GNU bug report logs -
#57910
[PATCH] Add link to 'pre-inst-env' from 'installing from git' docs
Previous Next
To reply to this bug, email your comments to 57910 AT debbugs.gnu.org.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sun, 18 Sep 2022 14:56:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Emma Turner <em.turner <at> tutanota.com>:
New bug report received and forwarded. Copy sent to
guix-patches <at> gnu.org.
(Sun, 18 Sep 2022 14:56:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
[0001-doc-link-pre-inst-env-from-building-from-git-docs.patch (text/x-patch, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sun, 18 Sep 2022 17:27:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 57910 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
merge 57909 57910
thanks
The given example "make authenticate" is insecure, it has a TOCTTOU
problem as indicated at <https://issues.guix.gnu.org/22883#59>:
> Moreover, I don't think running 'make authenticate' after 'git pull'
> would really work -- after you pulled, git-authenticate could've been
> modified, so the verify-commit you did earlier doesn't apply anymore.
The solution that was proposed
> We can solve it by removing ./pre-inst-env from the command in ‘make
> authenticate’.
would be undone by the proposed patch. Even then, it remains insecure,
as an attacker could have modified the "make authenticate", as explained
in more detail at <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.
As such, I think we really shouldn't recommend "make authenticate" (and
even remove "make authenticate". In fact, I think we should remove
"make authenticate" and replace the instructions with a direct "guix git
authenticate ...".
As such, I propose that:
* you adjust the patch to note that authenticating the checkout is
impossible if you don't already have Guix installed (instead of
recommending the insecure "make authenticate")
* I write a patch removing "make authenticate" and adjusting old uses
of "make authenticate" to "guix git authenticate ...".
Greetings,
Maxime.
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Merged 57909 57910.
Request was from
Maxime Devos <maximedevos <at> telenet.be>
to
control <at> debbugs.gnu.org.
(Sun, 18 Sep 2022 17:27:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sun, 18 Sep 2022 18:54:03 GMT)
Full text and
rfc822 format available.
Message #13 received at 57910 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 18-09-2022 19:26, Maxime Devos wrote:
> [...]
>
> As such, I propose that:
>
> * you adjust the patch to note that authenticating the checkout is
> impossible if you don't already have Guix installed (instead of
> recommending the insecure "make authenticate")
>
> * I write a patch removing "make authenticate" and adjusting old uses
> of "make authenticate" to "guix git authenticate ...".
I have attached a patch for the latter.
Greetings,
Maxime.
[0001-WIP-Only-use-make-authenticate-for-etc-git-pre-push.patch (text/x-patch, attachment)]
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Mon, 19 Sep 2022 06:43:04 GMT)
Full text and
rfc822 format available.
Message #16 received at 57910 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi Maxime,
Thanks for your replies. I hadn't thought about the issue with make authenticate, but makes complete sense! Thanks for explaining.
I've attached an updated patch, which I think does what you asked for (replacing make authenticate with guix git authenticate.
Many thanks,
Emma
Sep 18, 2022, 19:53 by maximedevos <at> telenet.be:
>
>
> On 18-09-2022 19:26, Maxime Devos wrote:
>
>> [...]
>>
>> As such, I propose that:
>>
>> * you adjust the patch to note that authenticating the checkout is
>> impossible if you don't already have Guix installed (instead of
>> recommending the insecure "make authenticate")
>>
>> * I write a patch removing "make authenticate" and adjusting old uses
>> of "make authenticate" to "guix git authenticate ...".
>>
>
>
> I have attached a patch for the latter.
>
> Greetings,
> Maxime.
>
[0001-doc-contrib-recommend-guix-git-authenticate.patch (text/x-patch, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Mon, 19 Sep 2022 09:38:02 GMT)
Full text and
rfc822 format available.
Message #19 received at 57910 <at> debbugs.gnu.org (full text, mbox):
Hi,
Sorry, I'd tried to close 57909 as soon as I realised I'd made duplicate issues, but then it's only just come through, and closed both issues since they were merged.
I'll hopefully remember going forward to give debbugs lots of time!
Emma
Did not alter fixed versions and reopened.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Mon, 19 Sep 2022 13:02:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Mon, 19 Sep 2022 13:28:03 GMT)
Full text and
rfc822 format available.
