bartronx7/guix
1
0
Fork 0
mirror of https://codeberg.org/guix/guix.git synced 2026-01-26 12:35:14 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions
guix/gnu
History
Maxime Devos 520bac7ed0
services: Prevent following symlinks during activation. 
This addresses a potential security issue, where a compromised
service could trick the activation code in changing the permissions,
owner and group of arbitrary files.  However, this patch is
currently only a partial fix, due to a TOCTTOU (time-of-check to
time-of-use) race, which can be fixed once guile has bindings
to openat and friends.

Fixes: <https://lists.gnu.org/archive/html/guix-devel/2021-01/msg00388.html>

* gnu/build/activation.scm: new procedure 'mkdir-p/perms'.
* gnu/services/authentication.scm
  (%nslcd-activation, nslcd-service-type): use new procedure.
* gnu/services/cups.scm (%cups-activation): likewise.
* gnu/services/dbus.scm (dbus-activation): likewise.
* gnu/services/dns.scm (knot-activation): likewise.

Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2021-03-10 18:01:47 +01:00
..
bootloader
build services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
installer
machine machine: ssh: Use 'formatted-message'. 2021-02-25 11:29:35 +01:00
packages gnu: hwloc: Update to 2.4.1. 2021-03-10 18:01:47 +01:00
services services: Prevent following symlinks during activation. 2021-03-10 18:01:47 +01:00
system system: vm: Use Guile 3.0 in Docker images. 2021-02-25 11:29:35 +01:00
tests tests: cuirass: Remove cuirass simple test. 2021-03-10 09:37:48 +01:00
artwork.scm
bootloader.scm
ci.scm ci: Remove hydra support. 2021-03-10 08:49:48 +01:00
image.scm image: Export image? procedure. 2021-02-17 10:55:36 +01:00
installer.scm
local.mk gnu: mongodb: Update to 3.4.24 [security fixes]. 2021-03-10 13:03:12 +01:00
machine.scm
packages.scm
services.scm gnu: services: Add activate script to the profile system directory. 2021-03-09 06:56:12 +01:00
system.scm
tests.scm tests: Export %simple-os. 2021-02-19 20:10:08 +01:00