Please accept my apologies: I spelled *Linus Heckemann*'s name wrong by accidentally sending a different version to nix-dev than I sent to nix-security-announce. Below is the correct advisory.

Thank you again, Linus.

Nix Security Advisory NIX-2017-0002
2017-06-15
---------------------

Users can modify / interfere with builds by other users

Description
===========

In multi-user Nix installations, to ensure that builds by unprivileged users cannot interfere with each other, Nix performs builds under so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user. Only one build can run under a given build user at a time, and all processes running under that build user are killed before and after the build.

However, the invariant that no other processes run under a given build user can be violated through the creation of setuid executables. The Nix store does not permit setuid executables, and Nix removes setuid/setgid bits after builds complete. This protection, however, does not prevent setuid binaries from being created or existing during a build. These setuid binaries are owned by a Nix build user (nixbld1, nixbld2, ...). Nix build directories are world readable during a build, and it is possible for a malicious user to execute the setuid binary before the build completes. Additionally, if --keep-failed is used, the setuid binary is allowed to remain in the directory of the retained failed build.

Impact
======

A malicious user can create setuid binaries owned by a Nix build user, allowing the attacker to interfere with subsequent builds by the same UID. Interference may include causing failures, injecting impurities, or completely replacing a build with malicious output.

Vulnerable Systems
==================

All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.
Channel                First Non-Vulnerable Version
-------                ----------------------------
nixos-17.03            nixos-17.03.1316.412b0a17aa
nixos-17.03-small      nixos-17.03.1303.74a1ea1f89
nixos-unstable-small   nixos-17.09pre108957.0bffe03828
nixos-unstable         not yet released
nixpkgs-unstable       not yet released

Mitigation
==========

Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or later.

Resolution
==========

Nix now prevents builders from creating setuid and setgid binaries. On Linux, this is done using a seccomp BPF filter. Using seccomp, we now also prevent the creation of extended attributes and POSIX ACLs since these cannot be represented in the NAR format and (in the case of POSIX ACLs) allow bypassing regular Nix store permissions. On macOS, the restriction is implemented using the existing sandbox mechanism, which now uses a minimal "allow all except the creation of setuid/setgid binaries" profile when regular sandboxing is disabled. On other platforms, the "build user" mechanism is now disabled.

Thank You
=========

This issue was discovered and appropriately reported by Linus Heckemann on 2017-05-27 through the NixOS Security Team - https://nixos.org/nixos/security.html.
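The Linux part of the Resolution above, as an added illustration that is not Nix's own code: a seccomp BPF filter written against the raw kernel interface that returns EPERM for chmod/fchmod/fchmodat calls whose mode carries S_ISUID or S_ISGID and ENOTSUP for the setxattr family, plus a self-check that installs it and verifies the behaviour. It assumes a little-endian x86_64 or aarch64 Linux host; the function names and the temporary file path are my own choices.

```c
#define _GNU_SOURCE                 /* for mkstemp */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
/* argidx: index of the mode argument (1 for chmod/fchmod, 2 for fchmodat); low 32 bits. */
#define DENY_SETID_MODE(nr, argidx) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 5),   /* other syscall: skip this rule */ \
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[argidx])), \
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, S_ISUID | S_ISGID), \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0, 0, 1),      /* no setid bits -> allow */ \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#define CHMOD_RULE                                 /* aarch64 has no chmod(2), only fchmodat */
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#define CHMOD_RULE DENY_SETID_MODE(__NR_chmod, 1),
#endif
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign ABI: syscall numbers differ */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    CHMOD_RULE
    DENY_SETID_MODE(__NR_fchmod, 1),
    DENY_SETID_MODE(__NR_fchmodat, 2),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setxattr, 2, 0),   /* xattrs/ACLs have no NAR */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_lsetxattr, 1, 0),  /* representation: refuse */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fsetxattr, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOTSUP),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                /* everything else */
};
int install_no_setid_filter(void) {            /* irreversible; inherited across fork/exec */
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* 1 when a setuid chmod is refused with EPERM while a plain chmod still succeeds. */
int demo_filter_blocks_setuid(void) {
    char path[] = "/tmp/setid-demo-XXXXXX"; int fd = mkstemp(path);   /* constructed scratch file */
    if (fd < 0 || install_no_setid_filter() != 0) return -1;
    int ok = fchmod(fd, S_ISUID | 0755) == -1 && errno == EPERM && fchmod(fd, 0755) == 0;
    close(fd); unlink(path); return ok;
}
```

A builder supervisor would call install_no_setid_filter() in the child after fork and before exec, so the filter covers everything the build runs.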