Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-14 Thread Oliver Charles
Linus Heckemann writes:

> On 09/03/17 10:26, Oliver Charles wrote:
>> sudo: /run/current-system/sw/bin/sudo must be owned by uid 0 and have
>> the setuid bit set
>
> Are you just adding sudo to systemPackages rather than using the option
> security.sudo.enable?

Nope, I'm using security.sudo.enable = true;

- ocharles
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-09 Thread Linus Heckemann
On 09/03/17 10:26, Oliver Charles wrote:
> sudo: /run/current-system/sw/bin/sudo must be owned by uid 0 and have
> the setuid bit set

Are you just adding sudo to systemPackages rather than using the option
security.sudo.enable?



Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-08 Thread Domen Kožar
https://github.com/NixOS/nixpkgs/issues/19862#issuecomment-283732486

On Wed, Mar 8, 2017 at 10:16 AM, Thomas Hunger wrote:

> Hi Graham,
>
> I tried reproducing the nixos-rebuild switch issue for setuid wrappers
> without success: Can you point me to an issue, or give a hint for what you
> mean by "break setuid binaries"? I'd like to fix this but don't yet
> understand what's going on.
>
> ~
>
> On 5 March 2017 at 15:25, Graham Christensen wrote:
>
>> Hello,
>>
>> In my most recent roundup email, I included information about 17.03,
>> 16.09, and the security support timeline. It was somewhat buried in the
>> otherwise very standard message, so I'm sending just that information.
>>
>> NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
>> being developed:
>>
>>  - 16.09 (stable)
>>  - 17.03 (beta)
>>  - unstable
>>
>> 17.03 will become stable at the end of March.
>>
>> Due to the size of the NixOS community and the available resources we
>> have, we typically only support one stable version of NixOS at a time.
>>
>> In order to ease the transition, I have decided to continue providing
>> security patches to the 16.09 channel for one month after 17.03 is
>> released, ending on May 3rd, 2017.
>>
>> You can switch from 16.09 to 17.03-beta via:
>>
>> $ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
>> $ sudo nix-channel --update
>> $ sudo nixos-rebuild boot
>> $ reboot
>>
>> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
>> changed, and using switch will break setuid binaries (like sudo, ping,
>> etc.) until you reboot.
>>
>> Thank you very much,
>> Graham Christensen
>> NixOS Security Team
>> https://github.com/nixos/security


Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-08 Thread Thomas Hunger
Hi Graham,

I tried reproducing the nixos-rebuild switch issue for setuid wrappers
without success: Can you point me to an issue, or give a hint for what you
mean by "break setuid binaries"? I'd like to fix this but don't yet
understand what's going on.

~

On 5 March 2017 at 15:25, Graham Christensen wrote:

> Hello,
>
> In my most recent roundup email, I included information about 17.03,
> 16.09, and the security support timeline. It was somewhat buried in the
> otherwise very standard message, so I'm sending just that information.
>
> NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
> being developed:
>
>  - 16.09 (stable)
>  - 17.03 (beta)
>  - unstable
>
> 17.03 will become stable at the end of March.
>
> Due to the size of the NixOS community and the available resources we
> have, we typically only support one stable version of NixOS at a time.
>
> In order to ease the transition, I have decided to continue providing
> security patches to the 16.09 channel for one month after 17.03 is
> released, ending on May 3rd, 2017.
>
> You can switch from 16.09 to 17.03-beta via:
>
> $ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
> $ sudo nix-channel --update
> $ sudo nixos-rebuild boot
> $ reboot
>
> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.
>
> Thank you very much,
> Graham Christensen
> NixOS Security Team
> https://github.com/nixos/security


Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-06 Thread Nikolay Amiantov

Hi,

On 03/06/2017 04:03 PM, Eelco Dolstra wrote:

> Hm, that seems like a pretty critical bug that we should fix before release.
>
> Maybe we should simply revert the path of the setuid wrappers?

I'm interested in retaining those changes so if you are okay with that I
can look into making transition painless in several days.


--
Nikolay.



Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-06 Thread Eelco Dolstra
Hi,

On 03/05/2017 04:25 PM, Graham Christensen wrote:

> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.

Hm, that seems like a pretty critical bug that we should fix before release.

Maybe we should simply revert the path of the setuid wrappers?

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/


Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-05 Thread Nikolay Amiantov

Hi,

On 03/05/2017 06:25 PM, Graham Christensen wrote:

> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.

I think one can also restart his/her shell to update environment
variables -- this will do the job too. At least it helped me when I got
caught into this.


--
Nikolay.
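
The sudo error quoted in this thread names a condition (owned by uid 0, setuid bit set) that can be checked for every copy of a command on a given PATH, which shows whether a shell's lookup order lands on a copy that fails it. This is an added example, not code from the thread or from NixOS; the function names are hypothetical and it assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are hypothetical.
# Assumes GNU coreutils stat (-c %u).

# check_setuid FILE [UID]: print ok | wrong-owner | not-setuid | missing.
# Mirrors the condition in the sudo error: owned by uid 0, setuid bit set.
check_setuid() {
    file=$1
    want_uid=${2:-0}
    [ -e "$file" ] || { echo missing; return 1; }
    # -L follows symlinks, so a link into the store is judged by its target.
    owner=$(stat -L -c %u "$file") || return 1
    if [ "$owner" != "$want_uid" ]; then echo wrong-owner; return 1; fi
    # test -u is true only when the set-user-ID bit is set.
    if [ ! -u "$file" ]; then echo not-setuid; return 1; fi
    echo ok
}

# scan_path CMD [UID] [PATH]: one "<status> <file>" line per PATH entry that
# holds an executable CMD, in lookup order. The first line is the copy a
# shell with that PATH would run.
scan_path() {
    cmd=$1
    want_uid=${2:-0}
    search=${3:-$PATH}
    old_ifs=$IFS
    IFS=:
    for dir in $search; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.
        if [ -x "$dir/$cmd" ] && [ ! -d "$dir/$cmd" ]; then
            echo "$(check_setuid "$dir/$cmd" "$want_uid") $dir/$cmd"
        fi
    done
    IFS=$old_ifs
}

# first_status CMD [UID] [PATH]: status of the copy that wins the lookup.
first_status() {
    scan_path "$@" | head -n 1 | cut -d' ' -f1
}

# Report every sudo visible to the current shell.
scan_path sudo
```

Running it in the old shell and again in a freshly started one shows whether the first match differs between the two environments.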


[Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline

2017-03-05 Thread Graham Christensen
Hello,

In my most recent roundup email, I included information about 17.03,
16.09, and the security support timeline. It was somewhat buried in the
otherwise very standard message, so I'm sending just that information.

NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
being developed:

 - 16.09 (stable)
 - 17.03 (beta)
 - unstable

17.03 will become stable at the end of March.

Due to the size of the NixOS community and the available resources we
have, we typically only support one stable version of NixOS at a time.

In order to ease the transition, I have decided to continue providing
security patches to the 16.09 channel for one month after 17.03 is
released, ending on May 3rd, 2017.

You can switch from 16.09 to 17.03-beta via:

$ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
$ sudo nix-channel --update
$ sudo nixos-rebuild boot
$ reboot

Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
changed, and using switch will break setuid binaries (like sudo, ping,
etc.) until you reboot.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security