GNU bug report logs - #73925
[PATCH] add access control to daemon socket in shepherd service

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 73925 in the body.
You can then email your comments to 73925 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: guix-patches <at> gnu.org
Subject: [PATCH] add access control to daemon socket in shepherd service
Date: Sun, 20 Oct 2024 18:31:31 -0500

[Message part 1 (text/plain, inline)]

Passing "--disable-chroot" to guix-daemon makes it possible for the
build users to be taken over by anybody who can start a build: they need
only cause a builder to put a setuid binary in /tmp.  That being said,
there are some situations where it currently can't be avoided, like on
Hurd.  It would also probably be good to have the ability to harden a
guix daemon in general by restricting access to it.  For example,
there's no reason that the ntpd user needs access to the guix daemon
(note that this is distinct from access to the *store*, which is of
course always world-readable).

The attached patch implements that restriction for users of
guix-service-type by limiting access to /var/guix/daemon-socket in
accordance with the user-supplied permissions, user, and group.

Example usage:

------------------------------------
;; Limit access to the guix-daemon socket to members of the "users"
;; group
(modify-services %desktop-services
  (guix-service-type config =>
                     (guix-configuration
                      (inherit config)
                      (socket-directory-perms #o750)
                      (socket-directory-group "users"))))
------------------------------------

- reepca

[0001-services-guix-configuration-add-access-control-to-da.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 73925 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: 73925 <at> debbugs.gnu.org
Subject: Re: [bug#73925] [PATCH] add access control to daemon socket in
 shepherd service
Date: Thu, 24 Oct 2024 14:43:48 +0200

Hi,

Reepca Russelstein <reepca <at> russelstein.xyz> skribis:

> From b5163889efb544cfe83cd2bcb3ebd3a957c95a18 Mon Sep 17 00:00:00 2001
> Message-ID: <b5163889efb544cfe83cd2bcb3ebd3a957c95a18.1729465936.git.reepca <at> russelstein.xyz>
> From: Reepca Russelstein <reepca <at> russelstein.xyz>
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
>  socket.
>
> * gnu/services/base.scm
>   (guix-configuration-socket-directory-{perms,group,user}): new fields.
>   (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: Ic228377b25a83692b0c637dafbd03c4609e332fc

That’s a welcome addition.

> +@item @code{socket-directory-perms} (default: @code{#o755})

s/perms/permissions/

> +Permissions to set for the directory @file{/var/guix/daemon-socket}.
> +This, together with @code{socket-directory-group} and
> +@code{socket-directory-user}, determines who can connect to the guix
> +daemon via its unix socket.  TCP socket operation is unaffected by
> +these.

s/guix daemon/build daemon/ and s/unix/Unix/

> +@item @code{socket-directory-group} (default: @code{#f})
> +Group to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its group as root.
> +
> +@item @code{socket-directory-user} (default: @code{#f})
> +User to set for the directory @file{/var/guix/daemon-socket}, or
> +@code{#f} to keep its user as root.

Maybe group them together:

  @item @code{socket-directory-user} (default: @code{#f})
  @itemx @code{socket-directory-group} (default: @code{#f})
  User and group owning the @file{/var/guix/daemon-socket} directory.
  …

> -    (guix build-group build-accounts authorize-key? authorized-keys
> -          use-substitutes? substitute-urls max-silent-time timeout
> -          log-compression discover? extra-options log-file
> -          http-proxy tmpdir chroot-directories environment)
> +                (guix build-group build-accounts authorize-key? authorized-keys

Please avoid reindenting.

> +                  ;; Ensure that a fresh directory is used, in case the old
> +                  ;; one was more permissive and processes have a file
> +                  ;; descriptor referencing it hanging around, ready to use
> +                  ;; with openat.
> +                  (false-if-exception
> +                   (delete-file-recursively "/var/guix/daemon-socket"))
> +                  (let ((perms #$(logand socket-directory-perms
> +                                         (lognot #o022))))
> +                    (mkdir "/var/guix/daemon-socket" perms)
> +                    ;; Override umask
> +                    (chmod "/var/guix/daemon-socket" perms))

Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in
two steps?

Apart from that it LGTM.

Could you send an updated patch?

Thanks,
Ludo’.

Message #11 received at 73925 <at> debbugs.gnu.org (full text, mbox):

From: Reepca Russelstein <reepca <at> russelstein.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 73925 <at> debbugs.gnu.org
Subject: Re: [bug#73925] [PATCH] add access control to daemon socket in
 shepherd service
Date: Fri, 25 Oct 2024 19:10:32 -0500

[Message part 1 (text/plain, inline)]

Ludovic Courtès <ludo <at> gnu.org> writes:

>> +                  ;; Ensure that a fresh directory is used, in case the old
>> +                  ;; one was more permissive and processes have a file
>> +                  ;; descriptor referencing it hanging around, ready to use
>> +                  ;; with openat.
>> +                  (false-if-exception
>> +                   (delete-file-recursively "/var/guix/daemon-socket"))
>> +                  (let ((perms #$(logand socket-directory-perms
>> +                                         (lognot #o022))))
>> +                    (mkdir "/var/guix/daemon-socket" perms)
>> +                    ;; Override umask
>> +                    (chmod "/var/guix/daemon-socket" perms))
>
> Speaking of ‘openat’, maybe use ‘mkdir-p/perms’ instead of doing it in
> two steps?

PERMS is passed directly to mkdir; the umask may cause the permissions
the directory is created with to be less permissive than those, but
never more.  The only reason I call chmod here is because the umask may
happen to be more strict than PERMS.  mkdir-p/perms creates the
directory with the permissions initially restricted only by the umask,
then later chmods it in a separate step, leaving a window during which
the directory is likely world-executable and world-readable.  So while
mkdir-p/perms would be an improvement on the "make sure no components
are symlinks" front, it would be a downgrade in restricting access to
the directory.

This behavior can be remedied by ensuring that the final call to
'mkdirat' passes in the specified permission bits.  I've submitted a
patch to do this in issue #74002.

There's also a minor annoyance in that the 'owner' argument that
mkdir-p/perms wants MUST be a passwd object.  This means that the uid
and gid to use can't be specified independently, nor can they be
specified as -1 or 0, you *have* to do (getpwnam "root") or something
similar.

For now I'm going to keep this part as-is, since currently using
mkdir-p/perms would neither make it more secure nor more concise.

The attached patch incorporates all the other changes you've mentioned.

- reepca

[0001-services-guix-configuration-add-access-control-to-da.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #16 received at 73925-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: 73925-done <at> debbugs.gnu.org
Subject: Re: [bug#73925] [PATCH] add access control to daemon socket in
 shepherd service
Date: Sun, 03 Nov 2024 23:05:46 +0100

Reepca Russelstein <reepca <at> russelstein.xyz> skribis:

> From b8ea0288a35c27912580bd7fe861dd6e497f4c33 Mon Sep 17 00:00:00 2001
> Message-ID: <b8ea0288a35c27912580bd7fe861dd6e497f4c33.1729840060.git.reepca <at> russelstein.xyz>
> From: Reepca Russelstein <reepca <at> russelstein.xyz>
> Date: Sat, 19 Oct 2024 22:43:27 -0500
> Subject: [PATCH] services: guix-configuration: add access control to daemon
>  socket.
>
> * gnu/services/base.scm
>   (guix-configuration-socket-directory-{permissions,group,user}): new fields.
>   (guix-shepherd-service): use them.
> * doc/guix.texi: document them.
>
> Change-Id: I8f4c2e20392ced47c09812e62903c87cc0f4a97a

Applied, thanks!

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.