[Nix-dev] NIX-2017-0002: users can modify builds by other users

Graham Christensen graham at grahamc.com
Thu Jun 15 22:47:28 CEST 2017


Please accept my apologies: I misspelled *Linus Heckemann*'s name by
accidentally sending a different version to nix-dev than I sent to
nix-security-announce. Below is the correct advisory.

Thank you again, Linus.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


                         Nix Security Advisory
                             NIX-2017-0002
                              2017-06-15
                         ---------------------
        users can modify / interfere with builds by other users


Description
===========

In multi-user Nix installations, to ensure that builds by unprivileged
users cannot interfere with each other, Nix performs builds under
so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user.
Only one build can run under a given build user at a time, and all
processes running under that build user are killed before and after the
build. However, the invariant that no other processes run under a given
build user can be violated through the creation of setuid executables.

The Nix store does not permit setuid executables, and Nix removes
setuid/setgid bits after builds complete. This protection, however, does
not prevent setuid binaries from being created or existing during a
build.

These setuid binaries are owned by a Nix build user (nixbld1, nixbld2,
...).

Nix build directories are world readable during a build, and it is
possible for a malicious user to execute the setuid binary before the
build completes.

Additionally, if --keep-failed is used the setuid binary is allowed to
remain in the directory of the retained failed build.


Impact
======

A malicious user can create setuid binaries owned by a Nix build user,
allowing the attacker to interfere with subsequent builds that run under
the same UID.

Interference may include causing failures, injecting impurities, or
completely replacing a build's output with malicious output.


Vulnerable Systems
==================

All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.

  Channel                 First Non-Vulnerable Version
  -------                 ----------------------------
  nixos-17.03             nixos-17.03.1316.412b0a17aa
  nixos-17.03-small       nixos-17.03.1303.74a1ea1f89
  nixos-unstable-small    nixos-17.09pre108957.0bffe03828
  nixos-unstable          not yet released
  nixpkgs-unstable        not yet released


Mitigation
==========

Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or
later.


Resolution
==========

Nix now prevents builders from creating setuid and setgid binaries.

On Linux, this is done using a seccomp BPF filter. Using seccomp, we now
also prevent the creation of extended attributes and POSIX ACLs since
these cannot be represented in the NAR format and (in the case of POSIX
ACLs) allow bypassing regular Nix store permissions.
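As an added illustration (written for this page, not the code Nix ships,
which uses libseccomp), the C program below installs an equivalent raw
seccomp-BPF filter: every syscall is allowed except chmod, fchmod, fchmodat
and fchmodat2 with a setuid or setgid bit in the requested mode, and
setxattr, lsetxattr and fsetxattr, which fail with EPERM. It assumes Linux on
x86_64 or aarch64 and a writable /tmp. The arch check at the top kills a
process that enters through a foreign syscall ABI (x32 or 32-bit compat),
whose syscall numbers would otherwise not match the ones filtered.
probe_filter() exercises the filter in a forked child on a constructed
scratch file, so the calling process is never restricted; once installed in a
process the filter cannot be removed.

```c
/* Added example, hand-rolled (Nix's own fix uses libseccomp): a seccomp-BPF
 * filter that allows every syscall except chmod/fchmod/fchmodat with S_ISUID
 * or S_ISGID in the mode and setxattr/lsetxattr/fsetxattr, which get EPERM.
 * Linux x86_64/aarch64 is assumed; the probe uses /tmp for a scratch file. */
#include <endian.h>
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <sys/xattr.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef __NR_chmod
#define __NR_chmod 0xffffffffu       /* no such syscall here: never matches */
#endif
#ifndef __NR_fchmodat2
#define __NR_fchmodat2 0xffffffffu   /* older kernel headers: never matches */
#endif
/* mode_t is 32-bit: read the low word of the 64-bit argument slot. */
#define LO_ARG(i) (offsetof(struct seccomp_data, args[i]) + (__BYTE_ORDER == __BIG_ENDIAN ? 4 : 0))

static struct sock_filter no_setid_filter[] = {
    /* 0-2: kill the process if the syscall ABI is not the native one */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* 3-11: dispatch on the syscall number (jump targets in comments) */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_chmod,     7, 0),  /* -> 12 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmod,    6, 0),  /* -> 12 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat,  7, 0),  /* -> 14 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat2, 6, 0),  /* -> 14 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setxattr,  8, 0),  /* -> 17 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_lsetxattr, 7, 0),  /* -> 17 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fsetxattr, 6, 0),  /* -> 17 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    /* 12-14: load the mode: args[1] for chmod/fchmod, args[2] for fchmodat* */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, LO_ARG(1)),
    BPF_STMT(BPF_JMP | BPF_JA, 1),                               /* -> 15 */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, LO_ARG(2)),
    /* 15-17: allow unless a setuid/setgid bit is requested */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, S_ISUID | S_ISGID, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

int install_no_setid_filter(void)
{
    struct sock_fprog prog = { .len = sizeof no_setid_filter / sizeof *no_setid_filter,
                               .filter = no_setid_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)  /* required without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Exercise the filter in a forked child on a constructed scratch file, so the
 * caller stays unrestricted.  Returns 0 when every check passes, otherwise a
 * bitmask: 1 install failed, 2 setuid chmod allowed, 4 plain chmod blocked,
 * 8 setgid fchmod allowed, 16 setxattr allowed, 32 setup failed, 64 killed. */
int probe_filter(void)
{
    char path[] = "/tmp/nixbld-probe-XXXXXX";
    int fd = mkstemp(path), status = 0, rc = 32;
    if (fd < 0) return rc;
    pid_t pid = fork();
    if (pid == 0) {
        int bad = install_no_setid_filter() != 0;
        if (!bad) {
            if (chmod(path, 04755) == 0 || errno != EPERM) bad |= 2;
            if (chmod(path, 0755) != 0)                     bad |= 4;
            if (fchmod(fd, 02755) == 0 || errno != EPERM)   bad |= 8;
            if (setxattr(path, "user.probe", "x", 1, 0) == 0 || errno != EPERM) bad |= 16;
        }
        _exit(bad);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid)
        rc = WIFEXITED(status) ? WEXITSTATUS(status) : 64;
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    return probe_filter() != 0;   /* exit 0 when setuid/setgid and xattr creation is blocked */
}
```

Two design points: the filter inspects only the requested mode bits, which is
all this problem needs, because the store forbids setid files regardless of
who would own them; and it answers with SECCOMP_RET_ERRNO rather than killing
the builder, so a derivation that tries to create a setuid file fails with a
readable "Operation not permitted" instead of disappearing.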

On macOS, the restriction is implemented using the existing sandbox
mechanism, which now uses a minimal "allow all except the creation of
setuid/setgid binaries" profile when regular sandboxing is disabled.

On other platforms, the "build user" mechanism is now disabled.


Thank You
=========

This issue was discovered and appropriately reported by Linus
Heckemann on 2017-05-27 through the NixOS Security Team -
https://nixos.org/nixos/security.html.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

