GNU bug report logs - #73924
[PATCH] restrict access to daemon-socket in tests

Previous Next

Package: guix-patches;

Reported by: Reepca Russelstein <reepca <at> russelstein.xyz>

Date: Mon, 21 Oct 2024 04:41:03 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH] restrict access to daemon-socket in tests
Date: Sun, 20 Oct 2024 18:13:55 -0500

[Message part 1 (text/plain, inline)]

In guix-daemons run with --disable-chroot, only trusted users should be
allowed access to the daemon socket, because anyone with access to the
daemon socket in this situation can take control over the build user (or
if there are no build users, the daemon user) by making a builder put a
setuid binary in /tmp.

As I would like to strongly encourage the regular running of 'make
check', it would therefore be good to limit access to the
test-environment daemon's socket.  The attached patch does this by
modifying test-env so that it ensures strict permissions on
$GUIX_STATE_DIRECTORY/daemon-socket.

- reepca

[0001-build-aux-test-env.in-restrict-access-to-daemon-sock.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

This bug report was last modified 270 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.

GNU bug report logs - #73924 [PATCH] restrict access to daemon-socket in tests

GNU bug report logs - #73924
[PATCH] restrict access to daemon-socket in tests