author | Christopher Baines <mail@cbaines.net> | 2019-11-03 11:54:24 +0000 |
---|---|---|
committer | Christopher Baines <mail@cbaines.net> | 2019-11-03 11:54:24 +0000 |
commit | 0d70c43a1691adf19188b50344046ee951565e96 (patch) | |
tree | 7ee2883c38d61b12fbc0f7e52050b1f7e5108d3a /posts/2019/42/en_US.md | |
parent | 132ed0d8cdef4dfc9e9eab0f4a1ac2569156b267 (diff) | |
download | weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar weekly-news-0d70c43a1691adf19188b50344046ee951565e96.tar.gz |
Customise a couple of the posts
Diffstat (limited to 'posts/2019/42/en_US.md')
-rw-r--r-- | posts/2019/42/en_US.md | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/posts/2019/42/en_US.md b/posts/2019/42/en_US.md index ed97d53..1037575 100644 --- a/posts/2019/42/en_US.md +++ b/posts/2019/42/en_US.md @@ -1 +1,12 @@ +synopsis: guix-daemon security issue --- + +### Highlights + +#### Insecure `/var/guix/profiles/per-user` permissions. + +On a multi-user system, this allowed a malicious user to create and +populate that `$USER` sub-directory for another user that had not yet +logged in. Since `/var/.../$USER` is in `$PATH`, the target user +could end up running attacker-provided code. See [issue +37744](https://issues.guix.gnu.org/issue/37744) for more information. |
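Review bot: the highlight paragraph refers to "that `$USER` sub-directory" and then to `/var/.../$USER` without ever writing the full path, so a reader has to infer from the heading that both mean a directory under `/var/guix/profiles/per-user`. Spell it out once as `/var/guix/profiles/per-user/$USER` and reuse that form in the `$PATH` sentence. The paragraph is also written in the past tense ("this allowed") but never says whether the issue is fixed or what an administrator of a multi-user system should do. Since the synopsis announces a guix-daemon security issue, add one sentence with the remediation, or state explicitly that the details are in issue 37744. Minor style point: the `####` heading ends with a full stop, which the `### Highlights` heading above it does not.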