Customise a couple of the posts

author: Christopher Baines <mail@cbaines.net> 2019-11-03 11:54:24 +0000
committer: Christopher Baines <mail@cbaines.net> 2019-11-03 11:54:24 +0000
commit: 0d70c43a1691adf19188b50344046ee951565e96 (patch)
tree: 7ee2883c38d61b12fbc0f7e52050b1f7e5108d3a /posts/2019/42/en_US.md
parent: 132ed0d8cdef4dfc9e9eab0f4a1ac2569156b267 (diff)
download: weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar
weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar.gz
1 files changed, 11 insertions, 0 deletions
diff --git a/posts/2019/42/en_US.md b/posts/2019/42/en_US.md
index ed97d53..1037575 100644
--- a/posts/2019/42/en_US.md
+++ b/posts/2019/42/en_US.md
@@ -1 +1,12 @@
+synopsis: guix-daemon security issue
 ---
+
+### Highlights
+
+#### Insecure `/var/guix/profiles/per-user` permissions.
+
+On a multi-user system, this allowed a malicious user to create and
+populate that `$USER` sub-directory for another user that had not yet
+logged in.  Since `/var/.../$USER` is in `$PATH`, the target user
+could end up running attacker-provided code.  See [issue
+37744](https://issues.guix.gnu.org/issue/37744) for more information.
author	Christopher Baines <mail@cbaines.net>	2019-11-03 11:54:24 +0000
committer	Christopher Baines <mail@cbaines.net>	2019-11-03 11:54:24 +0000
commit	0d70c43a1691adf19188b50344046ee951565e96 (patch)
tree	7ee2883c38d61b12fbc0f7e52050b1f7e5108d3a /posts/2019/42/en_US.md
parent	132ed0d8cdef4dfc9e9eab0f4a1ac2569156b267 (diff)
download	weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar.gz