aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMaxime Devos <maximedevos@telenet.be>2021-02-14 12:57:32 +0100
committerLudovic Courtès <ludo@gnu.org>2021-03-10 18:01:47 +0100
commit520bac7ed00a949a0391ad680de65a1498105c2b (patch)
tree15d2267b31ca62c0ef8b201aa700726aa310fa34
parent1a1d0fe505da18c1f43996fb7eb3652e42250d0a (diff)
downloadguix-520bac7ed00a949a0391ad680de65a1498105c2b.tar
guix-520bac7ed00a949a0391ad680de65a1498105c2b.tar.gz
services: Prevent following symlinks during activation.
This addresses a potential security issue, where a compromised service could trick the activation code in changing the permissions, owner and group of arbitrary files. However, this patch is currently only a partial fix, due to a TOCTTOU (time-of-check to time-of-use) race, which can be fixed once guile has bindings to openat and friends. Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html> * gnu/build/activation.scm: new procedure 'mkdir-p/perms'. * gnu/services/authentication.scm (%nslcd-activation, nslcd-service-type): use new procedure. * gnu/services/cups.scm (%cups-activation): likewise. * gnu/services/dbus.scm (dbus-activation): likewise. * gnu/services/dns.scm (knot-activation): likewise. Signed-off-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r--gnu/build/activation.scm53
-rw-r--r--gnu/services/authentication.scm22
-rw-r--r--gnu/services/cups.scm12
-rw-r--r--gnu/services/dbus.scm37
-rw-r--r--gnu/services/dns.scm21
5 files changed, 98 insertions, 47 deletions
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index b458aee4ae..6cb6f8819b 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -1,6 +1,11 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2013 Nikita Karetnikov <nikita@karetnikov.org>
+;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
+;;; Copyright © 2015, 2018 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -37,7 +42,8 @@
activate-modprobe
activate-firmware
activate-ptrace-attach
- activate-current-system))
+ activate-current-system
+ mkdir-p/perms))
;;; Commentary:
;;;
@@ -55,6 +61,47 @@
(define (dot-or-dot-dot? file)
(member file '("." "..")))
+;; Based upon mkdir-p from (guix build utils)
+(define (verify-not-symbolic dir)
+ "Verify DIR or its ancestors aren't symbolic links."
+ (define absolute?
+ (string-prefix? "/" dir))
+
+ (define not-slash
+ (char-set-complement (char-set #\/)))
+
+ (define (verify-component file)
+ (unless (eq? 'directory (stat:type (lstat file)))
+ (error "file name component is not a directory" dir)))
+
+ (let loop ((components (string-tokenize dir not-slash))
+ (root (if absolute?
+ ""
+ ".")))
+ (match components
+ ((head tail ...)
+ (let ((file (string-append root "/" head)))
+ (catch 'system-error
+ (lambda ()
+ (verify-component file)
+ (loop tail file))
+ (lambda args
+ (if (= ENOENT (system-error-errno args))
+ #t
+ (apply throw args))))))
+ (() #t))))
+
+;; TODO: the TOCTTOU race can be addressed once guile has bindings
+;; for fstatat, openat and friends.
+(define (mkdir-p/perms directory owner bits)
+ "Create the directory DIRECTORY and all its ancestors.
+Verify no component of DIRECTORY is a symbolic link.
+Warning: this is currently suspect to a TOCTTOU race!"
+ (verify-not-symbolic directory)
+ (mkdir-p directory)
+ (chown directory (passwd:uid owner) (passwd:gid owner))
+ (chmod directory bits))
+
(define* (copy-account-skeletons home
#:key
(directory %skeleton-directory)
diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm
index 73969a5a6d..d7efc48cd0 100644
--- a/gnu/services/authentication.scm
+++ b/gnu/services/authentication.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Danny Milosavljevic <dannym@scratchpost.org>
;;; Copyright © 2018, 2019 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -31,6 +32,7 @@
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix packages)
+ #:use-module (guix modules)
#:use-module (ice-9 match)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
@@ -521,6 +523,16 @@ password.")
(define (pam-ldap-pam-services config)
(list (pam-ldap-pam-service config)))
+(define %nslcd-activation
+ (with-imported-modules (source-module-closure '((gnu build activation)))
+ #~(begin
+ (use-modules (gnu build activation))
+ (let ((rundir "/var/run/nslcd")
+ (user (getpwnam "nslcd")))
+ (mkdir-p/perms rundir user #o755)
+ (when (file-exists? "/etc/nslcd.conf")
+ (chmod "/etc/nslcd.conf" #o400))))))
+
(define nslcd-service-type
(service-type
(name 'nslcd)
@@ -531,15 +543,7 @@ password.")
