GNU bug report logs -
#55361
[Installer] Extra unprivileged “root” account added
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 11 May 2022 09:37:01 UTC
Severity: important
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 55361 in the body.
You can then email your comments to 55361 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
othacehe <at> gnu.org, bug-guix <at> gnu.org
:
bug#55361
; Package
guix
.
(Wed, 11 May 2022 09:37:01 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Ludovic Courtès <ludo <at> gnu.org>
:
New bug report received and forwarded. Copy sent to
othacehe <at> gnu.org, bug-guix <at> gnu.org
.
(Wed, 11 May 2022 09:37:01 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
The installer built from:
--8<---------------cut here---------------start------------->8---
Generation 214 May 02 2022 21:44:14 (current)
guix 6b588da
repository URL: https://git.savannah.gnu.org/git/guix.git
branch: master
commit: 6b588da368c77cde82ea2f22ca315116228777ad
--8<---------------cut here---------------end--------------->8---
… adds an unprivileged “root” account to the ‘users’ section of the OS
config.
Ludo’.
Severity set to 'important' from 'normal'
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Wed, 11 May 2022 13:43:01 GMT)
Full text and
rfc822 format available.
Added indication that bug 55361 blocks53214
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Wed, 11 May 2022 13:44:01 GMT)
Full text and
rfc822 format available.
Reply sent
to
Ludovic Courtès <ludo <at> gnu.org>
:
You have taken responsibility.
(Fri, 20 May 2022 22:20:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Ludovic Courtès <ludo <at> gnu.org>
:
bug acknowledged by developer.
(Fri, 20 May 2022 22:20:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 55361-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> skribis:
> The installer built from:
>
> Generation 214 May 02 2022 21:44:14 (current)
> guix 6b588da
> repository URL: https://git.savannah.gnu.org/git/guix.git
> branch: master
> commit: 6b588da368c77cde82ea2f22ca315116228777ad
>
> … adds an unprivileged “root” account to the ‘users’ section of the OS
> config.
Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
c2125e59d0774cda3e559adeb056459a5f23586b.
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#55361
; Package
guix
.
(Sat, 21 May 2022 12:55:01 GMT)
Full text and
rfc822 format available.
Message #17 received at 55361 <at> debbugs.gnu.org (full text, mbox):
Hello,
On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo <at> gnu.org> skribis:
>
> > The installer built from:
> >
> > Generation 214 May 02 2022 21:44:14 (current)
> > guix 6b588da
> > repository URL: https://git.savannah.gnu.org/git/guix.git
> > branch: master
> > commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
>
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
>
> Ludo’.
>
>
>
--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe <othacehe <at> gnu.org>
Date: Mon Apr 4 16:38:09 2022 +0200
installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---
--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri May 20 20:41:02 2022 +0200
Revert "installer: user: Remove useless filtering."
This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.
Fixes <https://issues.guix.gnu.org/55361>.
--8<---------------cut here---------------end--------------->8---
Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---
Is this like coming home from 46day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed? Or meh?
Is. or should there be, a required signoff on an
exploitability assessment in the commit, when it
has that scent? (e.g. anything possibly opening
a door to root privilges).
Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.
Thoughts?
--
Regards,
Bengt Richter
Information forwarded
to
bug-guix <at> gnu.org
:
bug#55361
; Package
guix
.
(Sat, 21 May 2022 13:35:02 GMT)
Full text and
rfc822 format available.
Message #20 received at 55361 <at> debbugs.gnu.org (full text, mbox):
Hi bokr,
What makes this commit special? If there's a security aspect here, what
is it?
> Personally, I am happy to see "fixed," but I would be happier
> seeing a signed exploitability assessment, esp if by someone
> concentrating on that aspect of things.
I don't think anyone is going to volunteer for that honour, unless you
are :-)
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#55361
; Package
guix
.
(Sat, 21 May 2022 16:52:02 GMT)
Full text and
rfc822 format available.
Message #23 received at 55361 <at> debbugs.gnu.org (full text, mbox):
Hi,
bokr <at> bokr.com skribis:
> Assuming my date-diff hack worked:
>
> ~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
> 46days 4hrs 2min 53sec
>
> Is this like coming home from 46day vacation and noticing
> that, oops, someone left the kitchen door open,
> and hoping no ++ungoodniks noticed? Or meh?
Heh. It was a minor annoyance: the generated OS config would have an
unnecessary “root” user account (unnecessary because it’s included by
default), which ‘guix system init’ would warn about and ignore, and the
end result is unchanged.
IWBN to augment the installation tests with a check for that, but that’s
tricky. But like Tobias wrote, contributions are welcome. :-)
Thanks,
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Sun, 19 Jun 2022 11:24:08 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 283 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.