[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)

From: Julien Lepiller
Subject: bug#37744: Per-user profile directory hijack (CVE-2019-17365 for Nix)
Date: Wed, 16 Oct 2019 18:28:08 +0200
User-agent: K-9 Mail for Android

Le 16 octobre 2019 12:22:33 GMT+02:00, "Ludovic Courtès" <address@hidden> a 
écrit :
>Here’s a patch that fixes the issue, partly based on what the Nix folks
>For the client-connecting-over-TCP case, I added special handling:
>‘set-build-options’ now passes a “user-name” property, potentially
>allowing to create ‘per-user/$USER’ at that point (like you suggested,
>In a cluster setup, it means that the machine that runs ‘guix-daemon’
>must see the same users as the machines where its clients run, but
>that’s basically already what we expect:
>There’s one case that won’t be correctly handled: in a cluster setup,
>old client talking to a new daemon won’t provide info to create
>‘per-user/$USER’, and thus ‘guix package’ & co. won’t be able to create
>the user’s profile it it doesn’t already exist.  I think that’s hard to
>avoid though.

We could advise people to restart the service too, with e.g. systemctl restart 

reply via email to

[Prev in Thread] Current Thread [Next in Thread]