Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

guix: fix build user takeover patch #353533

Merged
merged 1 commit into from
Nov 4, 2024
Merged

guix: fix build user takeover patch #353533

merged 1 commit into from
Nov 4, 2024

Conversation

hpfr
Copy link
Contributor

@hpfr hpfr commented Nov 3, 2024

See commit message

Please label for backport to 24.05!

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@hpfr
Copy link
Contributor Author

hpfr commented Nov 3, 2024

Hmm, unfortunately I don’t think I’m passing the vulnerability check:

1 2024-11-03 17:41:09 lh@hal $ guix repl -- ~/setuid-exposure-vuln-check.scm
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://berlin.guix.gnu.org'... 100.0%
building path(s) `/gnu/store/fv70syklakafrnyy6l4kml4pffzij14i-maybe-setuid-file'
builder for `/gnu/store/k3qkjmimd77sk6aq233x5vic66mnjiik-maybe-setuid-file.drv' failed with exit code 1
/gnu/store/fv70syklakafrnyy6l4kml4pffzij14i-maybe-setuid-file is setuid: YOUR SYSTEM IS VULNERABLE.

Run 'guix gc' to remove that file and upgrade.

@nyabinary nyabinary requested a review from cafkafk November 4, 2024 00:05
@hpfr
Copy link
Contributor Author

hpfr commented Nov 4, 2024

Never mind, I forgot to remove my original patches override (#353471) from my NixOS config, which was removing the fixes. Confirmed the check passes now.

@hpfr
guix: fix build user takeover patch
e3c99d6 
The preceding fix only applies one of two patches, which breaks builds:

   error: getting attributes of path `/gnu/store/<item>': No such file
   or directory

The Debian package maintainer, Vagrant Cascadian, is a frequent Guix
committer, so the Debian package is a suitable upstream patch source
when Guix commits require backporting to the current release tarball.

Fixes: 633a3b8 ("guix: build user takeover patch")
@hpfr hpfr force-pushed the fix/guix-user-takeover-vuln branch from aec99f8 to e3c99d6 Compare November 4, 2024 00:14
cafkafk
cafkafk reviewed Nov 4, 2024
View reviewed changes
Copy link
Member

@cafkafk cafkafk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks alright, and I do prefer just getting the patch from debian, but I kinda want to add the check script to the VM tests, I may do that today...

@wegank wegank added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Nov 4, 2024
@wegank
Copy link
Member

wegank commented Nov 4, 2024

@ofborg test guix

@hpfr
Copy link
Contributor Author

hpfr commented Nov 4, 2024 via email

@wegank wegank merged commit 5e33351 into NixOS:master Nov 4, 2024
14 of 17 checks passed
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 4, 2024

Successfully created backport PR for release-24.05:

@github-actions github-actions bot mentioned this pull request Nov 4, 2024
Merged
1 task
@cafkafk
Copy link
Member

cafkafk commented Nov 4, 2024

Good idea. I think I left the box checked for maintainer modifications, so you should be able to apply it here if you like 👍

I'll follow up (hopefully), I think it's better to just get this fix merged first tbh

@hpfr hpfr deleted the fix/guix-user-takeover-vuln branch November 9, 2024 02:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cafkafk cafkafk cafkafk left review comments

@wegank wegank wegank approved these changes

Assignees
No one assigned
Labels
12.approvals: 1 This PR was reviewed and approved by one reputable person
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Backported user takeover fix breaks Guix
3 participants
@hpfr @wegank @cafkafk