ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2025-01-12 14:16:55 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
guix/gnu/build
History
Maxime Devos 520bac7ed0
services: Prevent following symlinks during activation. 
This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files.  However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.

Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>

* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
  (%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2021-03-10 18:01:47 +01:00
..
accounts.scm
activation.scm services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
bootloader.scm system: reconfigure: Use the disk-installer if provided. 2020-11-03 07:59:59 +01:00
chromium-extension.scm Add (gnu build chromium-extension). 2020-11-08 18:21:15 +01:00
cross-toolchain.scm
file-systems.scm file-systems: 'mount-file-system' preserves source flags for bind mounts. 2021-02-25 11:29:35 +01:00
hurd-boot.scm hurd-boot: Set /hurd/magic on /dev/fd. 2020-10-14 15:22:55 +02:00
image.scm database: Remove #:deduplicate? from 'register-items'. 2020-12-15 17:32:11 +01:00
install.scm store-copy: 'populate-store' can optionally deduplicate files. 2020-12-15 17:32:10 +01:00
linux-boot.scm linux-boot: Fix noresume argument parsing. 2020-12-17 23:01:23 +01:00
linux-container.scm Revert "linux-container: Correct test for unprivileged user namespace support." 2020-12-06 21:55:18 +01:00
linux-initrd.scm store-copy: 'populate-store' can optionally deduplicate files. 2020-12-15 17:32:10 +01:00
linux-modules.scm linux-libre: Support module compression. 2020-08-25 11:53:20 +02:00
locale.scm
marionette.scm
secret-service.scm secret-service: Add proper logging procedure and log to syslog. 2020-09-29 21:56:27 +02:00
shepherd.scm shepherd: Remove dependency on (guix utils). 2020-11-05 16:13:50 +01:00
svg.scm
vm.scm database: Remove #:deduplicate? from 'register-items'. 2020-12-15 17:32:11 +01:00