Message #24 received at 57910 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 19-09-2022 08:12, Emma Turner wrote:
> Hi Maxime,
>
> Thanks for your replies. I hadn't thought about the issue with make authenticate, but makes complete sense! Thanks for explaining.
>
> I've attached an updated patch, which I think does what you asked for (replacing make authenticate with guix git authenticate.
Aside from the copyright line in doc/guix.texi, looks good to me, though
given the security concerns and the impact on a _large_ number of users,
it would be best if someone else verified things as well.
Greetings,
Maxime.
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sat, 24 Sep 2022 15:59:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 57910 <at> debbugs.gnu.org (full text, mbox):
Hi,
Maxime Devos <maximedevos <at> telenet.be> skribis:
> As such, I think we really shouldn't recommend "make authenticate"
> (and even remove "make authenticate". In fact, I think we should
> remove "make authenticate" and replace the instructions with a direct
> "guix git authenticate ...".
“make authenticate” runs ‘guix git authenticate’ with the right
parameters; importantly, it runs the already-installed ‘guix’, not the
one in the build tree, so it’s safe (prepending “./pre-inst-env”
wouldn’t be safe as you wrote).
So I’m not sure we really need changes; WDYT?
Ludo’.
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sat, 24 Sep 2022 16:24:03 GMT)
Full text and
rfc822 format available.
Message #30 received at 57910 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 24-09-2022 17:58, Ludovic Courtès wrote:
> Hi,
>
> Maxime Devos<maximedevos <at> telenet.be> skribis:
>
>> As such, I think we really shouldn't recommend "make authenticate"
>> (and even remove "make authenticate". In fact, I think we should
>> remove "make authenticate" and replace the instructions with a direct
>> "guix git authenticate ...".
> “make authenticate” runs ‘guix git authenticate’ with the right
> parameters; importantly, it runs the already-installed ‘guix’, not the
> one in the build tree, so it’s safe (prepending “./pre-inst-env”
> wouldn’t be safe as you wrote).
>
> So I’m not sure we really need changes; WDYT?
While ordinarily, it is true that "make authenticate" runs "guix git
authenticate" (and not ./pre-inst-env guix git authenticate), an
attacker could have modified Makefile.am to _not_ call "guix git
authenticate", as I've explained in the paragraph above the one you quoted:
> The solution that was proposed [...]. __Even then, it remains
> insecure, as an attacker could have modified the "make authenticate",
> as explained in more detail at
> <https://logs.guix.gnu.org/guix/2022-09-14.log#172610>.
More concretely, I've worked out a method the hypothetical attacker
could use the fact that "Makefile.am" is used before it is authenticated
in the message pointed to by the link I quoted:
https://logs.guix.gnu.org/guix/2022-09-14.log#172610 :
<maximed>civodul: Currently, it's like verifying the authenticity of a
gnupg tarball, by extracting the gnupg tarball, compiling it, and
running the freshly compiled gnupg tarball.
<antipode>Translated to Guix:
<antipode>(1) You run "git pull" (2) an attacker has intercepted the
network connection and modified Makefile.am's authenticate target to
always 'succeed'. Additionally, the attacker inserts some malicious code
somewhere (e.g. some code in Makefile.am to upload your GnuPG keys to
evil.com). To add some stealth, the modified Makefile.am automatically
reverts the malicious commit. (3) You run "make authenticate" as
recommended by the manual, and now the attacker has your private keys.
Do you see a flaw in this explanation?
Greetings,
Maxime.
[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded
to
guix-patches <at> gnu.org:
bug#57910; Package
guix-patches.
(Sun, 25 Sep 2022 20:07:02 GMT)
Full text and
rfc822 format available.
Message #33 received at 57910 <at> debbugs.gnu.org (full text, mbox):
Hi,
Maxime Devos <maximedevos <at> telenet.be> skribis:
> While ordinarily, it is true that "make authenticate" runs "guix git
> authenticate" (and not ./pre-inst-env guix git authenticate), an
> attacker could have modified Makefile.am to _not_ call "guix git
> authenticate", as I've explained in the paragraph above the one you
> quoted:
Oh you’re right; sorry for overlooking this.
So yes, that calls for recommending the full ‘guix git authenticate’
command for the initial checkout.
Thanks,
Ludo’.
This bug report was last modified 2 years and 267 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.