[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

From: Tobias Geerinckx-Rice
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Mon, 14 Oct 2019 13:53:35 +0200


Thanks for your report :-p

The 1777 is obviously very bad, no question.  However: question:

Ludovic Courtès 写道:
I don’t see how to let the daemon create ‘per-user/$USER’ on behalf of the client for clients connecting over TCP. Or we’d need to add a
challenge mechanism or authentication.

I need more cluebat please: say I'm an attacker and connect to your daemon (over TCP, why not), asking it to create an empty ‘per-user/ludo’.

Assuming the daemon creates it with sane permissions (say 0755) & without any race conditions, what's my evil plan now?

Kind regards,


Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]