bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-18 Thread Bengt Richter
Hi Ludo, On +2019-10-18 16:36:30 +0200, Ludovic Courtès wrote: > Bengt Richter skribis: > > > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote: > > [...] > > >> > Imperialist nitpick: why list the foreigners first? :-) > >> > > >> > Anti-imperialist nitpick: reversing the two allows

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-18 Thread Ludovic Courtès
Bengt Richter wrote: > On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote: [...] >> > Imperialist nitpick: why list the foreigners first? :-) >> > >> > Anti-imperialist nitpick: reversing the two allows using ‘other >> > distributions’ instead of ‘foreign’ which always sounds a bit >> >

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-17 Thread Bengt Richter
Hi Ludo, Tobias, On +2019-10-17 22:25:58 +0200, Ludovic Courtès wrote: > Hello! > > Tobias Geerinckx-Rice wrote: > > > Ludovic Courtès wrote: > >> See https://issues.guix.gnu.org/issue/37744 > > > > Will this be automatically linkified? > > Yes, I think so. > > >> # Upgrading > >> > >> On

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-17 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', Ludovic Courtès wrote: See https://issues.guix.gnu.org/issue/37744 Will this be automatically linkified? This issue was initially [reported by Michael Orlitzky for Nix](https://www.openwall.com/lists/oss-security/2019/10/09/4)

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-17 Thread Ludovic Courtès
Hi! Ludovic Courtès wrote: > In addition to the news entry that ‘guix pull’ will display, we may want > to publicize the issue. In particular, should we: > > 1. Apply for a new CVE? > > 2. Post an article on the blog to explain in detail what happened? > That should probably include

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Thu, Oct 17, 2019 at 04:58:19AM +0200, pelzflorian (Florian Pelz) wrote: > On Wed, Oct 16, 2019 at 11:39:37PM +0200, Ludovic Courtès wrote: > > I committed this with minor changes (removed “sudo”, etc.), but the > > translation corresponds to the first version of the entry. Please feel > >

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
message did not get through. I should not have sent it off-list, how stupid of me. - Forwarded message from "pelzflorian (Florian Pelz)" - Date: Wed, 16 Oct 2019 21:00:57 +0200 From: "pelzflorian (Florian Pelz)" To: Ludovic Courtès Subject: Re: bug#37744: Per-user pr

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
I pushed the fix as 81c580c8664bfeeb767e2c47ea343004e88223c7, followed by an update of the ‘guix’ package in e63b31443b29b7793e73ab04798220edc6e564fc. Thanks everyone! Ludo’.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Tobias Geerinckx-Rice wrote: > Let's try that again: Committed on your behalf, thanks! :-)

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi Florian, "pelzflorian (Florian Pelz)" wrote: > From 14d4d176bae1e67c627a169c881720f3f9fb3904 Mon Sep 17 00:00:00 2001 > From: Florian Pelz > Date: Wed, 16 Oct 2019 16:37:27 +0200 > Subject: [PATCH] nls: Update 'de' translation of news entries. > > * etc/news.scm: Add new 'de' translation.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Julien Lepiller wrote: > for the French (feel free to rework the text if you find anything to > object to :)) : Pushed on your behalf, thanks! :-) Ludo'.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Ludovic Courtès wrote: > In addition to the news entry that ‘guix pull’ will display, we may want > to publicize the issue. In particular, should we: > > 1. Apply for a new CVE? I went ahead and asked for a CVE ID via . Ludo’.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Julien Lepiller
On Wed, 16 Oct 2019 19:05:44 +0200, Ludovic Courtès wrote: > Hi! > > Thanks for your feedback Tobias, Florian, and Julien! > > Taking that into account, I propose this (I’ve also changed the title > to make it hopefully clearer): > > --8<---cut

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Let's try that again: (nl "Onveilige @file{/var/guix/profiles/per-user}-rechten")) (nl "Het standaard gebruikersprofiel, @file{~/.guix-profile}, verwijst naar @file{/var/guix/profiles/per-user/$USER}. Tot op heden kon om het even wie in @file{/var/guix/profiles/per-user}

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', Ludovic Courtès wrote: Taking that into account, I propose this (I’ve also changed the title to make it hopefully clearer): Here's my NL translation: (nl "Onveilige @file{/var/guix/profiles/per-user}-rechten")) (nl "Het standaard gebruikersprofiel,

