Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)

From: Ludovic Courtès
Subject: Insecure permissions on /var/guix/profiles/per-user (CVE-2019-18192)
Date: Thu, 17 Oct 2019 23:29:14 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)


We have become aware of a security issue for Guix on multi-user systems
that we have just fixed (CVE-2019-18192).  Anyone running Guix on a
multi-user system is encouraged to upgrade ‘guix-daemon’—see below for

More information is available on the Guix blog:


The default user profile, ~/.guix-profile, points to
/var/guix/profiles/per-user/$USER.  Until now,
/var/guix/profiles/per-user was world-writable, allowing the ‘guix’
command to create the $USER sub-directory.

On a multi-user system, this allowed a malicious user to create and
populate that $USER sub-directory for another user that had not yet
logged in.  Since /var/…/$USER is in $PATH, the target user could end up
running attacker-provided code.


To upgrade the daemon on Guix System, run:

  guix pull
  sudo guix system reconfigure /etc/config.scm
  sudo herd restart guix-daemon

On other distros, run something along these lines:

  sudo guix pull
  sudo systemctl restart guix-daemon.service

Please report any issues you may have to address@hidden.

Ludo’, on behalf of the Guix team.
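
An added check, not part of the original advisory or of Guix: a read-only shell audit for the two conditions described above, a world-writable per-user directory and a $USER sub-directory owned by someone other than the user it is named after. It assumes GNU stat and find; the function name and the output labels are made up for this example.

```shell
#!/bin/sh
# Added example (not Guix code): audit the per-user profile directory.
# Assumes GNU coreutils `stat -c` and a find that supports -perm -MODE.

# audit_per_user [DIR]
# Prints one finding per line; returns 0 when clean, 1 on any finding.
# Call with no argument to check the default location.
audit_per_user() {
    dir=${1:-/var/guix/profiles/per-user}
    findings=0

    [ -d "$dir" ] || { echo "SKIP: $dir does not exist"; return 0; }

    # Condition 1: the parent directory is world-writable, so any local
    # user can create a sub-directory named after somebody else.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "WORLD-WRITABLE: $dir (mode $(stat -c %a "$dir"))"
        findings=1
    fi

    # Condition 2: an entry that is not owned by the user whose name it
    # bears. stat does not follow symlinks here, so a planted symlink is
    # reported with the owner of the link itself.
    for sub in "$dir"/*; do
        [ -e "$sub" ] || [ -L "$sub" ] || continue   # empty directory
        name=${sub##*/}
        owner=$(stat -c %U "$sub")
        if [ "$owner" != "$name" ]; then
            echo "OWNER-MISMATCH: $sub is owned by $owner, expected $name"
            findings=1
        fi
    done

    return "$findings"
}
```

An OWNER-MISMATCH line found after upgrading means the sub-directory was created before the fix by someone other than its named user and should be inspected before that user relies on the profile.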
