Re: Security questions around using Guix to package apps

From: Leo Famulari
Subject: Re: Security questions around using Guix to package apps
Date: Tue, 27 Jun 2017 10:29:45 -0400
User-agent: Mutt/1.8.3 (2017-05-23)


On Tue, Jun 27, 2017 at 11:19:24AM +0200, Divan Santana wrote:
> Though the customers/users require to ship applications. They normally do this
> with something like RPMs and a yum repository.
> The problem with this is:
> 1. yum/rpm requires root to install/upgrade/remove packages.
> 2. One can ship certain files in an RPM, install it via yum, and gain full root.
> 3. One can therefore use the RPMs/yum to gain full root.


> * Getting to the actual question
> Therefore can one ship files in a guix package and as nonroot install this
> package, then use the files the package provided as a nonroot user to gain
> root?
> Or written another way, if guix is installed on a system and configured to
> point to substitutes that the same nonroot user has access to submit and
> approve packages in, can that nonroot user on the system gain root? Therefore
> would one need to review the submitted packages to avoid the user gaining root.
> ** Some theoretical examples of doing this
> 1.
> One example to do this would be to create a shell script with =sudo su -= (or
> similarly problematic) contents, then byte compile it and ship that in the
> application with the setuid permission bit set on it?
> If this was possible with Guix, putting =/gnu= on its own FS with the mount
> option =setuid=0= should solve this.

There are two ways to deploy Guix: Guix on another distro, or GuixSD.

On GuixSD, only privileged users can create setuid binaries.

For Guix on another distro, nobody can create setuid binaries from
Guix packages, at least not without root privileges, and not without
some hacks. As far as I know, while using Guix on a foreign distro,
setuid programs are not supported at all.

See the manual section Setuid Programs for more information:

> 2.
> Ship a sudo file and install it in =/etc/sudoers.d=, though I'm not sure if
> that's possible with Guix since it's kind of its own chroot. Unless it
> supports a post-scripts section and that gets executed as root (doubt it).

Guix packages don't touch the filesystem outside of /gnu/store and /tmp
(while building). And on GuixSD, only root can add users to the sudo
group. So, we don't need to worry about this scenario.

Of course, there may be bugs. But Guix has been designed to prevent
the sort of privilege escalation you describe.

Does that answer your questions? Does anyone else have anything to add?

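The two defensive checks implied by this exchange are easy to script: scan the store for files carrying a setuid/setgid bit (Leo's point is that Guix should never produce one), and confirm that the filesystem holding the store is mounted with `nosuid`, which is the kernel option that makes setuid bits inert (the mitigation Divan is reaching for). The POSIX sh below is an added example written for this page, not code from the thread or from the Guix project; it runs against a constructed temporary directory and a constructed mounts table in the format of `/proc/mounts`, so nothing on the real system is read or changed. To audit a real host you would pass `/gnu/store` and the contents of `/proc/mounts` instead.

```shell
#!/bin/sh
# Added example (not from the thread or from Guix): audit a directory tree for
# setuid/setgid files and check whether a mount point carries `nosuid`.
# The demo tree and the mounts table below are constructed, not read from the host.

# Print the paths of regular files under $1 that have the setuid or setgid bit.
find_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Number of such files, for easy checking.
count_suid_files() {
    find_suid_files "$1" | wc -l | tr -d ' '
}

# $1: text in /proc/mounts format ("device mountpoint fstype options dump pass")
# $2: mount point to check
# Returns 0 when that mount point has the nosuid option, 1 otherwise.
mount_has_nosuid() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Walk-through on constructed data: a fake store with one setuid file, and a
# fake mounts table where /gnu is nosuid but /home is not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/store/pkg-a/bin" "$tmp/store/pkg-b/bin"
    printf '#!/bin/sh\necho hello\n' > "$tmp/store/pkg-a/bin/hello"
    printf '#!/bin/sh\necho hi\n' > "$tmp/store/pkg-b/bin/hi"
    chmod 755 "$tmp/store/pkg-a/bin/hello"
    chmod 4755 "$tmp/store/pkg-b/bin/hi"     # constructed setuid file

    echo "setuid/setgid files under $tmp/store:"
    find_suid_files "$tmp/store"

    mounts='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /gnu ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,relatime 0 0'
    for mp in /gnu /home; do
        if mount_has_nosuid "$mounts" "$mp"; then
            echo "$mp: nosuid set (kernel ignores setuid bits here)"
        else
            echo "$mp: nosuid NOT set"
        fi
    done
    rm -rf "$tmp"
}

# Run the walk-through only when invoked as `sh audit.sh demo`.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Note that `nosuid` does not by itself stop the second scenario (a package dropping files into `/etc/sudoers.d`); that one is covered by the store being confined to `/gnu/store`, which you can check the same way by confirming that no package output path lies outside the store.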