GNU bug report logs - #73924
[PATCH] restrict access to daemon-socket in tests

Package: guix-patches;

Reported by: Reepca Russelstein <reepca <at> russelstein.xyz>

Date: Mon, 21 Oct 2024 04:41:03 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Subject: bug#73924: closed (Re: [bug#73924] [PATCH] restrict access to
 daemon-socket in tests)
Date: Thu, 24 Oct 2024 12:38:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#73924: [PATCH] restrict access to daemon-socket in tests

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 73924 <at> debbugs.gnu.org.

-- 
73924: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=73924
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: 73924-done <at> debbugs.gnu.org
Subject: Re: [bug#73924] [PATCH] restrict access to daemon-socket in tests
Date: Thu, 24 Oct 2024 14:36:27 +0200
Hi,

Reepca Russelstein <reepca <at> russelstein.xyz> writes:

> From 2e74d48f103e8561f8099b474faa413483aa6613 Mon Sep 17 00:00:00 2001
> Message-ID: <2e74d48f103e8561f8099b474faa413483aa6613.1729465925.git.reepca <at> russelstein.xyz>
> From: Reepca Russelstein <reepca <at> russelstein.xyz>
> Date: Sat, 19 Oct 2024 20:48:29 -0500
> Subject: [PATCH] build-aux: test-env.in: restrict access to daemon-socket in
>  tests.
>
> With the weak isolation available to the test daemon, it is essential to
> disallow untrusted access to it, as otherwise another local user can gain our
> user's credentials easily.
>
> * build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
>   with 0700 permissions.
>
> Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670

Applied, thanks!

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH] restrict access to daemon-socket in tests
Date: Sun, 20 Oct 2024 18:13:55 -0500
[Message part 4 (text/plain, inline)]
In guix-daemons run with --disable-chroot, only trusted users should be
allowed access to the daemon socket, because anyone with access to the
daemon socket in this situation can take control over the build user (or
if there are no build users, the daemon user) by making a builder put a
setuid binary in /tmp.

As I would like to strongly encourage the regular running of 'make
check', it would therefore be good to limit access to the
test-environment daemon's socket.  The attached patch does this by
modifying test-env so that it ensures strict permissions on
$GUIX_STATE_DIRECTORY/daemon-socket.

- reepca

[0001-build-aux-test-env.in-restrict-access-to-daemon-sock.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
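
An added example, not the attached patch and not Guix code: shell functions showing one way a test harness can make sure a socket directory is freshly created with 0700 permissions, as the report and commit message describe, and verify the result before a daemon is started. The helper names and the temporary directory standing in for $GUIX_STATE_DIRECTORY are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not taken from test-env.in.

# Succeeds only if $1 is a real directory (not a symlink), owned by the
# current user, with mode exactly rwx------.
socket_dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    spd_owner=$(ls -ldn -- "$1" | awk '{ print $3 }')
    spd_mode=$(ls -ld -- "$1" | cut -c1-10)
    [ "$spd_owner" = "$(id -u)" ] && [ "$spd_mode" = "drwx------" ]
}

# Replace whatever is at $1 with a new, empty 0700 directory.
# The parent directory is assumed to be writable only by the current user.
fresh_private_dir() {
    # Discard anything left from an earlier run: its mode, its owner and
    # any old socket inside it are not trusted.
    rm -rf -- "$1" || return 1
    # No -p: mkdir fails if the path already exists again, so a directory
    # made by someone else in the meantime is never adopted. umask 077
    # plus -m 0700 means the directory is never group- or world-accessible,
    # not even briefly.
    ( umask 077 && mkdir -m 0700 -- "$1" ) || return 1
    # Verify instead of assuming, and fail before any daemon listens here.
    socket_dir_is_private "$1"
}

# Demo on a constructed state directory with a stale, world-writable
# daemon-socket directory left behind.
demo_state=$(mktemp -d)
mkdir -m 0777 "$demo_state/daemon-socket"
if fresh_private_dir "$demo_state/daemon-socket"; then
    echo "daemon-socket is private: $(ls -ld "$demo_state/daemon-socket" | cut -c1-10)"
else
    echo "could not secure daemon-socket, not starting daemon" >&2
fi
rm -rf "$demo_state"
```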

This bug report was last modified 287 days ago.
