Hi Maxime,

Maxime Devos <[email protected]> wrote:

> On Mon, 2021-04-05 at 21:54 +0200, Ludovic Courtès wrote:
>> [...]
>>
>> OK. It does mean that the bug is hardly exploitable in practice: you
>> have to be able to log in at all,
>
> Yes.
>
>> and if you’re able to log in, you have
>> to log in precisely within the 1s (or less) that follows account
>> creation, which sounds challenging (TCP + SSH connection establishment
>> is likely to take as much time or more,
>
> Is logging in possible when the home directory doesn't exist? I think so.
> An attacker could copy and paste, or have used a single-character password,
> to save some time.

Hmm yes. It’s a bit far-fetched though: the attacker would have passed
the sysadmin the output of the ‘crypt’ procedure, such that the sysadmin
cannot know the password length.

>> Does it warrant as strong messaging as for the recent daemon
>> ‘--keep-failed’ vulnerability?
>
> As it is a one-time chance, with a limited window, and only under specific
> circumstances (creating a new user account), I don't think so. But I would
> still recommend to upgrade.

Does the blog post have ‘too strong messaging’?

The blog post and info-guix messages are the highest levels of visibility
we can give, roughly. So I think we have to think twice before doing that
or truly important issues will eventually go unnoticed.

The risk with this issue seems much lower than that of the keep-failed
issue, it even looks super low.

WDYT?

Ludo’.
