A security issue has been identified in guix-daemon which allows a local user
to gain the privileges of any of the build users and subsequently use this to
manipulate the output of any build. You are strongly advised to upgrade your
daemon now (see instructions below), especially on multi-user systems.

This exploit requires the ability to start a derivation build and the ability to
run arbitrary code with access to the store in the root PID namespace on the
machine the build occurs on. As such, this represents an increased risk
primarily to multi-user systems and systems using dedicated privilege-separation
users for various daemons: without special sandboxing measures, any process of
theirs can take advantage of this vulnerability.

Vulnerability

For a very long time, guix-daemon has helpfully made…
External feed Read More at the Source: https://guix.gnu.org/blog/2024/build-user-takeover-vulnerability//