bug-guix
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#55361: [Installer] Extra unprivileged “root” account added

From: bokr
Subject: bug#55361: [Installer] Extra unprivileged “root” account added
Date: Sat, 21 May 2022 14:54:34 +0200
User-agent: Mutt/1.10.1 (2018-07-13) 
Hello,

On +2022-05-21 00:19:06 +0200, Ludovic Courtès wrote:
> Ludovic Courtès <ludo@gnu.org> skribis:
> 
> > The installer built from:
> >
> > Generation 214      May 02 2022 21:44:14    (current)
> >   guix 6b588da
> >     repository URL: https://git.savannah.gnu.org/git/guix.git
> >     branch: master
> >     commit: 6b588da368c77cde82ea2f22ca315116228777ad
> >
> > … adds an unprivileged “root” account to the ‘users’ section of the OS
> > config.
> 
> Fixed in 48c748226e2a94d2dec9bfdf84601455f00d6f5e, which reverts
> c2125e59d0774cda3e559adeb056459a5f23586b.
> 
> Ludo’.
> 
> 
>
--8<---------------cut here---------------start------------->8---
commit c2125e59d0774cda3e559adeb056459a5f23586b
Author: Mathieu Othacehe <othacehe@gnu.org>
Date:   Mon Apr 4 16:38:09 2022 +0200

    installer: user: Remove useless filtering.
--8<---------------cut here---------------end--------------->8---


--8<---------------cut here---------------start------------->8---
commit 48c748226e2a94d2dec9bfdf84601455f00d6f5e
Author: Ludovic Courtès <ludo@gnu.org>
Date:   Fri May 20 20:41:02 2022 +0200

    Revert "installer: user: Remove useless filtering."
    
    This reverts commit c2125e59d0774cda3e559adeb056459a5f23586b.
    
    Fixes <https://issues.guix.gnu.org/55361>.
--8<---------------cut here---------------end--------------->8---

Assuming my date-diff hack worked:
--8<---------------cut here---------------start------------->8---
~/wb/guix]$ date-diff '2022-04-04 16:38:09' '2022-05-20 20:41:02'
46days 4hrs 2min 53sec
--8<---------------cut here---------------end--------------->8---

Is this like coming home from 46day vacation and noticing
that, oops, someone left the kitchen door open,
and hoping no ++ungoodniks noticed? Or meh?

Is. or should there be, a required signoff on an
exploitability assessment in the commit, when it
has that scent? (e.g. anything possibly opening
a door to root privilges).

Personally, I am happy to see "fixed," but I would be happier
seeing a signed exploitability assessment, esp if by someone
concentrating on that aspect of things.

Thoughts?

--
Regards,
Bengt Richter
reply via email to
[Prev in Thread] Current Thread [Next in Thread]