(service-extension etc-service-type
nslcd-etc-service)
(service-extension activation-service-type
- (const #~(begin
- (use-modules (guix build utils))
- (let ((rundir "/var/run/nslcd")
- (user (getpwnam "nslcd")))
- (mkdir-p rundir)
- (chown rundir (passwd:uid user) (passwd:gid user))
- (chmod rundir #o755)
- (when (file-exists? "/etc/nslcd.conf")
- (chmod "/etc/nslcd.conf" #o400))))))
+ (const %nslcd-activation))
(service-extension pam-root-service-type
pam-ldap-pam-services)
(service-extension nscd-service-type
diff --git a/gnu/services/cups.scm b/gnu/services/cups.scm
index 17ed04e58b..20e3917b93 100644
--- a/gnu/services/cups.scm
+++ b/gnu/services/cups.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
;;; Copyright © 2019 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -31,6 +32,7 @@
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix gexp)
+ #:use-module (guix modules)
#:use-module (ice-9 match)
#:use-module ((srfi srfi-1) #:select (append-map find))
#:export (cups-service-type
@@ -871,13 +873,11 @@ IPP specifications.")
(define %cups-activation
;; Activation gexp.
- (with-imported-modules '((guix build utils))
+ (with-imported-modules (source-module-closure '((gnu build activation)
+ (guix build utils)))
#~(begin
- (use-modules (guix build utils))
- (define (mkdir-p/perms directory owner perms)
- (mkdir-p directory)
- (chown directory (passwd:uid owner) (passwd:gid owner))
- (chmod directory perms))
+ (use-modules (gnu build activation)
+ (guix build utils))
(define (build-subject parameters)
(string-concatenate
(map (lambda (pair)
diff --git a/gnu/services/dbus.scm b/gnu/services/dbus.scm
index e015d3f68d..af1a1e4c3a 100644
--- a/gnu/services/dbus.scm
+++ b/gnu/services/dbus.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -28,6 +29,7 @@
#:use-module (guix gexp)
#:use-module ((guix packages) #:select (package-name))
#:use-module (guix records)
+ #:use-module (guix modules)
#:use-module (srfi srfi-1)
#:use-module (ice-9 match)
#:export (dbus-configuration
@@ -161,24 +163,23 @@ includes the @code{etc/dbus-1/system.d} directories of each package listed in
(define (dbus-activation config)
"Return an activation gexp for D-Bus using @var{config}."
- #~(begin
- (use-modules (guix build utils))
-
- (mkdir-p "/var/run/dbus")
-
- (let ((user (getpwnam "messagebus")))
- (chown "/var/run/dbus"
- (passwd:uid user) (passwd:gid user))
-
- ;; This directory contains the daemon's socket so it must be
- ;; world-readable.
- (chmod "/var/run/dbus" #o755))
-
- (unless (file-exists? "/etc/machine-id")
- (format #t "creating /etc/machine-id...~%")
- (invoke (string-append #$(dbus-configuration-dbus config)
- "/bin/dbus-uuidgen")
- "--ensure=/etc/machine-id"))))
+ (with-imported-modules (source-module-closure
+ '((gnu build activation)
+ (guix build utils)))
+ #~(begin
+ (use-modules (gnu build activation)
+ (guix build utils))
+
+ (let ((user (getpwnam "messagebus")))
+ ;; This directory contains the daemon's socket so it must be
+ ;; world-readable.
+ (mkdir-p/perms "/var/run/dbus" user #o755))
+
+ (unless (file-exists? "/etc/machine-id")
+ (format #t "creating /etc/machine-id...~%")
+ (invoke (string-append #$(dbus-configuration-dbus config)
+ "/bin/dbus-uuidgen")
+ "--ensure=/etc/machine-id")))))
(define dbus-shepherd-service
(match-lambda
diff --git a/gnu/services/dns.scm b/gnu/services/dns.scm
index d4aefe6285..55211cb08f 100644
--- a/gnu/services/dns.scm
+++ b/gnu/services/dns.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2018 Oleg Pykhalov <go.wigust@gmail.com>
;;; Copyright © 2020 Pierre Langlois <pierre.langlois@gmx.com>
+;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -28,6 +29,7 @@
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix gexp)
+ #:use-module (guix modules)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (srfi srfi-34)
@@ -607,17 +609,14 @@
(shell (file-append shadow "/sbin/nologin")))))
(define (knot-activation config)
- #~(begin
- (use-modules (guix build utils))
- (define (mkdir-p/perms directory owner perms)
- (mkdir-p directory)
- (chown directory (passwd:uid owner) (passwd:gid owner))
- (chmod directory perms))
- (mkdir-p/perms #$(knot-configuration-run-directory config)
- (getpwnam "knot") #o755)
- (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755)
- (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755)
- (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755)))
+ (with-imported-modules (source-module-closure '((gnu build activation)))
+ #~(begin
+ (use-modules (gnu build activation))
+ (mkdir-p/perms #$(knot-configuration-run-directory config)
+ (getpwnam "knot") #o755)
+ (mkdir-p/perms "/var/lib/knot" (getpwnam "knot") #o755)
+ (mkdir-p/perms "/var/lib/knot/keys" (getpwnam "knot") #o755)
+ (mkdir-p/perms "/var/lib/knot/keys/keys" (getpwnam "knot") #o755))))
(define (knot-shepherd-service config)
(let* ((config-file (knot-config-file config))