[Security Advisory] Risk of local privilege escalation via setuid programs


From: Ludovic Courtès
Subject: [Security Advisory] Risk of local privilege escalation via setuid programs
Date: Wed, 10 Feb 2021 12:00:37 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

On Guix System, setuid programs were, until now, installed as
setuid-root _and_ setgid-root (in the /run/setuid-programs directory).
However, most of these programs are meant to run as setuid-root, but not
setgid-root.  Thus, this setting posed a risk of local privilege
escalation (users of Guix on a “foreign distro” are unaffected).

This bug has been fixed¹ and users are advised to upgrade their system,
with commands along the lines of:

  guix pull
  sudo guix system reconfigure /run/current-system/configuration.scm
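As an added check that is not part of this advisory or of Guix itself, the following POSIX shell script lists programs under /run/setuid-programs (or any directory given as argument) that carry both the setuid and the setgid bit, which is exactly the layout an upgraded system should no longer show:

```shell
#!/bin/sh
# Added example, not code from the advisory: find programs that are BOTH
# setuid (04000) and setgid (02000), the over-privileged layout that
# /run/setuid-programs had before the fix described above.

# list_setuid_setgid DIR: print an 'ls -l' line for every regular file under
# DIR that is setuid AND setgid.  '-perm -6000' requires all of those bits
# to be set, so a plain setuid-root file (mode 4555) is not listed.
list_setuid_setgid() {
    find "$1" -type f -perm -6000 -exec ls -l {} \; 2>/dev/null
}

# count_setuid_setgid DIR: number of such files, printed on stdout.
count_setuid_setgid() {
    list_setuid_setgid "$1" | wc -l | tr -d ' '
}

# check_setuid_setgid [DIR]: human-readable report.  Returns 1 when at
# least one setuid+setgid file is found, 0 when the directory is clean.
# DIR defaults to Guix System's /run/setuid-programs.
check_setuid_setgid() {
    dir="${1:-/run/setuid-programs}"
    n=$(count_setuid_setgid "$dir")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n setuid+setgid program(s) under $dir:"
        list_setuid_setgid "$dir"
        return 1
    fi
    echo "OK: no setuid+setgid programs under $dir"
    return 0
}

# Usage from an interactive shell, after 'guix system reconfigure':
#   . ./setuid-check.sh && check_setuid_setgid
```

A non-zero exit status after the upgrade means the running system still has the pre-fix layout and has not yet been reconfigured (or rebooted into the new generation).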

This issue is tracked at <https://issues.guix.gnu.org/46395>; you can
read the thread for more information.  There is no known exploitation of
this issue to date.  Many thanks to Duncan Overbruck for reporting it.

Please report any issues you may have to <guix-devel@gnu.org>.  See the
security web page² for information on how to report security issues.

Ludovic.

¹ https://git.savannah.gnu.org/cgit/guix.git/commit/?id=aa8de806252e3835d57fab351b02d13db762deac
² https://guix.gnu.org/en/security/
