gchristensen changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh
andi- has quit [Remote host closed the connection]
stigo has joined #nixos-security
andi- has joined #nixos-security
hyperreal has joined #nixos-security
<hyperreal> Hello. I recently came across this article on macOS Homebrew security issues. Basically there is a huge attack vector from installing Homebrew into /usr/local. The attack vector is basically that someone could spoof the current user and place malicious software into the homebrew path (/usr/local) because Homebrew makes that path u+w.
<hyperreal> Someone also said Nix would be a more secure alternative to Homebrew on macOS. However, I'm curious how this particular attack vector is closed on Nix.
<hyperreal> a similar but larger attack vector would exist on other Linux distributions where users edit the sudoers file to give their user no passwd sudo privilege.
tilpner has quit [Ping timeout: 265 seconds]
hmpffff has joined #nixos-security
justanotheruser has quit [Read error: Connection reset by peer]
justanotheruser has joined #nixos-security
<qyliss> hyperreal: former Homebrew maintainer here, now working with Nix. That "attack" is bullshit, and was rightly dismissed as such when it came out.
<qyliss> /usr/local is u+w, meaning that to write into it, something malicious would need to be executing as your user
<qyliss> you know what else something running as your user could do? write to .bash_profile and change your PATH
<qyliss> so "fixing" this wouldn't improve security in any way
<hyperreal> qyliss: I see! Thank you
<qyliss> np :)
<qyliss> To expand a little further, the UNIX security model assumes that any code running as a user is just as trustworthy as all other code running as that user
<qyliss> I consider this archaic, but it's how most modern UNIX systems work
<qyliss> Apple is starting to move away from that a little by restricting what root can do
<qyliss> And restricting what executables the kernel will run
<qyliss> And sandboxing
<qyliss> But it's done in a way that most Unix-y programs (as opposed to Mac GUIs) take no notice, because it usually requires Apple Developer stuff, and isn't compatible with any other platform
<hyperreal> Ah I see
pie__ has quit [Ping timeout: 240 seconds]
xwvvvvwx- has joined #nixos-security
xwvvvvwx- has quit [Quit: ZNC 1.7.3 - https://znc.in]
xwvvvvwx- has joined #nixos-security
xwvvvvwx- has quit [Client Quit]
xwvvvvwx- has joined #nixos-security
pie_ has joined #nixos-security
xwvvvvwx- has left #nixos-security ["WeeChat 2.6"]
<pie_> qyliss: one could say the same about linux containers and whatnot no?
<pie_> re compatibility
<qyliss> pie_: not sure what you mean
<pie_> "and isn't compatible with any other platform"
<pie_> or at least, no containerization / whatever thing that I know of is cross platform
<pie_> not that i mean to defend apple
<gchristensen> KVM is fairly cross-platform
edef_ has joined #nixos-security
edef has quit [Killed (wolfe.freenode.net (Nickname regained by services))]
edef_ is now known as edef
swapgs has quit [Ping timeout: 268 seconds]
<qyliss> pie_: very little needs to be specially ported to run _inside_ a container
<qyliss> unlike with the macOS sandbox, for example
<gchristensen> macOS sandboxing can be applied to unix processes just like in Linux
<gchristensen> for it to happen by default is where the Apple Developer stuff comes in
<pie_> aha..
<pie_> (as you can see I don't have much of a clue)
LnL has quit [Ping timeout: 263 seconds]
kgz has quit [Ping timeout: 276 seconds]
LnL has joined #nixos-security
kgz has joined #nixos-security
<Foxboron> hyperreal: I think you got your answer on oss-security :)?
<qyliss> CVE-2019-17365: Nix per-user profile directory hijack
<gchristensen> ack
<gchristensen> shit
<gchristensen> I messed up badly on this one
<qyliss> gchristensen: Is there a fix?
