guix-commits
01/02: website: Add post about guix-daemon keep-failed vulnerability.


From: Ludovic Courtès
Subject: 01/02: website: Add post about guix-daemon keep-failed vulnerability.
Date: Thu, 18 Mar 2021 07:49:00 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix-artwork.

commit 0eb0c14335982e02f6871b4af09a568e852de54c
Author: Leo Famulari <leo@famulari.name>
AuthorDate: Thu Mar 18 01:24:08 2021 -0400

    website: Add post about guix-daemon keep-failed vulnerability.
    
    * website/posts/keep-failed.md: New file.
    
    Signed-off-by: Ludovic Courtès <ludo@gnu.org>
---
 website/posts/keep-failed.md | 110 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/website/posts/keep-failed.md b/website/posts/keep-failed.md
new file mode 100644
index 0000000..b795556
--- /dev/null
+++ b/website/posts/keep-failed.md
@@ -0,0 +1,110 @@
+title: Risk of local privilege escalation via guix-daemon
+date: 2021-03-18 08:00
+author: Ludovic Courtès and Leo Famulari
+tags: Security Advisory
+---
+
+A security vulnerability that can lead to local privilege escalation has been
+found in the
+[guix-daemon](https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html).
+It affects multi-user setups in which `guix-daemon` runs locally.
+
+It does not affect multi-user setups where `guix-daemon` runs on a separate
+machine and is accessed over the network via `GUIX_DAEMON_SOCKET`, as is
+customary on cluster setups.  Machines where the Linux [protected
+hardlinks](https://sysctl-explorer.net/fs/protected_hardlinks/) feature is
+enabled, which is common, are also unaffected — this is the case when the
+contents of `/proc/sys/fs/protected_hardlinks` are `1`.
+
+# Vulnerability
+
+The attack consists in having an unprivileged user spawn a build process, for
+instance with `guix build`, that makes its build directory world-writable.  The
+user then creates a hardlink to a root-owned file such as `/etc/shadow` in that
+build directory.  If the user passed the `--keep-failed` option and the build
+eventually fails, the daemon changes ownership of the whole build tree,
+including the hardlink, to the user.  At that point, the user has write access
+to the target file.
+
+# Fix
+
+This [bug](https://issues.guix.gnu.org/XXX) has been
+[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=XXX).
+
+The fix consists in adding a root-owned "wrapper" directory in which the build
+directory itself is located.  If the user passed the `--keep-failed` option and
+the build fails, the `guix-daemon` first changes ownership of the build
+directory, and then, in two stages, moves the build directory into the location
+where users expect to find failed builds, roughly like this:
+
+1. chown -R USER /tmp/guix-build-foo.drv-0/top
+2. mv /tmp/guix-build-foo.drv-0{,.pivot}
+3. mv /tmp/guix-build-foo.drv-0.pivot/top /tmp/guix-build-foo.drv-0
+
+In step #1, `/tmp/guix-build-foo.drv-0` remains root-owned, with permissions of
+`#o700`.  Thus, only root can change dir into it or into "top".  Likewise in
+step #2.
+
+The build tree becomes accessible to the user once step #3 has succeeded, not
+before.  These steps are performed after the package build scripts have stopped
+running.
+
+# Upgrading
+
+On multi-user systems, we recommend upgrading the `guix-daemon` now.
+
+To upgrade the daemon on Guix System, run:
+
+```
+guix pull
+sudo guix system reconfigure /run/current-system/configuration.scm
+sudo herd restart guix-daemon
+```
+
+On other distros, use something like this:
+
+```
+sudo --login guix pull
+sudo systemctl restart guix-daemon.service
+
+```
+# Conclusions
+
+One of the flagship features of GNU Guix is enable unprivileged package
+management, which includes building packages.  Building occurs in an [isolated
+build 
environment](https://guix.gnu.org/manual/en/html_node/Build-Environment-Setup.html).
+This environment is isolated from the rest of the system not only to control 
the
+build process to implement the [functional packaging
+model](https://guix.gnu.org/manual/en/html_node/Managing-Software-the-Guix-Way.html),
+but also to protect the system from package build scripts.
+
+Despite our best efforts, there is always the possibility that we have
+overlooked something, as in this case.
+
+This issue is tracked as [bug#XXX](https://issues.guix.gnu.org/XXX); you can
+read the thread for more information.
+
+We are grateful to Nathan Nye of WhiteBeam Security for reporting this bug.
+
+Please report any issues you may have to
+[`guix-devel@gnu.org`](https://guix.gnu.org/en/contact/).  See the
+[security web page](https://guix.gnu.org/en/security/) for information
+on how to report security issues.
+
+#### About GNU Guix
+
+[GNU Guix](https://guix.gnu.org) is a transactional package manager and
+an advanced distribution of the GNU system that [respects user
+freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html).
+Guix can be used on top of any system running the Hurd or the Linux
+kernel, or it can be used as a standalone operating system distribution
+for i686, x86_64, ARMv7, and AArch64 machines.
+
+In addition to standard package management features, Guix supports
+transactional upgrades and roll-backs, unprivileged package management,
+per-user profiles, and garbage collection.  When used as a standalone
+GNU/Linux distribution, Guix offers a declarative, stateless approach to
+operating system configuration management.  Guix is highly customizable
+and hackable through [Guile](https://www.gnu.org/software/guile)
+programming interfaces and extensions to the
+[Scheme](http://schemers.org) language.
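Review bot: the bug and commit references in the "Fix" and "Conclusions" sections are still `XXX` placeholders (`https://issues.guix.gnu.org/XXX`, `commit/?id=XXX`, `bug#XXX`); since this is a security advisory, fill in the real bug number and fix commit before the post goes live so readers can verify which daemon revision contains the fix. Two smaller points in the same hunk: "is enable unprivileged package management" in "Conclusions" should read "is to enable unprivileged package management", and the second upgrade snippet has a stray blank line before its closing fence and no blank line after the fence before `# Conclusions`, which some Markdown renderers will fold into the code block.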
