GNU bug report logs - #51833
SECURITY: Sanitize the permissions for guix daemon socket?

Package: guix

Reported by: Jacob Hrbek <kreyren <at> rixotstudio.cz>

Date: Sun, 14 Nov 2021 09:20:01 UTC

Severity: normal

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.


Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jacob Hrbek <kreyren <at> rixotstudio.cz>
To: "bug-guix <at> gnu.org" <bug-guix <at> gnu.org>
Subject: SECURITY: Sanitize the permissions for guix daemon socket?
Date: Sun, 14 Nov 2021 09:18:46 +0000
The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666, which allows **ALL** users on the system to interact with the guix daemon to write in the store directory.

Proposing to define a group (or use the guixbuild group?) to by default deny access to the socket to all users without the group, as I see this being a security issue waiting to happen.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.
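
An added example, not part of the original report and not Guix code: a Python audit of which permission class can connect to a Unix socket, using the socket path quoted in the message above. It assumes an absolute path and Linux semantics (connecting needs write permission on the socket and search permission on every parent directory); the helper names are hypothetical.

```python
import os
import stat

GUIX_SOCKET = "/var/guix/daemon-socket/socket"  # path quoted in the report
# Simplification: classes are ranked, owner/group identities are not compared
# between path levels, and ACLs and root's bypass are not evaluated.
RANK = {"none": 0, "owner": 1, "group": 2, "world": 3}


def scope(mode, other, group, owner):
    """Widest permission class whose bit is set in mode."""
    if mode & other:
        return "world"
    if mode & group:
        return "group"
    return "owner" if mode & owner else "none"


def connect_scope(mode):
    """Who may connect(2) to the socket: the write bit decides."""
    if not stat.S_ISSOCK(mode):
        raise ValueError("not a Unix socket")
    return scope(mode, stat.S_IWOTH, stat.S_IWGRP, stat.S_IWUSR)


def traverse_scope(mode):
    """Who may pass through a directory: the search (x) bit decides."""
    return scope(mode, stat.S_IXOTH, stat.S_IXGRP, stat.S_IXUSR)


def audit(path, stat_fn=os.stat):
    """Return (effective scope, [(path, scope), ...]) from socket up to "/"."""
    findings = [(path, connect_scope(stat_fn(path).st_mode))]
    parent = os.path.dirname(path)
    while True:
        findings.append((parent, traverse_scope(stat_fn(parent).st_mode)))
        if parent == os.path.dirname(parent):  # reached the root directory
            break
        parent = os.path.dirname(parent)
    # The narrowest class anywhere on the path bounds who can reach the socket.
    return min((s for _, s in findings), key=RANK.get), findings


if __name__ == "__main__":
    try:
        effective, findings = audit(GUIX_SOCKET)
    except (OSError, ValueError) as err:
        raise SystemExit(f"cannot audit {GUIX_SOCKET}: {err}")
    for p, s in findings:
        print(f"{s:6} {p}")
    print("effective connect scope:", effective)
```

A socket left at 0666 inside a directory that is not world-searchable is reported as "group" or "owner", so the output shows which level of the path is actually doing the restricting.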

This bug report was last modified 3 years and 194 days ago.
