From 5d800cb9310fa2ab7464a7ace5906570429713ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Wed, 16 Oct 2019 12:16:20 +0200
Subject: [PATCH] news: Add entry for security issue with /var/guix/profiles/per-user.

* etc/news.scm: Add entry for security issue in multi-user setups.
---
 etc/news.scm | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/etc/news.scm b/etc/news.scm
index e19dec38dd..f165759aef 100644
--- a/etc/news.scm
+++ b/etc/news.scm
@@ -9,6 +9,28 @@
 (channel-news
 (version 0)
 
+ (entry (commit "81c580c8664bfeeb767e2c47ea343004e88223c7")
+ (title (en "Insecure @file{/var/guix/profiles/per-user} permissions"))
+ (body
+ (en "The default user profile, @file{~/.guix-profile}, points to
+@file{/var/guix/profiles/per-user/$USER}. Until now,
+@file{/var/guix/profiles/per-user} was world-writable, allowing the
+@command{guix} command to create the @code{$USER} sub-directory.
+
+On a multi-user system, this allowed a malicious user to create and populate
+that @code{$USER} sub-directory for another user that had not yet logged in.
+Since @code{/var/@dots{}/$USER} is in @code{$PATH}, the target user could end
+up running attacker-provided code. See
+@uref{https://issues.guix.gnu.org/issue/37744} for more information.
+
+This is now fixed by letting @command{guix-daemon} create these directories on
+behalf of users and removing the world-writable permissions on
+@code{per-user}. On multi-user systems, we recommend updating the daemon now.
+To do that, run @code{sudo guix pull} if you're on a foreign distro, or run
+@code{guix pull && sudo guix system reconfigure @dots{}} on Guix System. In
+both cases, make sure to restart the service afterwards, with @code{herd} or
+@code{systemctl}.")))
+
 (entry (commit "5f3f70391809f8791c55c05bd1646bc58508fa2c")
 (title (en "GNU C Library upgraded")
 (de "GNU-C-Bibliothek aktualisiert")