guix-commits
02/02: website: keep-failed: Tweak and publish.


From: Ludovic Courtès
Subject: 02/02: website: keep-failed: Tweak and publish.
Date: Thu, 18 Mar 2021 07:49:00 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix-artwork.

commit d8b4bcaecb6620d8bb722b745b98baba27492669
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Mar 18 12:48:33 2021 +0100

    website: keep-failed: Tweak and publish.
    
    * website/posts/keep-failed.md: Tweak and add links.
---
 website/posts/keep-failed.md | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

diff --git a/website/posts/keep-failed.md b/website/posts/keep-failed.md
index b795556..14d451b 100644
--- a/website/posts/keep-failed.md
+++ b/website/posts/keep-failed.md
@@ -1,5 +1,5 @@
 title: Risk of local privilege escalation via guix-daemon
-date: 2021-03-18 08:00
+date: 2021-03-18 13:00
 author: Ludovic Courtès and Leo Famulari
 tags: Security Advisory
 ---
@@ -9,12 +9,14 @@ found in the
 
[guix-daemon](https://guix.gnu.org/manual/en/html_node/Invoking-guix_002ddaemon.html).
 It affects multi-user setups in which `guix-daemon` runs locally.
 
-It does not affect multi-user setups where `guix-daemon` runs on a separate
-machine and is accessed over the network via `GUIX_DAEMON_SOCKET`, as is
-customary on cluster setups.  Machines where the Linux [protected
-hardlinks](https://sysctl-explorer.net/fs/protected_hardlinks/) feature is
-enabled, which is common, are also unaffected — this is the case when the
-contents of `/proc/sys/fs/protected_hardlinks` are `1`.
+It does _not_ affect multi-user setups where `guix-daemon` runs on a
+separate machine and is accessed over the network via
+`GUIX_DAEMON_SOCKET`, as is customary on [cluster
+setups](https://hpc.guix.info/blog/2017/11/installing-guix-on-a-cluster/).
+Machines where the Linux [protected
+hardlinks](https://sysctl-explorer.net/fs/protected_hardlinks/) feature
+is enabled, which is common, are also unaffected — this is the case when
+the contents of `/proc/sys/fs/protected_hardlinks` are `1`.
 
 # Vulnerability
 
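Review bot: the "unaffected" condition on the `protected_hardlinks` sysctl is stated only as a file content, which leaves admins to work out how to check it; the wording added on lines `+Machines where the Linux [protected` through `+the contents of `/proc/sys/fs/protected_hardlinks` are `1`.` would be more actionable with the one-line check spelled out, e.g. "run `sysctl fs.protected_hardlinks`; if it prints `fs.protected_hardlinks = 1`, the system is not affected". The new cluster-setup link is a good addition, since the `GUIX_DAEMON_SOCKET` exemption is otherwise easy to misread as applying to any multi-user host.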
@@ -28,21 +30,22 @@ to the target file.
 
 # Fix
 
-This [bug](https://issues.guix.gnu.org/XXX) has been
-[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=XXX).
+This [bug](https://issues.guix.gnu.org/47229) has been
+[fixed](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf).
+See below for upgrade instructions.
 
-The fix consists in adding a root-owned "wrapper" directory in which the build
+The fix consists in adding a root-owned “wrapper†directory in which the build
 directory itself is located.  If the user passed the `--keep-failed` option and
 the build fails, the `guix-daemon` first changes ownership of the build
 directory, and then, in two stages, moves the build directory into the location
 where users expect to find failed builds, roughly like this:
 
-1. chown -R USER /tmp/guix-build-foo.drv-0/top
-2. mv /tmp/guix-build-foo.drv-0{,.pivot}
-3. mv /tmp/guix-build-foo.drv-0.pivot/top /tmp/guix-build-foo.drv-0
+1. `chown -R USER /tmp/guix-build-foo.drv-0/top`
+2. `mv /tmp/guix-build-foo.drv-0{,.pivot}`
+3. `mv /tmp/guix-build-foo.drv-0.pivot/top /tmp/guix-build-foo.drv-0`
 
 In step #1, `/tmp/guix-build-foo.drv-0` remains root-owned, with permissions of
-`#o700`.  Thus, only root can change dir into it or into "top".  Likewise in
+`#o700`.  Thus, only root can change directory into it or into `top`.  
Likewise in
 step #2.
 
 The build tree becomes accessible to the user once step #3 has succeeded, not
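Review bot: the line `+The fix consists in adding a root-owned “wrapper†directory in which the build` replaces the ASCII quotes with typographic ones, and the closing quote shows up as a mangled byte sequence in this rendering, which suggests the file was not saved consistently as UTF-8 (or the curly quote was pasted from a different encoding); either keep plain ASCII quotes, as the removed line had, or verify the file encoding before publishing. The rest of the hunk is an improvement: wrapping the three steps in backticks and writing `top` as code makes the `chown`/`mv` sequence read unambiguously, and "change directory" is clearer than "change dir".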
@@ -53,7 +56,7 @@ running.
 
 On multi-user systems, we recommend upgrading the `guix-daemon` now.
 
-To upgrade the daemon on Guix System, run:
+To upgrade the daemon on Guix System, run something like:
 
 ```
 guix pull
@@ -66,11 +69,11 @@ On other distros, use something like this:
 ```
 sudo --login guix pull
 sudo systemctl restart guix-daemon.service
-
 ```
+
 # Conclusions
 
-One of the flagship features of GNU Guix is enable unprivileged package
+One of the flagship features of GNU Guix is enable unprivileged package
 management, which includes building packages.  Building occurs in an [isolated
 build 
environment](https://guix.gnu.org/manual/en/html_node/Build-Environment-Setup.html).
 This environment is isolated from the rest of the system not only to control 
the
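Review bot: the `-`/`+` pair for "One of the flagship features of GNU Guix is enable unprivileged package" is visually identical, so this looks like a whitespace-only change, and the grammatical slip survives it; since the line is being touched anyway, change "is enable" to "is to enable". Moving the stray blank line from inside the fenced block to after the closing ``` is correct and keeps the `sudo --login guix pull` / `sudo systemctl restart guix-daemon.service` snippet rendering cleanly before the "# Conclusions" heading.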
@@ -81,8 +84,9 @@ but also to protect the system from package build scripts.
 Despite our best efforts, there is always the possibility that we have
 overlooked something, as in this case.
 
-This issue is tracked as [bug#XXX](https://issues.guix.gnu.org/XXX); you can
-read the thread for more information.
+This issue is tracked as
+[bug #47229](https://issues.guix.gnu.org/47229); you can read the thread
+for more information.
 
 We are grateful to Nathan Nye of WhiteBeam Security for reporting this bug.
 