From: Ludovic Courtès
Subject: [Security Advisory] Risk of local privilege escalation via setuid programs
Date: Wed, 10 Feb 2021 12:00:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

On Guix System, setuid programs were, until now, installed as
setuid-root _and_ setgid-root (in the /run/setuid-programs directory).
However, most of these programs are meant to run as setuid-root, but not
setgid-root. Thus, this setting posed a risk of local privilege
escalation (users of Guix on a “foreign distro” are unaffected).

This bug has been fixed¹ and users are advised to upgrade their system,
with commands along the lines of:

  guix pull
  sudo guix system reconfigure /run/current-system/configuration.scm

This issue is tracked at <https://issues.guix.gnu.org/46395>; you can
read the thread for more information. There is no known exploitation of
this issue to date. Many thanks to Duncan Overbruck for reporting it.

Please report any issues you may have to <guix-devel@gnu.org>. See the
security web page² for information on how to report security issues.

Ludovic.

¹ https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aa8de806252e3835d57fab351b02d13db762deac
² https://guix.gnu.org/en/security/
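
A check an administrator could run before and after reconfiguring, added here as an example (it is not part of the advisory or of Guix): it lists the regular files in a directory such as /run/setuid-programs and flags those carrying both the setuid and setgid bits. It assumes GNU `stat`; the function names `classify_mode` and `audit_dir` are made up for this example.

```shell
#!/bin/sh
# Added example, not Guix code. Assumes GNU coreutils `stat -c`.

# classify_mode OCTAL
# Prints "setuid+setgid", "setuid", "setgid" or "none" for a mode
# string as printed by `stat -c %a` (e.g. 6755, 4755, 755).
classify_mode() {
    mode=$1
    # The special bits are the fourth octal digit from the right.
    case ${#mode} in
        4) special=${mode%???} ;;
        *) special=0 ;;
    esac
    case $special in
        6|7) echo "setuid+setgid" ;;
        4|5) echo "setuid" ;;
        2|3) echo "setgid" ;;
        *)   echo "none" ;;
    esac
}

# audit_dir [DIR]
# Prints one line per regular file in DIR:
#   <class> <mode> <owner>:<group> <path>
# Returns 1 if any file carries both setuid and setgid, else 0.
audit_dir() {
    dir=${1:-/run/setuid-programs}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Split "mode owner group" into $1 $2 $3.
        set -- $(stat -c '%a %U %G' "$f")
        class=$(classify_mode "$1")
        printf '%s %s %s:%s %s\n' "$class" "$1" "$2" "$3" "$f"
        if [ "$class" = "setuid+setgid" ]; then
            found=1
        fi
    done
    return $found
}

# Usage: audit_dir /run/setuid-programs
```

Whether a particular program is meant to be setgid is for the administrator to judge; the script only reports which files carry both bits.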