bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

Tue, 15 Oct 2019 07:50:41 -0700 

Ludo',

Thanks for your answer.

Ludovic Courtès 写道:
I need more cluebat please: say I'm an attacker and connect to your 
daemon (over TCP, why not), asking it to create an empty
‘per-user/ludo’.
You wouldn’t be able to do that because over TCP because the daemon 
can’t tell what user you are.


No, I ask it nicely: ‘hullo daemon, I'm, er, "ludo"’.
Of course the remote daemon doesn't trust me beyond pre-creating an empty per-user directory owned by the local "ludo" user only if such a user exists. It doesn't even report succes or failure to avoid leaking valid user names.
You already trust the network not to DoS you with webkitgtks, how does this new step decrease security? 

Sure, it bumps the protocol version; I'm aware of that.


It’s meant for cluster setups where you have one
head node that clients connect to from remote nodes.
And likely some kind of centralised user management so it's not unreasonable to handle this differently/manually. 

Kind regards,

T G-R

Attachment: signature.asc
Description: PGP signature

  • bug#37744: Per-user pro... Ludovic Courtès
    • bug#37744: Per-use... Ludovic Courtès
      • bug#37744: Per... Tobias Geerinckx-Rice via Bug reports for GNU Guix
        • bug#37744:... Maxim Cournoyer
        • bug#37744:... Ludovic Courtès
          • bug#37... Tobias Geerinckx-Rice via Bug reports for GNU Guix
            • b... Ludovic Courtès
              • ... Ludovic Courtès
                • ... Ludovic Courtès
                • ... pelzflorian (Florian Pelz)
                • ... Tobias Geerinckx-Rice via Bug reports for GNU Guix
                • ... pelzflorian (Florian Pelz)
                • ... Tobias Geerinckx-Rice via Bug reports for GNU Guix
                • ... Ludovic Courtès
                • ... Tobias Geerinckx-Rice via Bug reports for GNU Guix
                • ... Tobias Geerinckx-Rice via Bug reports for GNU Guix

Reply via email to