Maxime Devos <[email protected]> skribis:
> +The attack consists of the user being logged in after the account
> +skeletons have been copied to the home directory, but before the
> +owner of the account skeletons have been set. The user then deletes
> +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces
> +it with a symbolic link to a file not owned by the user, such as
> +`/etc/shadow`.
Also… in this paragraph, it’s not entirely clear which user we’re
talking about it. In news.scm, I reworded it like so:
The attack can happen when @command{guix system reconfigure} is running.
Running @command{guix system reconfigure} can trigger the creation of new user
accounts if the configuration specifies new accounts. If a user whose account
is being created manages to log in after the account has been created but
before ``skeleton files'' copied to its home directory have the right
ownership, they may, by creating an appropriately-named symbolic link in the
home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
root privileges.
It may also be worth mentioning that the user is likely unable to log in
at all at that point, as I wrote here:
https://issues.guix.gnu.org/47584#6
WDYT?
Ludo’.
