[Nix-dev] NIX-2017-0002: users can modify builds by other users

Graham Christensen graham at grahamc.com
Thu Jun 15 22:40:59 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


                         Nix Security Advisory
                             NIX-2017-0002
                         ---------------------
        users can modify / interfere with builds by other users


Description
===========

In multi-user Nix installations, to ensure that builds by unprivileged
users cannot interfere with each other, Nix performs builds under
so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user.
Only one build can run under a given build user at a time, and all
processes running under that build user are killed before and after the
build. However, the invariant that no other processes run under a given
build user can be violated through the creation of setuid executables.

The Nix store does not permit setuid executables, and Nix removes
setuid/setgid bits after builds complete. This protection, however, does
not prevent setuid binaries from being created or existing during a
build.

These setuid binaries are owned by a Nix build user (nixbld1, nixbld2,
...).

Nix build directories are world readable during a build, and it is
possible for a malicious user to execute the setuid binary before the
build completes.

Additionally, if --keep-failed is used the setuid binary is allowed to
remain in the directory of the retained failed build.
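The following is an added example written for this page, not code from Nix or from the advisory's author: a small C check that walks a directory tree (for instance a build directory retained with --keep-failed) and lists regular files carrying the setuid or setgid bit, optionally restricted to files owned by a build user. The "nixbld" owner prefix is taken from the advisory; the nftw-based walk, the function names and the default scan directory are assumptions for the demonstration.

```c
/* Added example, not Nix's own code: list setuid/setgid files left behind
 * in a build directory, e.g. one retained with --keep-failed. */
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build-user naming taken from the advisory: nixbld1, nixbld2, ... */
static const char BUILD_USER_PREFIX[] = "nixbld";

static int found;         /* setid regular files seen in the current scan */
static int owner_filter;  /* 1: report only files owned by a build user */

static int is_build_user(uid_t uid) {
    struct passwd *pw = getpwuid(uid);
    return pw != NULL &&
           strncmp(pw->pw_name, BUILD_USER_PREFIX, sizeof BUILD_USER_PREFIX - 1) == 0;
}

/* nftw callback: count (and print) regular files with S_ISUID or S_ISGID set. */
static int visit(const char *path, const struct stat *st, int type, struct FTW *ftw) {
    (void)ftw;
    if (type != FTW_F || !S_ISREG(st->st_mode)) return 0;
    if (!(st->st_mode & (S_ISUID | S_ISGID))) return 0;
    if (owner_filter && !is_build_user(st->st_uid)) return 0;
    found++;
    printf("setid file: %s (mode %04o, uid %u)\n", path,
           (unsigned)(st->st_mode & 07777), (unsigned)st->st_uid);
    return 0;
}

/* Walk `dir` without following symlinks or crossing mount points. Returns the
 * number of setid regular files found (any owner when only_build_users is 0),
 * or -1 if the walk failed. */
int scan_for_setid(const char *dir, int only_build_users) {
    found = 0;
    owner_filter = only_build_users;
    if (nftw(dir, visit, 16, FTW_PHYS | FTW_MOUNT) != 0) return -1;
    return found;
}

int main(int argc, char **argv) {
    /* Assumed default: pass the retained build directory as the first argument. */
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    int n = scan_for_setid(dir, 1);
    printf("%d setid file(s) owned by %s* under %s\n", n, BUILD_USER_PREFIX, dir);
    return n > 0 ? 1 : 0;
}
```

Run it against a retained build directory after a failed build; a non-zero exit status means a setid file owned by a build user is still present and should be removed before the next build is scheduled under that user.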


Impact
======

A malicious user can create setuid binaries owned by a Nix build user,
allowing the attacker to interfere with subsequent builds run under the
same UID.

Interference may include causing failures, injecting impurities, or
completely replacing a build with malicious output.


Vulnerable Systems
==================

All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.

  Channel                 First Non-Vulnerable Version
  -------                 ----------------------------
  nixos-17.03             nixos-17.03.1316.412b0a17aa
  nixos-17.03-small       nixos-17.03.1303.74a1ea1f89
  nixos-unstable-small    nixos-17.09pre108957.0bffe03828
  nixos-unstable          not yet released
  nixpkgs-unstable        not yet released


Mitigation
==========

Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or
later.


Resolution
==========

Nix now prevents builders from creating setuid and setgid binaries.

On Linux, this is done using a seccomp BPF filter. Using seccomp, we now
also prevent the creation of extended attributes and POSIX ACLs since
these cannot be represented in the NAR format and (in the case of POSIX
ACLs) allow bypassing regular Nix store permissions.
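As an added illustration of the Linux mechanism described above, here is example code written for this page, not Nix's own implementation (Nix uses libseccomp): a raw seccomp-BPF filter that returns EPERM for chmod, fchmod, fchmodat and fchmodat2 calls whose mode argument carries S_ISUID or S_ISGID, returns EPERM for setxattr, lsetxattr and fsetxattr (which also covers POSIX ACLs, since they are stored as extended attributes), and allows every other system call. The architecture list (x86_64 and aarch64 only), the little-endian assumption used to read the low 32 bits of each argument, the /tmp probe files and the probe and helper function names are all assumptions for the demonstration.

```c
/* Added example, not Nix's own code (Nix uses libseccomp): a seccomp-BPF filter
 * in the spirit of the Linux fix. Assumes a little-endian x86_64 or aarch64 host. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define BUILD_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define BUILD_ARCH AUDIT_ARCH_AARCH64
#else
#  define BUILD_ARCH 0 /* unknown ABI: install_build_filter() refuses to install */
#endif

static struct sock_filter prog[64];
static unsigned short prog_len;
static void emit(struct sock_filter insn) { prog[prog_len++] = insn; }
#define STMT(code, k)         emit((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) emit((struct sock_filter)BPF_JUMP(code, k, jt, jf))
#define LOAD(field) STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))

/* chmod-like syscall: EPERM only if the mode argument (index `arg`) has a setid
 * bit. The accumulator holds the syscall number on entry and is restored after. */
static void deny_setid_mode(int sysno, int arg) {
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)sysno, 0, 4);      /* not ours: skip 4 */
    STMT(BPF_LD | BPF_W | BPF_ABS,                                /* low 32 bits of args[arg] */
         offsetof(struct seccomp_data, args) + arg * sizeof(__u64));
    JUMP(BPF_JMP | BPF_JSET | BPF_K, S_ISUID | S_ISGID, 0, 1);
    STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    LOAD(nr);
}
static void deny_syscall(int sysno) {                             /* unconditional EPERM */
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)sysno, 0, 1);
    STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
}

/* Install the filter in the calling process; 0 on success, -1 otherwise. */
int install_build_filter(void) {
    if (BUILD_ARCH == 0) { errno = ENOSYS; return -1; }
    prog_len = 0;
    LOAD(arch);
    JUMP(BPF_JMP | BPF_JEQ | BPF_K, BUILD_ARCH, 1, 0);
    STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);                      /* foreign ABI: never allow */
    LOAD(nr);
#ifdef __NR_chmod                 /* absent on aarch64, which only has fchmodat */
    deny_setid_mode(__NR_chmod, 1);
#endif
    deny_setid_mode(__NR_fchmod, 1);
    deny_setid_mode(__NR_fchmodat, 2);
#ifdef __NR_fchmodat2
    deny_setid_mode(__NR_fchmodat2, 2);
#endif
    deny_syscall(__NR_setxattr);  /* POSIX ACLs are stored as xattrs, so this covers them too */
    deny_syscall(__NR_lsetxattr);
    deny_syscall(__NR_fsetxattr);
    STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = prog_len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Probes: run `op` on a throwaway file in /tmp (assumed writable); 0 or errno. */
static int with_temp_file(int (*op)(const char *)) {
    char path[] = "/tmp/setid-probe-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return errno;
    close(fd);
    int rc = op(path) == 0 ? 0 : errno;
    unlink(path);
    return rc;
}
static int op_setuid(const char *p) { return chmod(p, S_ISUID | 0755); }
static int op_plain(const char *p)  { return chmod(p, 0755); }
static int op_xattr(const char *p)  { return setxattr(p, "user.probe", "1", 1, 0); }
int probe_setuid_chmod(void) { return with_temp_file(op_setuid); }
int probe_plain_chmod(void)  { return with_temp_file(op_plain); }
int probe_setxattr(void)     { return with_temp_file(op_xattr); }

/* Run probe() in a child with the filter installed: returns the probe's result,
 * 255 if the filter could not be installed, -1 if the child did not exit normally. */
int run_under_filter(int (*probe)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_build_filter() != 0) _exit(255);
        _exit(probe() & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) {
    printf("setuid chmod: unfiltered %d, filtered %d (EPERM is %d)\n",
           probe_setuid_chmod(), run_under_filter(probe_setuid_chmod), EPERM);
    return 0;
}
```

The filter is installed in a forked child so the parent stays unrestricted for comparison; in a real builder it would be installed in the build process itself, right before exec. PR_SET_NO_NEW_PRIVS is required for an unprivileged process to install a filter and also guarantees that the builder cannot regain privileges by executing an existing setuid program. The mode check only looks at the low 32 bits of the argument, which is where the mode lives on little-endian targets; a big-endian port would have to add 4 to the offset.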

On macOS, the restriction is implemented using the existing sandbox
mechanism, which now uses a minimal "allow all except the creation of
setuid/setgid binaries" profile when regular sandboxing is disabled.

On other platforms, the "build user" mechanism is now disabled.


Thank You
=========

This issue was discovered and appropriately reported by Linus Heckman on
2017-05-27 through the NixOS Security Team -
https://nixos.org/nixos/security.html.

