p directory) - (chown directory (passwd:uid owner) (passwd:gid owner)) - (chmod directory bits)) + (let retry () + ;; In the usual case, we expect HEAD to already exist. + (match (catch 'system-error + (lambda () + (openat root head open-flags)) + (lambda args + (if (= ENOENT (system-error-errno args)) + #false + (begin + (close-port root) + (apply throw args))))) + ((? port? new-root) + (close root) + (loop tail new-root)) + (#false + ;; If not, create it. + (catch 'system-error + (lambda _ + (mkdirat root head)) + (lambda args + ;; Someone else created the directory. Unexpected but fine. 
+ (unless (= EEXIST (system-error-errno args)) + (close-port root) + (apply throw args)))) + (retry))))) + (() + (catch 'system-error + (lambda () + (chown root (passwd:uid owner) (passwd:gid owner)) + (chmod root bits)) + (lambda args + (close-port root) + (apply throw args))) + (close-port root) + (values))))) (define* (copy-account-skeletons home #:key
-- 2.38.0
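
Review bot: In the new mkdir-p/perms, (mkdirat root head) creates every missing component, the final one included, with the default mode and the process's uid/gid, and BITS is applied only by the later chmod; the docstring acknowledges the owner window but not the mode window, which matters whenever BITS is stricter than what the umask leaves. If mkdirat accepts a mode argument as mkdir does, create the last component with a restrictive mode and let the final chmod set BITS; otherwise document the mode window next to the owner one. The retry loop has no bound: a component that keeps alternating between ENOENT on openat and EEXIST on mkdirat spins forever, so a small retry limit that then throws would be safer. Smaller points: the docstring reads "from the the current", and the success branch uses (close root) where every other path uses (close-port root).
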
From: Maxime Devos
To: 47584@debbugs.gnu.org
Subject: Re: [PATCH 1/3] guile-next: Update to 3.0.8-793fb46.
Date: Fri, 28 Oct 2022 18:05:47 +0200
Message-ID: <3b9decf0-7fb1-4426-2636-1a68eb19992e@telenet.be>
In-Reply-To: <20221028160409.31887-1-maximedevos@telenet.be>
References: <20221028160409.31887-1-maximedevos@telenet.be>

From: Ludovic Courtès
To: Maxime Devos
Cc: 47584-done@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Fri, 06 Sep 2024 11:49:46 +0200
Message-ID: <87jzfpyuv9.fsf_-_@gnu.org>
In-Reply-To: <20221028160409.31887-3-maximedevos@telenet.be> (Maxime Devos's message of "Fri, 28 Oct 2022 18:04:09 +0200")
References: <20221028160409.31887-1-maximedevos@telenet.be> <20221028160409.31887-3-maximedevos@telenet.be>

Hello,

Maxime Devos wrote:

> I removed the 'Based upon mkdir-p from (guix build utils)'
> comment because it's quite a bit different now.
>
> * gnu/build/activation.scm (verify-not-symbolic): Delete.
> (mkdir-p/perms): Rewrite in terms of 'openat'.

Finally pushed as c1283e203995c8d84584e701b965efe086d1d666, now that Guile 3.0.9 with the *at family of procedures is the default (and has been for a while, actually).

Great work both in Guile upstream and in Guix here.

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Sat, 05 Oct 2024 11:24:19 +0000
Message-Id: bug archived.

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
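
The descriptor-relative walk that the [PATCH 3/3] docstring describes, as an added example in Python (not the Guix code, which is Guile): each component is opened relative to its parent's descriptor with O_NOFOLLOW and O_DIRECTORY, and owner and mode are set through the final descriptor. The names mkdir_p_perms, demo and MAX_RETRIES and the sample tree are assumptions of this example, and the retry bound is not in the patch.

```python
import errno
import os
import shutil
import stat
import tempfile

# Same three flags as the patch: refuse a symlink as the component being
# opened, refuse non-directories, keep the descriptor out of child processes.
OPEN_FLAGS = os.O_RDONLY | os.O_CLOEXEC | os.O_NOFOLLOW | os.O_DIRECTORY
MAX_RETRIES = 8  # assumption of this example; the patch retries without a bound


def mkdir_p_perms(directory, uid, gid, bits):
    """Create DIRECTORY and its ancestors, then set owner and mode on the
    final directory through its descriptor, never through its name."""
    root = os.open("/" if directory.startswith("/") else ".", OPEN_FLAGS)
    try:
        for head in (part for part in directory.split("/") if part):
            for _ in range(MAX_RETRIES):
                try:
                    # Resolved relative to ROOT, so replacing an ancestor by
                    # name after it was opened cannot redirect this step.
                    new_root = os.open(head, OPEN_FLAGS, dir_fd=root)
                    break
                except FileNotFoundError:
                    try:
                        os.mkdir(head, dir_fd=root)
                    except FileExistsError:
                        pass  # created concurrently: open it on the next pass
            else:
                raise OSError(errno.EAGAIN, "component keeps disappearing", head)
            os.close(root)
            root = new_root
        os.fchown(root, uid, gid)  # fchown/fchmod act on the inode we hold
        os.fchmod(root, bits)
    finally:
        os.close(root)


def demo():
    """Run the walk on a constructed tree and report what happened."""
    base = os.path.realpath(tempfile.mkdtemp())  # constructed sandbox
    uid, gid = os.getuid(), os.getgid()
    try:
        target = os.path.join(base, "home", "alice")
        mkdir_p_perms(target, uid, gid, 0o700)
        mode = stat.S_IMODE(os.stat(target).st_mode)

        # A path component that is a symlink to a directory elsewhere.
        outside = os.path.join(base, "outside")
        os.mkdir(outside)
        os.symlink(outside, os.path.join(base, "home", "bob"))
        try:
            mkdir_p_perms(os.path.join(base, "home", "bob", ".config"),
                          uid, gid, 0o700)
            refused = None
        except OSError as err:
            refused = err.errno  # ELOOP or ENOTDIR, never ENOENT
        return {"mode": mode, "refused": refused,
                "leaked": os.listdir(outside)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Because the symlink makes the open fail with an error other than ENOENT, the create branch is never reached and nothing is written behind the link.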