Re: Potential security weakness in Guix services
From: Ludovic Courtès
Subject: Re: Potential security weakness in Guix services
Date: Tue, 02 Feb 2021 14:07:44 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

Hi,

Maxime Devos <maximedevos@telenet.be> writes:

>> > I’m not sure I understand the threat model. If Knot has a RCE
>> > vulnerability, it can be exploited to run anything on behalf of the
>> > ‘knot’ user.
>> >
>> > At that point, all the state associated with Knot in /var/lib should be
>> > considered tainted; new keys should be generated, and so on.
>> >
>> > Why focus on the permissions on /var/lib/knot?
>>
>> My understanding is that, in case of an RCE in knot, the attacker can
>> replace /var/lib/knot/* with symlinks to arbitrary files in the FS. When
>> the activation procedure is run afterwards, the files being linked to
>> are chowned to the knot user, and the attacker can access them.
>
> That's exactly what I had in mind! Though I would like to stress that
> ‘access’ here is both reading and writing.

OK, I see. Roughly, this symlink chown story would be a local exploit
that the attacker can take advantage of after exploiting the RCE to
potentially get root access.

‘mkdir-p/perms’ could check that the directory is not a symlink, to
begin with. Is this what you had in mind, Maxime?

Thanks,
Ludo’.
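
The check suggested in the message above, sketched as an added example (not part of the original message and not Guix's code): it is written in Python rather than Guile so it can be run directly, and `activate_naive`, `activate_checked` and `demo` are hypothetical names. It guards only the last path component, assumes the parent directories are trusted, and the scenario in `demo` is constructed.

```python
import os
import stat
import tempfile

def activate_naive(path, uid, gid, mode):
    """Follows symlinks: chown/chmod land on whatever PATH points to."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, uid, gid)
    os.chmod(path, mode)

def activate_checked(path, uid, gid, mode):
    """Refuse to act when PATH itself is a symlink or not a directory."""
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass
    # O_NOFOLLOW: open() fails if the last component is a symlink.
    # O_DIRECTORY: open() fails if it is not a directory.
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # Work on the descriptor, so the object that was checked is the
        # object that gets changed even if PATH is swapped afterwards.
        os.fchown(fd, uid, gid)
        os.fchmod(fd, mode)
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: 'state' was replaced by a symlink to 'victim'."""
    uid, gid = os.geteuid(), os.getegid()
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim")
        state = os.path.join(tmp, "state")
        os.mkdir(victim)
        os.chmod(victim, 0o700)
        os.symlink(victim, state)
        try:
            activate_checked(state, uid, gid, 0o755)
            refused = False
        except OSError:
            refused = True
        mode_after_checked = stat.S_IMODE(os.stat(victim).st_mode)
        # The unchecked variant changes the symlink's target instead.
        activate_naive(state, uid, gid, 0o755)
        mode_after_naive = stat.S_IMODE(os.stat(victim).st_mode)
    return refused, mode_after_checked, mode_after_naive
```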