GNU bug report logs - #55361
[Installer] Extra unprivileged “root” account added

Previous Next

Package: guix;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 11 May 2022 09:37:01 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: bokr <at> bokr.com
To: 55361 <at> debbugs.gnu.org, ludo <at> gnu.org
Subject: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 14:54:34 +0200

Hello,

On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo <at> gnu.org> skribis:
> 
> > The installer built from:
> >
> > Generation 214      May 02 2022 21:44:14    (current)
> >   guix 6b588da
> >     repository URL: https://git.savannah.gnu.org/git/guix.git
> >     branch: master
> >     commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
> 
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
> 
> Ludo’.
> 
> 
>
--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe <othacehe <at> gnu.org>
Date:   Mon Apr 4 16:38:09 2022 +0200

    installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---


--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès <ludo <at> gnu.org>
Date:   Fri May 20 20:41:02 2022 +0200

    Revert "installer: user: Remove useless filtering."
    
    This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.
    
    Fixes <https://issues.guix.gnu.org/55361>.
--8<---------------cut here---------------end--------------->8---

Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---

Is this like coming home from 46day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed? Or meh?

Is. or should there be, a required signoff on an
exploitability assessment in the commit, when it
has that scent? (e.g. anything possibly opening
a door to root privilges).

Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.

Thoughts?

--
Regards,
Bengt Richter
This bug report was last modified 3 years ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.