bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

[Tobias Geerinckx-Rice]

Ludo',

Thanks for your report :-p

The 1777 is obviously very bad, no question.  However: question:

Ludovic Courtès 写道：
> I don’t see how to let the daemon create ‘per-user/$USER’ on 
> behalf of
> the client for clients connecting over TCP.  Or we’d need to add 
> a
> challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to 
your daemon (over TCP, why not), asking it to create an empty 
‘per-user/ludo’.

Assuming the daemon creates it with sane permissions (say 0755) & 
without any race conditions, what's my evil plan now?

Kind regards,

T G-R

signature.asc
Description: PGP signature