[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#47584: Race condition in ‘copy-account-skeletons’: possible privileg
|
From: |
Ludovic Courtès |
|
Subject: |
bug#47584: Race condition in ‘copy-account-skeletons’: possible privilege escalation. |
|
Date: |
Sat, 03 Apr 2021 22:49:24 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Maxime Devos <maximedevos@telenet.be> skribis:
> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.
Also… in this paragraph, it’s not entirely clear which user we’re
talking about it. In news.scm, I reworded it like so:
The attack can happen when @command{guix system reconfigure} is running.
Running @command{guix system reconfigure} can trigger the creation of new user
accounts if the configuration specifies new accounts. If a user whose account
is being created manages to log in after the account has been created but
before ``skeleton files'' copied to its home directory have the right
ownership, they may, by creating an appropriately-named symbolic link in the
home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
root privileges.
It may also be worth mentioning that the user is likely unable to log in
at all at that point, as I wrote here:
https://issues.guix.gnu.org/47584#6
WDYT?
Ludo’.