dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

guix: build user takeover patch

Browse Source 
guix has recently announced a security vulnerability that allows
local users to gain priveleges of build users, and further manipulate
output of any build (including with setguid).

This commit fixes the issue by backporting the remediation commits pushed to
guix main to 1.4.0 as a patch.

Users will still have to reboot and follow other remediation steps as
described in the guix blogpost.

Refs: https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/
Signed-off-by: Christina Sørensen <christina@cafkafk.com>
This commit is contained in:
Christina Sørensen 2024-10-27 13:57:29 +01:00
parent 42fee36c0b
commit 633a3b8f19
No known key found for this signature in database
GPG Key ID: 26C542FD97F965CE
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch Normal file
View File

@ -0,0 +1,42 @@
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index c5383bc..50d1abc 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
Path actualPath = path;
if (useChroot) {
actualPath = chrootRootDir + path;
- if (pathExists(actualPath)) {
- /* Move output paths from the chroot to the store. */
- if (buildMode == bmRepair)
- replaceValidPath(path, actualPath);
- else
- if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
- throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
- }
- if (buildMode != bmCheck) actualPath = path;
} else {
Path redirected = redirectedOutputs[path];
if (buildMode == bmRepair
@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
something like that. */
canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
+ if (useChroot) {
+ if (pathExists(actualPath)) {
+ /* Now that output paths have been canonicalized (in particular
+ there are no setuid files left), move them outside of the
+ chroot and to the store. */
+ if (buildMode == bmRepair)
+ replaceValidPath(path, actualPath);
+ else
+ if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+ throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+ }
+ if (buildMode != bmCheck) actualPath = path;
+ }
+
+
/* FIXME: this is in-memory. */
StringSink sink;
dumpPath(actualPath, sink);

3
pkgs/by-name/gu/guix/package.nix
View File

@ -57,6 +57,9 @@ stdenv.mkDerivation rec {
url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42"; url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao="; hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
}) })
# manual port of build user takeover remediation commit
# see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
./guix-build-user-takeover-fix.patch
]; ];
postPatch = '' postPatch = ''