Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
Linus Heckemann writes:
> On 09/03/17 10:26, Oliver Charles wrote:
>> sudo: /run/current-system/sw/bin/sudo must be owned by uid 0 and have
>> the setuid bit set
>
> Are you just adding sudo to systemPackages rather than using the option
> security.sudo.enable?

Nope, I'm using security.sudo.enable = true;

- ocharles

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
On 09/03/17 10:26, Oliver Charles wrote:
> sudo: /run/current-system/sw/bin/sudo must be owned by uid 0 and have
> the setuid bit set

Are you just adding sudo to systemPackages rather than using the option
security.sudo.enable?
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
https://github.com/NixOS/nixpkgs/issues/19862#issuecomment-283732486

On Wed, Mar 8, 2017 at 10:16 AM, Thomas Hunger wrote:
> Hi Graham,
>
> I tried reproducing the nixos-rebuild switch issue for setuid wrappers
> without success: Can you point me to an issue, or give a hint for what you
> mean by "break setuid binaries"? I'd like to fix this but don't yet
> understand what's going on.
>
> ~
>
> On 5 March 2017 at 15:25, Graham Christensen wrote:
>
>> Hello,
>>
>> In my most recent roundup email, I included information about 17.03,
>> 16.09, and the security support timeline. It was somewhat buried in the
>> otherwise very standard message, so I'm sending just that information.
>>
>> NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
>> being developed:
>>
>> - 16.09 (stable)
>> - 17.03 (beta)
>> - unstable
>>
>> 17.03 will become stable at the end of March.
>>
>> Due to the size of the NixOS community and the available resources we
>> have, we typically only support one stable version of NixOS at a time.
>>
>> In order to ease the transition, I have decided to continue providing
>> security patches to the 16.09 channel for one month after 17.03 is
>> released, ending on May 3rd, 2017.
>>
>> You can switch from 16.09 to 17.03-beta via:
>>
>> $ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
>> $ sudo nix-channel --update
>> $ sudo nixos-rebuild boot
>> $ reboot
>>
>> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
>> changed, and using switch will break setuid binaries (like sudo, ping,
>> etc.) until you reboot.
>>
>> Thank you very much,
>> Graham Christensen
>> NixOS Security Team
>> https://github.com/nixos/security
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
Hi Graham,

I tried reproducing the nixos-rebuild switch issue for setuid wrappers
without success: Can you point me to an issue, or give a hint for what you
mean by "break setuid binaries"? I'd like to fix this but don't yet
understand what's going on.

~

On 5 March 2017 at 15:25, Graham Christensen wrote:
> Hello,
>
> In my most recent roundup email, I included information about 17.03,
> 16.09, and the security support timeline. It was somewhat buried in the
> otherwise very standard message, so I'm sending just that information.
>
> NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
> being developed:
>
> - 16.09 (stable)
> - 17.03 (beta)
> - unstable
>
> 17.03 will become stable at the end of March.
>
> Due to the size of the NixOS community and the available resources we
> have, we typically only support one stable version of NixOS at a time.
>
> In order to ease the transition, I have decided to continue providing
> security patches to the 16.09 channel for one month after 17.03 is
> released, ending on May 3rd, 2017.
>
> You can switch from 16.09 to 17.03-beta via:
>
> $ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
> $ sudo nix-channel --update
> $ sudo nixos-rebuild boot
> $ reboot
>
> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.
>
> Thank you very much,
> Graham Christensen
> NixOS Security Team
> https://github.com/nixos/security
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
Hi,

On 03/06/2017 04:03 PM, Eelco Dolstra wrote:
> Hm, that seems like a pretty critical bug that we should fix before
> release. Maybe we should simply revert the path of the setuid wrappers?

I'm interested in retaining those changes so if you are okay with that I
can look into making transition painless in several days.

--
Nikolay.
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
Hi,

On 03/05/2017 04:25 PM, Graham Christensen wrote:
> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.

Hm, that seems like a pretty critical bug that we should fix before
release. Maybe we should simply revert the path of the setuid wrappers?

--
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
Re: [Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
Hi,

On 03/05/2017 06:25 PM, Graham Christensen wrote:
> Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
> changed, and using switch will break setuid binaries (like sudo, ping,
> etc.) until you reboot.

I think one can also restart his/her shell to update environment
variables -- this will do the job too. At least it helped me when I got
caught into this.

--
Nikolay.
[Nix-dev] NixOS 17.03 Beta, 16.09 Security Support Timeline
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello,

In my most recent roundup email, I included information about 17.03,
16.09, and the security support timeline. It was somewhat buried in the
otherwise very standard message, so I'm sending just that information.

NixOS 17.03 has entered Beta. This means we now have 3 versions of NixOS
being developed:

- 16.09 (stable)
- 17.03 (beta)
- unstable

17.03 will become stable at the end of March.

Due to the size of the NixOS community and the available resources we
have, we typically only support one stable version of NixOS at a time.

In order to ease the transition, I have decided to continue providing
security patches to the 16.09 channel for one month after 17.03 is
released, ending on May 3rd, 2017.

You can switch from 16.09 to 17.03-beta via:

$ sudo nix-channel --add https://nixos.org/channels/nixos-17.03 nixos
$ sudo nix-channel --update
$ sudo nixos-rebuild boot
$ reboot

Note: Don't use nixos-rebuild switch. The path to setuid wrappers has
changed, and using switch will break setuid binaries (like sudo, ping,
etc.) until you reboot.

Thank you very much,
Graham Christensen
NixOS Security Team
https://github.com/nixos/security
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP+htk0GpxXspt+y6BhIdNm/pQ1wFAli8LdAACgkQBhIdNm/p
Q1ygjA//U16fikL8uHxAjh4vM26U5rsztpXjDcMSMIv5wWi7omWWnwQ0b9nf/WPH
Tzh/nPA5L+DMrYBardPWF3PEriuuCW2oCBLhQpVIuYSl1vUmEL6R+GlBmHw6yD+G
DWFuxrJWwQLxNAjSrMwP0bID3ZYtFyQQZKvsrzpFSh+ThCu1tkvOUt8A9t43SBIJ
a0TTF6zFPez4GDrn7W702m4PMN0PEe0dyIg/UfpjmwEaxzgM8gZKcx/FLPh4IkVs
WN0RoPavLb5UhBeHGoV7kXWohJ26Wx4R8/5rX2kEQWl+5dP2fHuhGs6oEtRC5EHx
hiQmcwR+BCsQIZ6SzzveO2wOESiejjZnVuzqKoJ85NFfP39PRJqWD/GgHCsKCzwb
YQX8U5zKVmHNr0pbjtYFmkmyfMNisvJ217L1X758BylOSwMcaKCxPOxfO/A/Lra5
3MMRJQDs983sBuqBen4INPPcn/43GwwpMwlhxVdutCP9iyiH87hRSoX/Vf9l6fNa
vui2N00t8tn/biQKC0bFGBr5IPQiPmxBIVXRCP/Wiju+9vX5LUtk8y7pTr3lvkvr
M30W0/Q+1XK1IkTLsDDyvuG6NHqek5peIA7K4SKi5w6jI8quzdCqYkflGrgbXQOV
tyEEmmV8BMVPrpo7pmOQgHCh5ZlCU46hbqmHJxOjI2AJomwfLQo=
=eVJJ
-----END PGP SIGNATURE-----
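The announcement above warns that after `nixos-rebuild switch` the setuid wrappers live at a new path, and Oliver Charles's reply earlier in the thread shows the resulting symptom: `sudo` resolves to the plain store copy under /run/current-system/sw/bin, which refuses to run because it is not owned by uid 0 with the setuid bit set. The following POSIX sh diagnostic is an added example, not code from the thread or from the NixOS project: it checks whether the binary a shell's PATH resolves for a name like `sudo` really is setuid root, and flags the case where PATH still points at the unprivileged store binary (the situation a new shell or reboot fixes, as Nikolay noted). The only NixOS-specific path it uses is the /run/current-system/sw/bin prefix quoted in the thread; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from NixOS or the thread's authors) for the
# "must be owned by uid 0 and have the setuid bit set" symptom.

# is_setuid_root FILE
# Succeeds only if FILE exists, is owned by uid 0 and has the setuid bit.
# find(1) with -prune tests just FILE itself; -user 0 and -perm -4000 are
# the ownership and mode tests, both POSIX.
is_setuid_root() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -user 0 -perm -4000 -print 2>/dev/null)" ]
}

# classify_setuid_path FILE
# Prints one diagnosis line and returns:
#   0  FILE is a usable setuid-root binary
#   1  FILE is the unprivileged copy under /run/current-system/sw/bin,
#      i.e. PATH is not resolving to a setuid wrapper (the thread's
#      symptom; start a new shell or reboot so PATH picks up the new
#      wrapper directory)
#   2  FILE is something else that is not setuid root
classify_setuid_path() {
    file=$1
    if is_setuid_root "$file"; then
        echo "OK: $file is owned by uid 0 and setuid"
        return 0
    fi
    case $file in
        /run/current-system/sw/bin/*)
            echo "STALE PATH: $file is the store binary, not a setuid wrapper"
            return 1
            ;;
        *)
            echo "NOT SETUID ROOT: $file"
            return 2
            ;;
    esac
}

# diagnose NAME
# Resolves NAME through the calling shell's PATH and classifies the result;
# returns 3 if NAME is not on PATH at all.
diagnose() {
    resolved=$(command -v "$1") || {
        echo "MISSING: $1 not found in PATH"
        return 3
    }
    classify_setuid_path "$resolved"
}

# Usage: source this file in the shell that reported the error, then run
#   diagnose sudo; diagnose ping
# A "STALE PATH" result means the shell's environment predates the rebuild.
```

Because `diagnose` resolves the name through the environment of the shell it is sourced into, running it in the old shell and then in a freshly started one shows directly whether the problem is the binary on disk or only a stale PATH, which is the distinction the thread turns on.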