From: Reepca Russelstein
To: guix-patches@gnu.org
Subject: [PATCH] restrict access to daemon-socket in tests
Date: Sun, 20 Oct 2024 18:13:55 -0500
Message-ID: <87h696jrkc.fsf@russelstein.xyz>

In guix-daemons run with --disable-chroot, only trusted users should be
allowed access to the daemon socket, because anyone with access to the
daemon socket in this situation can take control over the build user (or
if there are no build users, the daemon user) by making a builder put a
setuid binary in /tmp.

As I would like to strongly encourage the regular running of 'make
check', it would therefore be good to limit access to the
test-environment daemon's socket.

The attached patch does this by modifying test-env so that it ensures
strict permissions on $GUIX_STATE_DIRECTORY/daemon-socket.

- reepca

Content-Disposition: attachment; filename=0001-build-aux-test-env.in-restrict-access-to-daemon-sock.patch
Content-Transfer-Encoding: quoted-printable

From 2e74d48f103e8561f8099b474faa413483aa6613 Mon Sep 17 00:00:00 2001
Message-ID: <2e74d48f103e8561f8099b474faa413483aa6613.1729465925.git.reepca@russelstein.xyz>
From: Reepca Russelstein
Date: Sat, 19 Oct 2024 20:48:29 -0500
Subject: [PATCH] build-aux: test-env.in: restrict access to daemon-socket in tests.

With the weak isolation available to the test daemon, it is essential to
disallow untrusted access to it, as otherwise another local user can gain our
user's credentials easily.

* build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
with 0700 permissions.

Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670
=2D-- build-aux/test-env.in | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build-aux/test-env.in b/build-aux/test-env.in index ca786437e9..9caa29da58 100644 =2D-- a/build-aux/test-env.in +++ b/build-aux/test-env.in
@@ -97,7 +97,12 @@ then GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES \ GUIX_CONFIGURATION_DIRECTORY XDG_CACHE_HOME =20 + # Create a fresh directory with restrictive permissions so that our te= st + # daemon's weak isolation can't be exploited by other users + rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" + mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ =2D-=20 2.45.2
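
Review bot: the exit status of 'mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket"' in the added lines is not checked, and the lines shown here do not establish that the script stops when it fails. Without -p, mkdir fails if the path reappears between the 'rm -rf' and the 'mkdir', or if $GUIX_STATE_DIRECTORY does not exist yet; in either case the daemon launch that follows would still run, possibly on a directory with looser permissions. Suggest making the failure fatal, for example by appending '|| exit 1' to the mkdir line. Minor: the new comment lacks a final period, unlike the comment that follows it.
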
From: Ludovic Courtès
To: Reepca Russelstein
Cc: 73924-done@debbugs.gnu.org
Subject: Re: [bug#73924] [PATCH] restrict access to daemon-socket in tests
In-Reply-To: <87h696jrkc.fsf@russelstein.xyz> (Reepca Russelstein's message of "Sun, 20 Oct 2024 18:13:55 -0500")
Date: Thu, 24 Oct 2024 14:36:27 +0200
Message-ID: <877c9x65kk.fsf@gnu.org>

Hi,

Reepca Russelstein wrote:

> From 2e74d48f103e8561f8099b474faa413483aa6613 Mon Sep 17 00:00:00 2001
> Message-ID: <2e74d48f103e8561f8099b474faa413483aa6613.1729465925.git.reepca@russelstein.xyz>
> From: Reepca Russelstein
> Date: Sat, 19 Oct 2024 20:48:29 -0500
> Subject: [PATCH] build-aux: test-env.in: restrict access to daemon-socket in
> tests.
>
> With the weak isolation available to the test daemon, it is essential to
> disallow untrusted access to it, as otherwise another local user can gain our
> user's credentials easily.
>
> * build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
> with 0700 permissions.
>
> Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670

Applied, thanks!

Ludo’.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Fri, 22 Nov 2024 12:24:08 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
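
An added example, not part of the thread or of Guix's test-env: a shell script that checks whether a socket directory is private to the current user, and shows why the first message's patch creates the directory fresh instead of reusing one that already exists. The function names and the temporary directory standing in for $GUIX_STATE_DIRECTORY are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the Guix tree.

# socket_dir_is_private DIR
# Succeeds only if DIR is a real directory (not a symlink), owned by the
# current user, and grants no access to group or others.
socket_dir_is_private() {
    dir=$1
    [ ! -L "$dir" ] && [ -d "$dir" ] || { echo "not a plain directory: $dir" >&2; return 1; }
    [ -O "$dir" ] || { echo "not owned by current user: $dir" >&2; return 1; }
    perms=$(ls -ld "$dir" | cut -c1-10)          # e.g. drwx------
    case $perms in
        # S/T mean setgid/sticky without the execute bit: no access granted.
        d???--[-S]--[-T]) return 0 ;;
        *) echo "group/other access allowed ($perms): $dir" >&2; return 1 ;;
    esac
}

# fresh_private_dir DIR
# Same sequence as the patch: remove whatever is there, then create DIR with
# mode 0700 in one step. Returns non-zero if either step fails.
fresh_private_dir() {
    rm -rf "$1" && mkdir -m 0700 "$1"
}

# reuse_dir DIR
# The alternative the patch avoids: 'mkdir -p' ignores an existing
# directory, so an old, looser mode stays in place.
reuse_dir() {
    mkdir -p -m 0700 "$1"
}

demo() {
    state=$(mktemp -d) || return 1               # constructed stand-in for $GUIX_STATE_DIRECTORY
    # Constructed leftover from an earlier run, world-readable:
    mkdir "$state/daemon-socket" && chmod 0755 "$state/daemon-socket"
    reuse_dir "$state/daemon-socket"
    if socket_dir_is_private "$state/daemon-socket" 2>/dev/null; then r1=private; else r1=exposed; fi
    fresh_private_dir "$state/daemon-socket"
    if socket_dir_is_private "$state/daemon-socket"; then r2=private; else r2=exposed; fi
    rm -rf "$state"
    echo "reused: $r1, fresh: $r2"
}
demo
```
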