GNU bug report logs - #73924
[PATCH] restrict access to daemon-socket in tests

Previous Next

Package: guix-patches;

Reported by: Reepca Russelstein <reepca <at> russelstein.xyz>

Date: Mon, 21 Oct 2024 04:41:03 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 73924 in the body.
You can then email your comments to 73924 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to guix-patches <at> gnu.org:
bug#73924; Package guix-patches. (Mon, 21 Oct 2024 04:41:03 GMT) Full text and rfc822 format available.
Acknowledgement sent to Reepca Russelstein <reepca <at> russelstein.xyz>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 21 Oct 2024 04:41:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH] restrict access to daemon-socket in tests
Date: Sun, 20 Oct 2024 18:13:55 -0500

[Message part 1 (text/plain, inline)]
In guix-daemons run with --disable-chroot, only trusted users should be
allowed access to the daemon socket, because anyone with access to the
daemon socket in this situation can take control over the build user (or
if there are no build users, the daemon user) by making a builder put a
setuid binary in /tmp.

As I would like to strongly encourage the regular running of 'make
check', it would therefore be good to limit access to the
test-environment daemon's socket.  The attached patch does this by
modifying test-env so that it ensures strict permissions on
$GUIX_STATE_DIRECTORY/daemon-socket.

- reepca


[0001-build-aux-test-env.in-restrict-access-to-daemon-sock.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Thu, 24 Oct 2024 12:38:01 GMT) Full text and rfc822 format available.
Notification sent to Reepca Russelstein <reepca <at> russelstein.xyz>:
bug acknowledged by developer. (Thu, 24 Oct 2024 12:38:02 GMT) Full text and rfc822 format available.

Message #10 received at 73924-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: 73924-done <at> debbugs.gnu.org
Subject: Re: [bug#73924] [PATCH] restrict access to daemon-socket in tests
Date: Thu, 24 Oct 2024 14:36:27 +0200

Hi,

Reepca Russelstein <reepca <at> russelstein.xyz> skribis:

> From 2e74d48f103e8561f8099b474faa413483aa6613 Mon Sep 17 00:00:00 2001
> Message-ID: <2e74d48f103e8561f8099b474faa413483aa6613.1729465925.git.reepca <at> russelstein.xyz>
> From: Reepca Russelstein <reepca <at> russelstein.xyz>
> Date: Sat, 19 Oct 2024 20:48:29 -0500
> Subject: [PATCH] build-aux: test-env.in: restrict access to daemon-socket in
>  tests.
>
> With the weak isolation available to the test daemon, it is essential to
> disallow untrusted access to it, as otherwise another local user can gain our
> user's credentials easily.
>
> * build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
>   with 0700 permissions.
>
> Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670

Applied, thanks!

Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 22 Nov 2024 12:24:08 GMT) Full text and rfc822 format available.
This bug report was last modified 268 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.