New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix the nix-profile scripts to error on bad profile ownership/mode #1869
Conversation
Thank you for the report. I've started looking in to the issue and am working with the NixOS security team on getting this addressed. |
This is still incomplete. The permissions of /nix/var/nix/profiles/$USER also need to be 755 or less, and enforced as such. Without that enforcement, users can still modify other users profiles right underneath them. This is especially true in environments where all users share the same primary group. |
@edolstra Please don't release until this is fixed. |
Looks like we missed the release window sadly. |
scripts/nix-profile-daemon.sh.in
Outdated
# Set up the per-user profile. | ||
mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR" | ||
if ! test -O "$NIX_USER_PROFILE_DIR"; then | ||
echo "ERROR: bad ownership on $NIX_USER_PROFILE_DIR" >&2 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you give some more guidance to the user about why this might have happened and what they can do?
I think a better fix is to either
|
The useradd approach is a little inconvenient; in practice the subdirectories would still need to be created on first login, since in large multi-user deployments you don't want to create profile directories for every user on every host; there might be tens of thousands of users. Moving the per-user profiles to the user's home directory sounds good, but it would be a loss of capability compared to current Nix: Currently you can run nix-daemon unprivileged on systems with arbitrary setups and it mostly works. If the per-user profiles were in the user's home directory, the nix-daemon would either need to be root or the user's home directories would need to be globally traversable (have 001 set) so that the nix-daemon could find the roots. Also, if we moved the per-user profiles to the user's home directory by just making a symlink to that directory, we'd still need to do checks on the ownership and mode of the symlink. |
I think garbage collection already has to traverse home directories for indirect roots. If you have a multi-user system with non-privileged Nix daemon, you can allow access with |
I am less of a fan of moving these into user home directories, it also makes auditing harder. Again on systems that can have thousands of users on them, via LDAP or otherwise, only a handful are likely logging into any given machine. To figure out nix usage right now is fairly trivial, you can just look at /nix/var/nix/profiles/ and gcroots and understand who is using nix, and what they have. With this change, nix will likely have to enumerate all users, and then scan them, and similar behavior will have to be done to audit usage. Further more, it may be challenging to enumerate all users. SSSD has an option to disable it, which may be desirable for performance reasons. All attempts to get a full list of users that might run on the machine will only return entries in the local /etc/passwd file. SSSD plans to fully remove enumeration in their next major release. |
At the very least, if this is ultimately decided to move into home directories, a symlink in The only advantage we then gain over what we have today is that people can't use However because of backwards compatibility, all the checks @catern is suggesting would still be required. |
Bumping this, has any decisions or progress been made on closing this hole? |
@edolstra thoughts on this? |
We still need to fix this. |
This closes a security hole that has existed up to this moment on
multi-user systems: If users are configured to source nix-profile.sh
or nix-profile-daemon.sh on login, but have never logged in, some
other user would be able to create the NIX_USER_PROFILE_DIR for
them. The binaries inside would be added to the front of the user's
PATH, which would allow for an attacker to immediately run malicious
code as that user.