GuixSD setuid-programs handling creates setuid binaries in the store

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Ludovic Courtès
Owner
unassigned
Submitted by
Ludovic Courtès
Severity
important

Debbugs page

L
L
Ludovic Courtès wrote on 8 Oct 2017 12:25
(address . bug-guix@gnu.org)
87h8v9cuhw.fsf@gnu.org
On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
create setuid-root binaries under /gnu/store for all the programs listed
under ‘setuid-programs’ in the ‘operating-system’ declaration.

‘activate-setuid-programs’ in (gnu build activation) does this:

(define (make-setuid-program prog)
(let ((target (string-append %setuid-directory
"/" (basename prog))))
(link-or-copy prog target)
(chown target 0 0)
(chmod target #o6555)))

which amounts to:

1. ln /gnu/store/…/bin/su /run/setuid-programs/su
2. chmod +s /run/setuid-programs/su

meaning that *both* ‘su’ files become setuid root.

This leads to setuid-root files in the store, which is a violation of a
fundamental assumption that setuid files cannot exist in the store.

Detailed announcement and fix coming.

Ludo’.
L
L
Ludovic Courtès wrote on 8 Oct 2017 12:32
control message for bug #28751
(address . control@debbugs.gnu.org)
87d15xcu6j.fsf@gnu.org
tags 28751 security
L
L
Ludovic Courtès wrote on 8 Oct 2017 12:32
(address . control@debbugs.gnu.org)
87bmlhcu6d.fsf@gnu.org
severity 28751 important
L
L
Ludovic Courtès wrote on 8 Oct 2017 12:32
Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
(address . 28751@debbugs.gnu.org)
877ew5cu56.fsf@gnu.org
ludo@gnu.org (Ludovic Courtès) skribis:

Toggle quote (4 lines)
> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> create setuid-root binaries under /gnu/store for all the programs listed
> under ‘setuid-programs’ in the ‘operating-system’ declaration.

L
L
Ludovic Courtès wrote on 8 Oct 2017 12:54
(address . 28751-done@debbugs.gnu.org)
87lgklbekx.fsf@gnu.org
ludo@gnu.org (Ludovic Courtès) skribis:

Toggle quote (9 lines)
> ludo@gnu.org (Ludovic Courtès) skribis:
>
>> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> create setuid-root binaries under /gnu/store for all the programs listed
>> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>
> Fixed by
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.

Closed
L
L
Leo Famulari wrote on 29 Dec 2017 14:59
(no subject)
(address . control@debbugs.gnu.org)
20171229225901.GA30273@jasmine.lan
unarchive 28751
L
L
Leo Famulari wrote on 29 Dec 2017 15:09
Re: bug#28751: GuixSD setuid-programs handling creates setuid binaries in the store
(address . 28751@debbugs.gnu.org)
20171229230953.GA10185@jasmine.lan
On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
Toggle quote (15 lines)
> ludo@gnu.org (Ludovic Courtès) skribis:
>
> > ludo@gnu.org (Ludovic Courtès) skribis:
> >
> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
> >> create setuid-root binaries under /gnu/store for all the programs listed
> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
> >
> > Fixed by
> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
>
> Detailed announcement at:
>
> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html

FYI, this was assigned CVE-2017-1000455.

I just received the attached JSON from the Distributed Weakness Filing
project (DWF) in response to my CVE application.

I assume it will show up in the regular places (MITRE etc) eventually.

Having thought about this bug for a while, I think it was not too bad in
practice. The setuid executable files could be copied or preserved
somehow by an attacker whether they were in the store or in
/run/setuid-programs.
{"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description":{"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt@seifried.org","REQUESTER": "leo@famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlpGyz0ACgkQJkb6MLrK
fwhVSw//ZoHQVXfDHM7kTxA2gVksbS285t2C3C4GgvCNRlFTsgyOGcsZyAiyWvUP
Gf9J2MXon6v7G/k6fSBjRyNWy5zs9Dmxxyis+I+e8LWQayyodlsOctmo0qzeul4m
QJPsX9HNuOAf5Xt1M35Wurl45+sMpDMSybQzB/gBmUc6/uCEx91qeVPYW8LnCVBs
B4/MpGAcrPxbGa04lviqWUv+BxpTtbsu2xFBeOqgHkms4oq/X0R4N59cJ57t/mAO
GwF61xF3xkiO3oTbCd2DOpsF9xafhInHlapfL/WpwWPr9vNvhkG7cR7//5JimXQ7
DgYDz3EKBU67WXOrwJ5W9ndEM/zteoPELXaySqc6h7Ool8NZeK2wtE6vfRREO8fK
tzjwUr2hOjH3kTKsmtRSyRL8aveRQDQ7EFJSDy8XoE25Iknkbh4qtykH91hbr1Rj
yez7gmJ9dGHcLioOEYPyGUezUzldEzJDiDXLPGIfDikZd9wB1szdOna6Qv9aMvNl
PP7T2kjZWLhG+k9b7GrM90VMPPjIbQ4gCacOGYk9SvZSPec14/ue/Uaq6dpBImia
Sx1FxjA4eK4PyQ2MBFXaaF3XgjcMVEXNG+tomhY7sD6bagGkz3xieysaWY5aAUFP
vgHULhueAe8DNQ6rL7nx05qxny9BJHXogcKtwxWMejfFVtslsVk=
=mufO
-----END PGP SIGNATURE-----


L
L
Ludovic Courtès wrote on 29 Dec 2017 16:28
(name . Leo Famulari)(address . leo@famulari.name)(address . 28751@debbugs.gnu.org)
87o9mh2h5y.fsf@gnu.org
Leo Famulari <leo@famulari.name> skribis:

Toggle quote (24 lines)
> On Sun, Oct 08, 2017 at 09:54:22PM +0200, Ludovic Courtès wrote:
>> ludo@gnu.org (Ludovic Courtès) skribis:
>> > ludo@gnu.org (Ludovic Courtès) skribis:
>> >
>> >> On GuixSD, ‘activate-setuid-programs’ in (gnu build activation) would
>> >> create setuid-root binaries under /gnu/store for all the programs listed
>> >> under ‘setuid-programs’ in the ‘operating-system’ declaration.
>> >
>> > Fixed by
>> > <https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d>.
>>
>> Detailed announcement at:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
>
> FYI, this was assigned CVE-2017-1000455.
>
> I just received this JSON from the Distributed Weakness Filing project
> (DWF) in response to my CVE application:
>
> {"data_version": "4.0","references": {"reference_data": [{"url": "https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html"}]},"description": {"description_data": [{"lang": "eng","value": "GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d used POSIX hard links incorrectly, leading the creation of setuid executables in \"the store\", violating a fundamental security assumption of GNU Guix."}]},"data_type": "CVE","affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions of GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"}]},"product_name": "GuixSD"}]},"vendor_name": "GNU Guix"}]}},"CVE_data_meta": {"DATE_ASSIGNED": "2017-12-29","ID": "CVE-2017-1000455","ASSIGNER": "kurt@seifried.org","REQUESTER": "leo@famulari.name"},"data_format": "MITRE","problemtype": {"problemtype_data": [{"description": [{"lang": "eng","value": "Insecure Permissions"}]}]}}
>
> I assume it will show up in the regular places (MITRE etc) eventually.

Great, thanks for following up!

Ludo’.
?
Your comment

This issue is archived.

To comment on this conversation send an email to 28751@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 28751
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch