GNU bug report logs - #55361
[Installer] Extra unprivileged “root” account added

Package: guix

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Wed, 11 May 2022 09:37:01 UTC

Severity: important

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


Report forwarded to othacehe <at> gnu.org, bug-guix <at> gnu.org:
bug#55361; Package guix. (Wed, 11 May 2022 09:37:01 GMT)

Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>:
New bug report received and forwarded. Copy sent to othacehe <at> gnu.org, bug-guix <at> gnu.org. (Wed, 11 May 2022 09:37:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: [Installer] Extra unprivileged “root” account added
Date: Wed, 11 May 2022 11:36:46 +0200
The installer built from:

--8<---------------cut here---------------start------------->8---
Generation 214	May 02 2022 21:44:14	(current)
  guix 6b588da
    repository URL: https://git.savannah.gnu.org/git/guix.git
    branch: master
    commit: 6b588da368c77cde82ea2f22ca315116228777ad
--8<---------------cut here---------------end--------------->8---

… adds an unprivileged “root” account to the ‘users’ section of the OS
config.

Ludo’.




Severity set to 'important' from 'normal'. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 11 May 2022 13:43:01 GMT)

Added indication that bug 55361 blocks 53214. Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 11 May 2022 13:44:01 GMT)

Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Fri, 20 May 2022 22:20:02 GMT)

Notification sent to Ludovic Courtès <ludo <at> gnu.org>:
bug acknowledged by developer. (Fri, 20 May 2022 22:20:02 GMT)

Message #14 received at 55361-done <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: 55361-done <at> debbugs.gnu.org
Cc: Mathieu Othacehe <othacehe <at> gnu.org>
Subject: Re: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 00:19:06 +0200
Ludovic Courtès <ludo <at> gnu.org> skribis:

> The installer built from:
>
> Generation 214	May 02 2022 21:44:14	(current)
>   guix 6b588da
>     repository URL: https://git.savannah.gnu.org/git/guix.git
>     branch: master
>     commit: 6b588da368c77cde82ea2f22ca315116228777ad
>
> … adds an unprivileged “root” account to the ‘users’ section of the OS
> config.

Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
c2125e59d0774cda3e559adeb056459a5f23586b.

Ludo’.




Information forwarded to bug-guix <at> gnu.org:
bug#55361; Package guix. (Sat, 21 May 2022 12:55:01 GMT)

Message #17 received at 55361 <at> debbugs.gnu.org:

From: bokr <at> bokr.com
To: 55361 <at> debbugs.gnu.org, ludo <at> gnu.org
Subject: Re: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 14:54:34 +0200
Hello,

On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo <at> gnu.org> skribis:
> 
> > The installer built from:
> >
> > Generation 214      May 02 2022 21:44:14    (current)
> >   guix 6b588da
> >     repository URL: https://git.savannah.gnu.org/git/guix.git
> >     branch: master
> >     commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
> 
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
> 
> Ludo’.
> 
> 
>
--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe <othacehe <at> gnu.org>
Date:   Mon Apr 4 16:38:09 2022 +0200

    installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---


--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès <ludo <at> gnu.org>
Date:   Fri May 20 20:41:02 2022 +0200

    Revert "installer: user: Remove useless filtering."
    
    This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.
    
    Fixes <https://issues.guix.gnu.org/55361>.
--8<---------------cut here---------------end--------------->8---

Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---

Is this like coming home from 46day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed? Or meh?

Is, or should there be, a required signoff on an
exploitability assessment in the commit, when it
has that scent? (e.g. anything possibly opening
a door to root privileges).

Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.

Thoughts?

--
Regards,
Bengt Richter




Information forwarded to bug-guix <at> gnu.org:
bug#55361; Package guix. (Sat, 21 May 2022 13:35:02 GMT)

Message #20 received at 55361 <at> debbugs.gnu.org:

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: bokr <at> bokr.com
Cc: ludo <at> gnu.org, 55361 <at> debbugs.gnu.org
Subject: Re: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 15:34:02 +0200
Hi bokr,

What makes this commit special?  If there's a security aspect here, what 
is it?

> Personally, I am happy to see "fixed," but I would be happier
> seeing a signed exploitability assessment, esp if by someone
> concentrating on that aspect of things.

I don't think anyone is going to volunteer for that honour, unless you 
are :-)

Kind regards,

T G-R

Sent from a Web browser.  Excuse or enjoy my brevity.




Information forwarded to bug-guix <at> gnu.org:
bug#55361; Package guix. (Sat, 21 May 2022 16:52:02 GMT)

Message #23 received at 55361 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: bokr <at> bokr.com
Cc: 55361 <at> debbugs.gnu.org
Subject: Re: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 18:51:21 +0200
Hi,

bokr <at> bokr.com skribis:

> Assuming my date-diff hack worked:
>
> ~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
> 46days 4hrs 2min 53sec
>
> Is this like coming home from 46day vacation and noticing
> that, oops, someone left the kitchen door open,
> and hoping no ++ungoodniks noticed? Or meh?

Heh.  It was a minor annoyance: the generated OS config would have an
unnecessary “root” user account (unnecessary because it’s included by
default), which ‘guix system init’ would warn about and ignore, and the
end result is unchanged.

IWBN to augment the installation tests with a check for that, but that’s
tricky.  But like Tobias wrote, contributions are welcome.  :-)

Thanks,
Ludo’.




Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 19 Jun 2022 11:24:08 GMT)
