On Sat, 2021-04-03 at 18:26 +0200, Maxime Devos wrote: > A suggested blog post is attached. A revised blog post is attached.
The following points are currently _not_ addressed:
Ludovic Courtès wrote:
> Also… in this paragraph, it’s not entirely clear which user we’re
> talking about it. In news.scm, I reworded it like so:
> The attack can happen when @command{guix system reconfigure} is running.
> Running @command{guix system reconfigure} can trigger the creation of new
> user
> accounts if the configuration specifies new accounts. If a user whose
> account
> is being created manages to log in after the account has been created but
> before ``skeleton files'' copied to its home directory have the right
> ownership, they may, by creating an appropriately-named symbolic link in the
> home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
> root privileges.
>
> It may also be worth mentioning that the user is likely unable to log in
> at all at that point, as I wrote here:
I can't think of something along these lines to write at the moment ...
Greetings,
Maxime.
From 10b4528aac6cd9c0c341634b9f163f0a38ec4c6b Mon Sep 17 00:00:00 2001 From: Maxime Devos <[email protected]> Date: Sat, 3 Apr 2021 18:02:05 +0200 Subject: [PATCH] =?UTF-8?q?website:=20Add=20post=20about=20vulnerability?= =?UTF-8?q?=20in=20=E2=80=98copy-account-skeletons=E2=80=99.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * website/posts/home-symlink.md: New post. Co-authored-by: Ludovic Courtès <[email protected]> --- website/posts/home-symlink.md | 86 +++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 website/posts/home-symlink.md diff --git a/website/posts/home-symlink.md b/website/posts/home-symlink.md new file mode 100644 index 0000000..67f3053 --- /dev/null +++ b/website/posts/home-symlink.md @@ -0,0 +1,86 @@ +title: Risk of local privilege escalation in account creation +date: 2021-04-04 15:30 +author: Maxime Devos, Ludovic Courtès +tags: Security Advisory +--- + +A security vulnerability that can lead to local privilege +escalation has been found in the code that creates user accounts on Guix +System—Guix on other distros is unaffected. The system is only vulnerable +during the activation of non-system user accounts that do not already exist. + +This exploit is _not_ prevented by the Linux [protected +symlinks](https://sysctl-explorer.net/fs/protected_symlinks/) feature. + +# Vulnerability + +The attack consists of the user being logged in after the account +skeletons have been copied to the home directory, but before the +owner of the account skeletons have been set. The user then deletes +a copied account skeleton (e.g. `$HOME/.gdbinit`) and replaces +it with a symbolic link to a file not owned by the user, such as +`/etc/shadow`. + +The activation code then changes the ownership of the file the symbolic +link points to instead of the symbolic link itself. At that point, the +user has read-write access to the target file. + +# Fix + +This [bug](https://issues.guix.gnu.org/47584) has been +[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=2161820ebbbab62a5ce76c9101ebaec54dc61586). +See below for upgrade instructions. + +The fix consist of initially creating the home directory root-owned and only +changing the owner of the home directory once all skeletons have been copied +and their owner has been set. + +# Upgrading + +To upgrade the Guix System, run something like: + +``` +guix pull +sudo guix system reconfigure /run/current-system/configuration.scm +sudo reboot +``` + +As the user account activation code is run as a shepherd service, +the last step is required to make sure the fixed activation code +is run in the future. + +To avoid the vulnerability while upgrading the system, only declare +new user accounts in the configuration file after the Guix System +has been upgraded. + +# Conclusions + +Work is ongoing to support the `openat` family of POSIX functions in +Guile, which, when used, help address this class of vulnerabilities. + +This issue is tracked as +[bug #47584](https://issues.guix.gnu.org/47584); you can read the thread +for more information. + +Please report any issues you may have to +[`[email protected]`](https://guix.gnu.org/en/contact/). See the +[security web page](https://guix.gnu.org/en/security/) for information +on how to report security issues. + +#### About GNU Guix + +[GNU Guix](https://guix.gnu.org) is a transactional package manager and +an advanced distribution of the GNU system that [respects user +freedom](https://www.gnu.org/distros/free-system-distribution-guidelines.html). +Guix can be used on top of any system running the Hurd or the Linux +kernel, or it can be used as a standalone operating system distribution +for i686, x86_64, ARMv7, and AArch64 machines. + +In addition to standard package management features, Guix supports +transactional upgrades and roll-backs, unprivileged package management, +per-user profiles, and garbage collection. When used as a standalone +GNU/Linux distribution, Guix offers a declarative, stateless approach to +operating system configuration management. Guix is highly customizable +and hackable through [Guile](https://www.gnu.org/software/guile) +programming interfaces and extensions to the +[Scheme](http://schemers.org) language. -- 2.31.1
signature.asc
Description: This is a digitally signed message part
