bug#41908: guix time-machine fails; XXXX is not related to introductory

From: Ludovic Courtès
Subject: bug#41908: guix time-machine fails; XXXX is not related to introductory commit of channel 'guix'
Date: Mon, 22 Jun 2020 10:01:29 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)


zimoun <zimon.toutoune@gmail.com> wrote:

> On Sat, 20 Jun 2020 at 12:40, Ludovic Courtès <ludo@gnu.org> wrote:
>> zimoun <zimon.toutoune@gmail.com> wrote:
>>> BTW, from a security perspective, it is easy to cheat by removing some
>>> commits so the file ~/.cache/guix/authentication/channels/guix should be
>>> protected: read-only and only writable by the daemon.
>> It’s 600 of course.  What we could do is ignore it if it’s not 600 when
>> we open it.
> This could help. :-)

Done in 41939c374a3ef421d2d4c6453c327a9cd7af4ce5.

>> Crucially: we cannot and should not restrict what the user can do for
>> the sake of security.  Users can pass ‘--disable-authentication’, they
>> can run binaries taken from the net, whatever; it’s their machine.
> Well, I have not thought deeply about an attack, but the point is to
> protect the user when they run "guix pull" alone, i.e., they can trust
> the server.  An attack could be for example an email with an attachment,
> click, then boum: tweak ~/.config/guix/channels.scm and
> ~/.cache/guix/authentication/channels/guix, then the user runs "guix
> pull" with the expectation that everything is checked and
> authenticated and in fact no, they are talking to a malicious server.

I don’t really see how the attachment would modify a local file, but
even if that’s a possibility, it’s beyond the scope of Guix: we cannot
prevent users from shooting themselves in the foot.
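
The check discussed in this message ("ignore it if it's not 600 when we open it"), sketched as an added example; it is not part of the original message and not Guix's own code, which is written in Guile Scheme. The function names, the owner check and the refusal to follow symlinks are assumptions of this sketch, and the cache contents are constructed.

```python
import os
import stat
import tempfile


def read_cache_if_private(path):
    """Return the cache bytes, or None when the file must be ignored."""
    # O_NOFOLLOW refuses a symlink at the final path component;
    # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
    try:
        fd = os.open(path, flags)
    except OSError:
        return None  # missing, symlink or unreadable: act as if there were no cache
    with os.fdopen(fd, "rb") as f:
        # fstat() the descriptor we hold, not the path, so the file cannot
        # be swapped between the check and the read.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            return None
        if stat.S_IMODE(st.st_mode) != 0o600:  # the "not 600" rule from the thread
            return None
        if st.st_uid != os.geteuid():  # assumption: also require our own file
            return None
        return f.read()


def demo():
    """Run the check on a constructed cache file under several modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "guix")
        with open(path, "wb") as f:
            f.write(b"constructed-cache-contents\n")
        for mode in (0o600, 0o644, 0o660, 0o400):
            os.chmod(path, mode)
            results[mode] = read_cache_if_private(path) is not None
        os.chmod(path, 0o600)
        link = os.path.join(d, "link")
        os.symlink(path, link)
        results["symlink"] = read_cache_if_private(link) is not None
    return results


if __name__ == "__main__":
    for key, accepted in demo().items():
        label = oct(key) if isinstance(key, int) else key
        print(label, "used" if accepted else "ignored")
```
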

