GNU bug report logs - #28751
GuixSD setuid-programs handling creates setuid binaries in the store

Previous Next

Package: guix;

Reported by: ludo <at> gnu.org (Ludovic Courtès)

Date: Sun, 8 Oct 2017 19:26:01 UTC

Severity: important

Tags: security

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 28751 in the body.
You can then email your comments to 28751 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#28751; Package guix. (Sun, 08 Oct 2017 19:26:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to ludo <at> gnu.org (Ludovic Courtès):
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 08 Oct 2017 19:26:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: bug-guix <at> gnu.org
Subject: GuixSD setuid-programs handling creates setuid binaries in the store
Date: Sun, 08 Oct 2017 21:25:15 +0200
On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

‘activate-setuid-programs’ in (gnu build activation) does this:

  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
      (link-or-copy prog target)
      (chown target 0 0)
      (chmod target #o6555)))

which amounts to:

  1. ln /gnu/store/…/bin/su /run/setuid-programs/su
  2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.




Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 08 Oct 2017 19:33:02 GMT) Full text and rfc822 format available.

Severity set to 'important' from 'normal' Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Sun, 08 Oct 2017 19:33:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#28751; Package guix. (Sun, 08 Oct 2017 19:34:01 GMT) Full text and rfc822 format available.

Message #12 received at 28751 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: 28751 <at> debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid
 binaries in the store
Date: Sun, 08 Oct 2017 21:32:53 +0200
ludo <at> gnu.org (Ludovic Courtès) skribis:

> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> create setuid-root binaries under /gnu/store for all the programs listed
> under ‘setuid-programs’ in the ‘operating-system’ declaration.

Fixed by
<https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.

Ludo’.




Reply sent to ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility. (Sun, 08 Oct 2017 19:55:02 GMT) Full text and rfc822 format available.

Notification sent to ludo <at> gnu.org (Ludovic Courtès):
bug acknowledged by developer. (Sun, 08 Oct 2017 19:55:02 GMT) Full text and rfc822 format available.

Message #17 received at 28751-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: 28751-done <at> debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid
 binaries in the store
Date: Sun, 08 Oct 2017 21:54:22 +0200
ludo <at> gnu.org (Ludovic Courtès) skribis:

> ludo <at> gnu.org (Ludovic Courtès) skribis:
>
>> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> create setuid-root binaries under /gnu/store for all the programs listed
>> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>
> Fixed by
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.

Detailed announcement at:

  https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 06 Nov 2017 12:24:05 GMT) Full text and rfc822 format available.

bug unarchived. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Fri, 29 Dec 2017 23:00:02 GMT) Full text and rfc822 format available.

Information forwarded to bug-guix <at> gnu.org:
bug#28751; Package guix. (Fri, 29 Dec 2017 23:10:01 GMT) Full text and rfc822 format available.

Message #24 received at 28751 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: 28751 <at> debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid
 binaries in the store
Date: Fri, 29 Dec 2017 18:09:53 -0500
[Message part 1 (text/plain, inline)]
On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
> ludo <at> gnu.org (Ludovic Courtès) skribis:
> 
> > ludo <at> gnu.org (Ludovic Courtès) skribis:
> >
> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> >> create setuid-root binaries under /gnu/store for all the programs listed
> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
> >
> > Fixed by
> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
> 
> Detailed announcement at:
> 
>   https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

FYI, this was assigned CVE-2017-1000455.

I just received the attached JSON from the Distributed Weakness Filing
project (DWF) in response to my CVE application.

I assume it will show up in the regular places (MITRE etc) eventually.

Having thought about this bug for a while, I think it was not too bad in
practice. The setuid executable files could be copied or preserved
somehow by an attacker whether they were in the store or in
/run/setuid-programs.
[CVE-2017-1000455.json (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#28751; Package guix. (Sat, 30 Dec 2017 00:29:01 GMT) Full text and rfc822 format available.

Message #27 received at 28751 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 28751 <at> debbugs.gnu.org
Subject: Re: bug#28751: GuixSD setuid-programs handling creates setuid
 binaries in the store
Date: Sat, 30 Dec 2017 01:28:09 +0100
Leo Famulari <leo <at> famulari.name> skribis:

> On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
>> ludo <at> gnu.org (Ludovic Courtès) skribis:
>> > ludo <at> gnu.org (Ludovic Courtès) skribis:
>> >
>> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> >> create setuid-root binaries under /gnu/store for all the programs listed
>> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>> >
>> > Fixed by
>> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
>> 
>> Detailed announcement at:
>> 
>>   https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
>
> FYI, this was assigned CVE-2017-1000455.
>
> I just received this JSON from the Distributed Weakness Filing project
> (DWF) in response to my CVE application:
>
> {"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description": {"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt <at> seifried.org","REQUESTER": "leo <at> famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
>
> I assume it will show up in the regular places (MITRE etc) eventually.

Great, thanks for following up!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 27 Jan 2018 12:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 6 years and 61 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.