[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
04/07: news: Add entry for security issue with /var/guix/profiles/per-us
|
From: |
guix-commits |
|
Subject: |
04/07: news: Add entry for security issue with /var/guix/profiles/per-user. |
|
Date: |
Wed, 16 Oct 2019 17:06:47 -0400 (EDT) |
civodul pushed a commit to branch master
in repository guix.
commit 5d800cb9310fa2ab7464a7ace5906570429713ea
Author: Ludovic Courtès <address@hidden>
Date: Wed Oct 16 12:16:20 2019 +0200
news: Add entry for security issue with /var/guix/profiles/per-user.
* etc/news.scm: Add entry for security issue in multi-user setups.
---
etc/news.scm | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/etc/news.scm b/etc/news.scm
index e19dec3..f165759 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -9,6 +9,28 @@
(channel-news
(version 0)
+ (entry (commit "81c580c8664bfeeb767e2c47ea343004e88223c7")
+ (title (en "Insecure @file{/var/guix/profiles/per-user} permissions"))
+ (body
+ (en "The default user profile, @file{~/.guix-profile}, points to
+@file{/var/guix/profiles/per-user/$USER}. Until now,
+@file{/var/guix/profiles/per-user} was world-writable, allowing the
+@command{guix} command to create the @code{$USER} sub-directory.
+
+On a multi-user system, this allowed a malicious user to create and populate
+that @code{$USER} sub-directory for another user that had not yet logged in.
+Since @code{/var/@dots{}/$USER} is in @code{$PATH}, the target user could end
+up running attacker-provided code. See
+@uref{https://issues.guix.gnu.org/issue/37744} for more information.
+
+This is now fixed by letting @command{guix-daemon} create these directories on
+behalf of users and removing the world-writable permissions on
+@code{per-user}. On multi-user systems, we recommend updating the daemon now.
+To do that, run @code{sudo guix pull} if you're on a foreign distro, or run
+@code{guix pull && sudo guix system reconfigure @dots{}} on Guix System. In
+both cases, make sure to restart the service afterwards, with @code{herd} or
+@code{systemctl}.")))
+
(entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c")
(title (en "GNU C Library upgraded")
(de "GNU-C-Bibliothek aktualisiert")
- branch master updated (65ecf3a -> f63e493), guix-commits, 2019/10/16
- 02/07: build: Remove references to 'NIX_LOCALSTATE_DIR'., guix-commits, 2019/10/16
- 01/07: daemon: Remove traces of 'NIX_ROOT_FINDER'., guix-commits, 2019/10/16
- 03/07: daemon: Make 'profiles/per-user' non-world-writable., guix-commits, 2019/10/16
- 04/07: news: Add entry for security issue with /var/guix/profiles/per-user.,
guix-commits <=
- 06/07: news: Add 'fr' translation., guix-commits, 2019/10/16
- 07/07: news: Add 'de' translation., guix-commits, 2019/10/16
- 05/07: news: Add 'nl' translation., guix-commits, 2019/10/16