From: Ludovic Courtès
To: Maxime Devos
Cc: 47584@debbugs.gnu.org
Subject: Re: bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation.
Date: Sat, 03 Apr 2021 22:45:51 +0200
References: <1a6ed722dfdd96dc8d53f939aa8e440ca7c29213.camel@telenet.be> <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be>
In-Reply-To: <9c0c5f5906e45e83ecae84ae8858ddaf4ea78569.camel@telenet.be> (Maxime Devos's message of "Sat, 03 Apr 2021 18:26:53 +0200")
Message-ID: <87czvbw0zk.fsf@gnu.org>

Maxime Devos skribis:

> From 7937b9f18085569e5d7cb8a3c4dc08e1088a94a9 Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sat, 3 Apr 2021 18:02:05 +0200
> Subject: [PATCH] website: Add post about vulnerability in ‘copy-account-skeletons’.
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> * website/posts/home-symlink.md: New post.

It’s unfortunate that this is going out during a week-end, and a
three-day week-end on top of that in some regions of the world, with
many people not seeing the message and not being able to act upon it
for three days.

> +title: Risk of local privilege escalation in account creation
> +date: 2021-04-03 17:30
> +author: Maxime Devos
> +tags: Security Advisory
> +---
> +
> +A security vulnerability that can lead to local privilege escalation
> +has been found in the activation code of user accounts (excluding
> +system accounts). It does not affect users on foreign distros
> +and is only exploitable during system reconfiguration.

How about this, taken from the news.scm entry I tweaked:

  A security vulnerability that can lead to local privilege escalation
  has been found in the code that creates user accounts on Guix
  System—Guix on other distros is unaffected. The system is only
  vulnerable during the activation of non-system user accounts that do
  not already exist.

(This is more upfront about who’s affected and avoids the technical
term “activation code” which makes no sense outside the circle of Guix
System and NixOS hackers.)

> +This exploit is _not_ impossible on machines where the Linux [protected
> +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature
> +is enabled. It is believed the attack can also be performed using hard
> +links.

Please mention that protected symlinks are enabled by default on Guix
System since a March 16th commit, with a link to .

> +# Conclusions
> +
> +The activation code in Guix System originally was written with the
> +assumption that no other code was running at the same time in mind.
> +However, this is not a reasonable assumption in practice, as this
> +vulnerability demonstrates. Thus, it may be worthwhile to look
> +over other activation code for similar issues.

That’s an interesting conclusion for us developers, but not necessarily
for the users this is targeting. It also sounds unnecessarily scary
and casual.

> +While investigating how to fix the issue, it became apparent GNU Guile,
> +the implementation of the Algorithmic Language Scheme GNU Guix is
> +written in, is lacking in primitives that usually are used to avoid
> +these kind of issues, such `openat` and `O_NOFOLLOW`.
> +
> +While these primitives turned out not to be necessary to fix the
> +issue and a [patch series]()
> +to GNU Guile has been submitted that adds these primitives, this does
> +serve as a remainder that GNU Guile is a critical component of
> +Guix System and working around missing primitives will not always be possible.

All this is true but also probably too detailed (or not enough,
depending on the reader). How about just mentioning that work is
ongoing to support the `openat` family of POSIX functions in Guile,
which, when used, will help address this class of vulnerability?

Otherwise LGTM, thanks!

Ludo’.
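Review bot: in the quoted protected-symlinks paragraph, “It is believed the attack can also be performed using hard links” states a conjecture in a security advisory; either confirm it before publishing or say who believes it and on what basis, because readers will use that sentence to decide whether enabling protected symlinks is a sufficient mitigation on their machines. In the same paragraph, the double negative “is _not_ impossible” reads at first glance like a typo for “is not possible”; “remains possible even on machines where the Linux protected symlinks feature is enabled” states the intended point plainly.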
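Review bot: the `[patch series]()` link in the quoted Guile paragraph has an empty target, so the post would go live with a dead link; fill in the URL of the Guile patch series that was submitted before publishing. The same two paragraphs also need small wording fixes: “such `openat` and `O_NOFOLLOW`” should read “such as `openat` and `O_NOFOLLOW`”, “these kind of issues” should be “these kinds of issues”, and “serve as a remainder” should be “serve as a reminder”.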