GNU bug report logs - #51833
SECURITY: Sanitize the permissions for guix daemon socket?

Previous Next

Package: guix;

Reported by: Jacob Hrbek <kreyren <at> rixotstudio.cz>

Date: Sun, 14 Nov 2021 09:20:01 UTC

Severity: normal

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 51833 in the body.
You can then email your comments to 51833 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#51833; Package guix. (Sun, 14 Nov 2021 09:20:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jacob Hrbek <kreyren <at> rixotstudio.cz>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 14 Nov 2021 09:20:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jacob Hrbek <kreyren <at> rixotstudio.cz>
To: "bug-guix <at> gnu.org" <bug-guix <at> gnu.org>
Subject: SECURITY: Sanitize the permissions for guix daemon socket?
Date: Sun, 14 Nov 2021 09:18:46 +0000
[Message part 1 (text/plain, inline)]
The /var/guix/daemon-socket/socket is by default set to be owned by root:root with chmod 0666 that allows **ALL** users on the system to interact with guix daemon to write in the store directory.

Proposing to define a group (or use guixbuild group?) to by default deny access to the socket to all users without the group as i see this being a security issue waiting to happen.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.
[Message part 2 (text/html, inline)]
[publickey - kreyren@rixotstudio.cz - 0x1677DB82.asc (application/pgp-keys, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to bug-guix <at> gnu.org:
bug#51833; Package guix. (Sun, 14 Nov 2021 09:50:03 GMT) Full text and rfc822 format available.

Message #8 received at 51833 <at> debbugs.gnu.org (full text, mbox):

From: Jacob Hrbek <kreyren <at> rixotstudio.cz>
To: "51833 <at> debbugs.gnu.org" <51833 <at> debbugs.gnu.org>
Subject: (No Subject)
Date: Sun, 14 Nov 2021 09:49:48 +0000
[Message part 1 (text/plain, inline)]
Discussed on IRC/Matrix https://matrix.to/#/!sHzxAiaYPGfEPSGCzf:libera.chat/$TNunZ_vCWYxNGw-XDyCgKyKobccakb2A9noppM8kkTo?via=libera.chat&via=matrix.org&via=tchncs.de concluded to not be a security issue.

My concern was malicious user caching a malicious derivation trying to force root user to invoke it to unleash the payload, but that is not possible due to the use of GPG with the guix repo to prevent injection of malicious DNS server through DHCP.

-- Jacob "Kreyren" Hrbek

Sent with ProtonMail Secure Email.
[Message part 2 (text/html, inline)]
[publickey - kreyren@rixotstudio.cz - 0x1677DB82.asc (application/pgp-keys, attachment)]
[signature.asc (application/pgp-signature, attachment)]

bug closed, send any further explanations to 51833 <at> debbugs.gnu.org and Jacob Hrbek <kreyren <at> rixotstudio.cz> Request was from Tobias Geerinckx-Rice <me <at> tobias.gr> to control <at> debbugs.gnu.org. (Sun, 14 Nov 2021 11:52:01 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 12 Dec 2021 12:24:08 GMT) Full text and rfc822 format available.

This bug report was last modified 2 years and 98 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.