GNU bug report logs -
#47584
Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Previous Next
Reported by: Maxime Devos <maximedevos <at> telenet.be>
Date: Sat, 3 Apr 2021 16:10:02 UTC
Severity: important
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Maxime Devos <maximedevos <at> telenet.be> skribis:
> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.
Also… in this paragraph, it’s not entirely clear which user we’re
talking about it. In news.scm, I reworded it like so:
The attack can happen when @command{guix system reconfigure} is running.
Running @command{guix system reconfigure} can trigger the creation of new user
accounts if the configuration specifies new accounts. If a user whose account
is being created manages to log in after the account has been created but
before ``skeleton files'' copied to its home directory have the right
ownership, they may, by creating an appropriately-named symbolic link in the
home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
root privileges.
It may also be worth mentioning that the user is likely unable to log in
at all at that point, as I wrote here:
https://issues.guix.gnu.org/47584#6
WDYT?
Ludo’.
This bug report was last modified 260 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.