Re: TOCTTOU race

2021-03-10 Thread Ludovic Courtès
Hi Maxime,

Maxime Devos wrote:

> On Tue, 2021-02-23 at 16:30 +0100, Ludovic Courtès wrote:
>> Hi,
>>
>> Maxime Devos wrote:
>>
>> > Is all addressed now? (Aside from the TOCTTOU.)
>>
>> Yes, thank you!
>
> If all is addressed now, could you apply the patch?
> I don't see it in master

Re: TOCTTOU race

2021-02-26 Thread Maxime Devos
On Tue, 2021-02-23 at 16:30 +0100, Ludovic Courtès wrote:
> Hi,
>
> Maxime Devos wrote:
>
> > Is all addressed now? (Aside from the TOCTTOU.)
>
> Yes, thank you!

If all is addressed now, could you apply the patch?
I don't see it in master yet and I don't have commit access.

Greetings,

Re: TOCTTOU race

2021-02-23 Thread Ludovic Courtès
Hi,

Maxime Devos wrote:

> Is all addressed now? (Aside from the TOCTTOU.)

Yes, thank you!

Ludo’.

Re: TOCTTOU race

2021-02-22 Thread Maxime Devos
> Perhaps add a couple of lines explaining that this fixes a potential
> security issue, with a link to this thread.

Done. But since

> > Currently, there's a TOCTTOU race. This can be addressed
> > once guile has bindings for fstatat, openat and friends.

... I only

Re: TOCTTOU race

2021-02-22 Thread Ludovic Courtès
evos > Date: Sun, 14 Feb 2021 12:57:32 +0100 > Subject: [PATCH] services: prevent following symlinks during activation ^ Nitpick: we usually capitalize here and in the commit log. Perhaps add a couple of lines explaining that this fixes a potential security iss

Re: TOCTTOU race

2021-02-19 Thread Maxime Devos
From 2c3968f658ada27d2062a960d229f3db9cfe208c Mon Sep 17 00:00:00 2001
From: Maxime Devos
Date: Sun, 14 Feb 2021 12:57:32 +0100
Subject: [PATCH] services: prevent following symlinks during activation

Currently, there's a TOCTTOU race. This can be addressed
once guile has bindings for fstatat, o

Re: TOCTTOU race

2021-02-18 Thread Ludovic Courtès
Hi Maxime,

Maxime Devos wrote:

> From ad10c577eb1f13b9b66ea387648671df33b869d7 Mon Sep 17 00:00:00 2001
> From: Maxime Devos
> Date: Sun, 14 Feb 2021 12:57:32 +0100
> Subject: [PATCH] services: prevent following symlinks during activation
>
> Currently, there's a TOCTT

Re: TOCTTOU race (was: Potential security weakness in Guix services)

2021-02-14 Thread Bengt Richter
Hi,

On +2021-02-14 13:29:29 +0100, Maxime Devos wrote:
> On Sat, 2021-02-06 at 22:26 +0100, Ludovic Courtès wrote:
> >
> > [...]
> > I understand the TOCTTOU race. However, activation code runs in two
> > situations: when booting the system (before shepherd takes

TOCTTOU race (was: Potential security weakness in Guix services)

2021-02-14 Thread Maxime Devos
On Sat, 2021-02-06 at 22:26 +0100, Ludovic Courtès wrote:
>
> [...]
> I understand the TOCTTOU race. However, activation code runs in two
> situations: when booting the system (before shepherd takes over), and
> upon ‘guix system reconfigure’ completion.
>
> When bootin