<gchristensen> one minute
<{^_^}> nix#3134 (by grahamc, 13 seconds ago, open): Don't activate Nix if the user's profile is not owned by that user
<gchristensen> qyliss: may I PM?
<flokli> gchristensen: nix-profile.sh will get upgraded on a nix update in existing installations, will it?
<gchristensen> yes
<flokli> In that case, updating is simpler - I really worried we add too much logic into bashrc, and would need to patch that. Pooh
<gchristensen> aye
<qyliss> gchristensen: always
swapgs has joined #nixos-security
<gchristensen> FYI: I'm authoring a reply to that mail.
<zimbatm> btw, the script is assuming that $USER is the current user
<zimbatm> USER is set by the login shell and might be inherited when changing user
<qyliss> wow good catch
<gchristensen> under what circumstance can an attacker use that to their advantage?
<zimbatm> it's probably more of a usability issue
<zimbatm> you will get the bad ownership error when switching users
<zimbatm> for example when running `sudo -E`
<hyperreal> Foxboron: yep, that's the issue I was thinking of.
<zimbatm> gchristensen: I rewrote the file entirely: https://gist.github.com/zimbatm/0fb686073175ebdea6632adf9476fb0f
<zimbatm> it's now wrapped in a function to allow early-returns
<gchristensen> scary :P
<zimbatm> it will exit on the first failure
<zimbatm> renamed WARNING to FATAL in those cases
<zimbatm> renamed UPPER_CASE to lower_case for local variables
<zimbatm> used `local` variables instead of unsetting
<zimbatm> USER and HOME are derived from `id -u` and `id -un` so there won't be any issues with env inheritance
<gchristensen> I don't think we can assume bash
<zimbatm> hmm crap, `local` is not POSIX
<zimbatm> qyliss: do you know?
<gchristensen> shellcheck knows! :)
<gchristensen> also, niksnut I think is taking a crack at implementing this in Nix with C++
<zimbatm> but are you sure this is also loaded by other shells?
<gchristensen> pretty sure
<zimbatm> fish shell isn't even POSIX-compatible
<gchristensen> yeah, but sh is :P
<zimbatm> busybox and dash support `local`
<zimbatm> zsh for sure
hmpffff_ has joined #nixos-security
hmpffff has quit [Read error: Connection reset by peer]
hmpffff_ has quit [Quit: nchrrrr…]
<gchristensen> FYI https://github.com/NixOS/nix/pull/3136 (for {^_^}'s pleasure)
<{^_^}> nix#3136 (by edolstra, 1 minute ago, open): Remove world-writability from {profiles,gcroots}/per-user
justan0theruser has joined #nixos-security
<pie_> would putting stuff in a user's home directory cause problems with using arbitrary $HOME values
<pie_> well maybe that's not for in here
justanotheruser has quit [Ping timeout: 240 seconds]
hmpffff has joined #nixos-security
justan0theruser has quit [Quit: WeeChat 2.4]
justanotheruser has joined #nixos-security
pie_ has quit [Ping timeout: 240 seconds]
hyperreal has left #nixos-security ["WeeChat 2.6"]
pie_ has joined #nixos-security
pie_ has quit [Ping timeout: 265 seconds]
pie_ has joined #nixos-security
justanotheruser has quit [Ping timeout: 268 seconds]
justanotheruser has joined #nixos-security
<gchristensen> qyliss: 'round?
<gchristensen> https://github.com/NixOS/nix/pull/3136 this PR is probably how we're going to solve the CVE. anyone available to review?
<{^_^}> nix#3136 (by edolstra, 4 hours ago, open): Remove world-writability from {profiles,gcroots}/per-user
hmpffff has quit [Quit: nchrrrr…]
<qyliss> gchristensen: hello
<gchristensen> ok we're merging
<qyliss> rad
<qyliss> (did you see my comment about the CVE no?)
<gchristensen> not sure I did?
<gchristensen> I asked about that
hmpffff has joined #nixos-security
hmpffff has quit [Quit: nchrrrr…]