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi! Thanks for your feedback Tobias, Florian, and Julien! Taking that into account, I propose this (I’ve also changed the title to make it hopefully clearer): --8<---cut here---start->8--- (entry (commit "FIXME") (title (en "Insecure

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Julien Lepiller
On 16 October 2019 12:22:33 GMT+02:00, "Ludovic Courtès" wrote: >Hello! > >Here’s a patch that fixes the issue, partly based on what the Nix folks >did. > >For the client-connecting-over-TCP case, I added special handling: >‘set-build-options’ now passes a “user-name” property, potentially

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Wed, Oct 16, 2019 at 04:22:21PM +0200, pelzflorian (Florian Pelz) wrote: > Why sudo guix pull? It should be without sudo, am I wrong? > The attached patch adds a German translation. Please remove the last sudo from the de translation too if you agree that it is wrong. Regards, Florian

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
pelzflorian (Florian Pelz) wrote: On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote: blah blah blah Sorry for being imprecise. I meant on Guix System. Sorry for misreading, you're right that it shouldn't be needed (or recommended IMO). Kind regards, T G-R

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
On Wed, Oct 16, 2019 at 05:16:47PM +0200, Tobias Geerinckx-Rice wrote: > pelzflorian (Florian Pelz) wrote: > > Why sudo guix pull? It should be without sudo, am I wrong? > > Guix on ‘foreign’ distributions uses the root profile for the daemon by > default (i.e. in guix-daemon.service). > Sorry

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
pelzflorian, pelzflorian (Florian Pelz) wrote: Why sudo guix pull? It should be without sudo, am I wrong? Guix on ‘foreign’ distributions uses the root profile for the daemon by default (i.e. in guix-daemon.service). You could change this to a regular user's profile, but that amounts to

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread pelzflorian (Florian Pelz)
Thank you for ensuring security issues are fixed. On Wed, Oct 16, 2019 at 12:22:33PM +0200, Ludovic Courtès wrote: > +This is now fixed by letting @command{guix-daemon} create these directories > on > +behalf of users and removing the world-writable permissions on > +@code{per-user}. On

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', That was swift, thanks! IANAC++. Ludovic Courtès wrote: diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 3b08492c64..3793382361 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hello! In addition to the news entry that ‘guix pull’ will display, we may want to publicize the issue. In particular, should we: 1. Apply for a new CVE? 2. Post an article on the blog to explain in detail what happened? That should probably include an analysis like that at

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-16 Thread Ludovic Courtès
Hi Tobias, Tobias Geerinckx-Rice wrote: > No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’. > > Of course the remote daemon doesn't trust me beyond pre-creating an > empty per-user directory owned by the local "ludo" user only if such a > user exists. It doesn't even report success or

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-15 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', Thanks for your answer. Ludovic Courtès wrote: I need more cluebat please: say I'm an attacker and connect to your daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’. You wouldn’t be able to do that over TCP because the daemon can’t tell what user you

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-15 Thread Ludovic Courtès
Hi! Tobias Geerinckx-Rice wrote: > The 1777 is obviously very bad, no question. However: question: > > Ludovic Courtès wrote: >> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf >> of >> the client for clients connecting over TCP. Or we’d need to add a >> challenge mechanism

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-14 Thread Maxim Cournoyer
Hello, Tobias Geerinckx-Rice writes: > Ludo', > > Thanks for your report :-p > > The 1777 is obviously very bad, no question. However: question: > > Ludovic Courtès wrote: >> I don’t see how to let the daemon create ‘per-user/$USER’ on behalf >> of >> the client for clients connecting over TCP.

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-14 Thread Tobias Geerinckx-Rice via Bug reports for GNU Guix
Ludo', Thanks for your report :-p The 1777 is obviously very bad, no question. However: question: Ludovic Courtès wrote: I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of the client for clients connecting over TCP. Or we’d need to add a challenge mechanism or

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-14 Thread Ludovic Courtès
Ludovic Courtès wrote: > Looks like we’ll need to do something similar to: > . Compared to the Nix build daemon, our daemon can accept connections over TCP in addition to Unix-domain sockets, so the bit

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

2019-10-14 Thread Ludovic Courtès
Hello Guix, That the per-user profile directory is world-writable allows an attacker to hijack code run by other users, as has been reported in the context of Nix: https://www.openwall.com/lists/oss-security/2019/10/09/4 I believe it applies to Guix as well. Nix people are tracking it here: