[Installer] Extra unprivileged “root” account added

Ludovic Courtès wrote on 11 May 11:36 +0200

Recipients:(address . bug-guix@gnu.org)

Message-ID:87ee10o1g1.fsf@inria.fr

The installer built from:

Toggle snippet (7 lines)

Generation 214 May 02 2022 21:44:14 (current)

guix 6b588da

repository URL: https://git.savannah.gnu.org/git/guix.git

branch: master

commit: 6b588da368c77cde82ea2f22ca315116228777ad

… adds an unprivileged “root” account to the ‘users’ section of the OS

config.

Ludo’.

Ludovic Courtès wrote on 11 May 15:42 +0200

control message for bug #55361

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87czgknq26.fsf@gnu.org

severity 55361 important

quit

Ludovic Courtès wrote on 11 May 15:42 +0200

control message for bug #53214

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87bkw4nq1v.fsf@gnu.org

block 53214 by 55361

quit

Ludovic Courtès wrote 6 days ago

Re: bug#55361: [Installer] Extra unprivileged “roo t” account added

Recipients:(address . 55361-done@debbugs.gnu.org)(name . Mathieu Othacehe)(address . othacehe@gnu.org)

Message-ID:87h75jvodh.fsf@gnu.org

Ludovic Courtès <ludo@gnu.org> skribis:

Toggle quote (11 lines)> The installer built from:
>
> Generation 214	May 02 2022 21:44:14	(current)
>   guix 6b588da
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: 6b588da368c77cde82ea2f22ca315116228777ad
>
> … adds an unprivileged “root” account to the ‘users’ section of the OS
> config.

Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts

c2125e59d0774cda3e559adeb056459a5f23586b.

Ludo’.

Closed

bokr wrote 5 days ago

Re: bug#55361: [Installer] Extra unprivileged “root” account added

Recipients:

Message-ID:20220521125434.GA2334@LionPure

Hello,

On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:

Toggle quote (20 lines)> Ludovic Courtès <ludo@gnu.org> skribis:
> 
> > The installer built from:
> >
> > Generation 214      May 02 2022 21:44:14    (current)
> >   guix 6b588da
> >     repository URL: https://git.savannah.gnu.org/git/guix.git
> >     branch: master
> >     commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
> 
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
> 
> Ludo’.
> 
> 
>

Toggle snippet (8 lines)

commit c2125e59d0774cda3e559adeb056459a5f23586b

Author: Mathieu Othacehe <othacehe@gnu.org>

Date: Mon Apr 4 16:38:09 2022 +0200

installer: user: Remove useless filtering.

Toggle snippet (11 lines)

commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e

Author: Ludovic Courtès <ludo@gnu.org>

Date: Fri May 20 20:41:02 2022 +0200

Revert "installer: user: Remove useless filtering."

This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.

Fixes <https://issues.guix.gnu.org/55361>.

Assuming my date-diff hack worked:

Toggle snippet (4 lines)

~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'

46days 4hrs 2min 53sec

Is this like coming home from 46day vacation and noticing

that, oops, someone left the kitchen door open,

and hoping no ++ungoodniks noticed? Or meh?

Is. or should there be, a required signoff on an

exploitability assessment in the commit, when it

has that scent? (e.g. anything possibly opening

a door to root privilges).

Personally, I am happy to see "fixed," but I would be happier

seeing a signed exploitability assessment, esp if by someone

concentrating on that aspect of things.

Thoughts?

Regards,

Bengt Richter

Tobias Geerinckx-Rice wrote 5 days ago

Re: bug#55361: [Installer] Extra unprivilege d “root” account added

Recipients:(address . bokr@bokr.com)

Message-ID:7245779f538e8f9ac6a19f5cc3efbe03@tobias.gr

Hi bokr,

What makes this commit special? If there's a security aspect here, what

is it?

Toggle quote (4 lines)

> Personally, I am happy to see "fixed," but I would be happier

> seeing a signed exploitability assessment, esp if by someone

> concentrating on that aspect of things.

I don't think anyone is going to volunteer for that honour, unless you

are :-)

Kind regards,

T G-R

Sent from a Web browser. Excuse or enjoy my brevity.

Ludovic Courtès wrote 5 days ago

Re: bug#55361: [Installer] Extra unprivileged “roo t” account added

Recipients:(address . bokr@bokr.com)(address . 55361@debbugs.gnu.org)

Message-ID:875ylyu8vq.fsf@gnu.org

Hi,

bokr@bokr.com skribis:

Toggle quote (9 lines)

> Assuming my date-diff hack worked:

> ~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'

> 46days 4hrs 2min 53sec

> Is this like coming home from 46day vacation and noticing

> that, oops, someone left the kitchen door open,

> and hoping no ++ungoodniks noticed? Or meh?

Heh. It was a minor annoyance: the generated OS config would have an

unnecessary “root” user account (unnecessary because it’s included by

default), which ‘guix system init’ would warn about and ignore, and the

end result is unchanged.

IWBN to augment the installation tests with a check for that, but that’s

tricky. But like Tobias wrote, contributions are welcome. :-)

Thanks,

Ludo’.

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date