Re: Why is /gnu/store writable by the guixbuild group?

[Steven Allen]

On 01-22-16, Ludovic Courtès wrote:
> What’s TPE (sorry for asking) and how does it complain exactly?

Nevermind. This is a false positive and I've reported it to the
grsecurity people (although they may not fix it...).

FYI...

TPE is Trusted Path Execution. Basically, it means that unprivileged
users can only execute files that are not writable, or in directories
writable, by users other than the current user or root. This is to help
make it harder to trick users into executing files written by a
malicious user.

However, after thinking about it, I this case is a false positive
because:

1. The /gnu/store/xxx/ directories and all files under them are not
   group writable and are owned by root.
2. /gnu/store has the sticky bit set.

This means that any files in /gnu/store that are owned by root must have
"blessed" by root (either linked-in or chowned by root). Therefore, the
"no group/other writable parent directory" constraint is unnecessary.

> > Guix on Arch keeps on trying to build gcc on my poor laptop even
> > though I've enabled substitutes but that's another issue...)
> 
> That shouldn’t happen, unless you’re using an old version of Guix for
> which substitutes are no longer available at hydra.gnu.org.

I'm using guix from git and I'll look into it. In my build logs, it
appears that tar is complaining about an invalid flat ("--sort=name") so
I think guix is having trouble extracting the substitutes.

> That’s because initially build processes write to their chroot, but when
> the build completes, the build process moves the outputs (the results)
> back to the store. 
...
> If you look at ‘strace -f -p $(pidof guix-daemon)’ while running ‘guix
> build grue-hunter’, the above lines of code translate to:
> 
> --8<---------------cut here---------------start------------->8---
> 7519  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7544, 
> si_status=0, si_utime=0, si_stime=0} ---
> 7519  
> lstat("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0",
>  {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> 7519  
> rename("/gnu/store/660hdld3sc7laz8kw871pd3yyg9khs5m-grue-hunter-1.0.drv.chroot/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0",
>  "/gnu/store/h6sdfqzv4xbydwiafiqvrw0d5505l1l8-grue-hunter-1.0") = 0
> --8<---------------cut here---------------end--------------->8---

I just did a local experiment (running pstree alongside strace) and,
unless I'm mistaken, 7519 is running as root.

> >> > On a related note, why do all builders use guixbuild as their primary
> >> > group.
> >> In the long term, it would be cool to just use user namespaces...
> >
> > In the short term, is there any reason not to give each of these users
> > its own group?
> 
> Would it make a difference?

No. I was concerned that some files might end up group writable but the
ro bind mount of /gnu/store means that even world writable files are
read only (and nix will make sure that no files in the final build are
writable by users other than root.

-- 
Steven Allen
((Do Not Email <address@hidden>))

signature.asc
Description: PGP signature