NIX-2017-0002: users can modify builds by other users
Graham Christensen
2017-06-15 20:40:59 UTC
Nix Security Advisory
NIX-2017-0002
---------------------
users can modify / interfere with builds by other users


Description
===========

In multi-user Nix installations, to ensure that builds by unprivileged
users cannot interfere with each other, Nix performs builds under
so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user.
Only one build can run under a given build user at a time, and all
processes running under that build user are killed before and after the
build. However, the invariant that no other processes run under a given
build user can be violated through the creation of setuid executables.

The Nix store does not permit setuid executables, and Nix removes
setuid/setgid bits after builds complete. This protection, however, does
not prevent setuid binaries from being created or existing during a
build.

These setuid binaries are owned by a Nix build user (nixbld1, nixbld2,
...).

Nix build directories are world readable during a build, and it is
possible for a malicious user to execute the setuid binary before the
build completes.

Additionally, if --keep-failed is used, the setuid binary is allowed to
remain in the directory of the retained failed build.


Impact
======

A malicious user can create setuid binaries owned by a Nix build user,
allowing the attacker to interfere with subsequent builds by the same
UID.

Interference may include causing failures, injecting impurities, or
completely replacing a build with malicious output.


Vulnerable Systems
==================

All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.

Channel                 First Non-Vulnerable Version
-------                 ----------------------------
nixos-17.03             nixos-17.03.1316.412b0a17aa
nixos-17.03-small       nixos-17.03.1303.74a1ea1f89
nixos-unstable-small    nixos-17.09pre108957.0bffe03828
nixos-unstable          not yet released
nixpkgs-unstable        not yet released


Mitigation
==========

Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or
later.


Resolution
==========

Nix now prevents builders from creating setuid and setgid binaries.

On Linux, this is done using a seccomp BPF filter. Using seccomp, we now
also prevent the creation of extended attributes and POSIX ACLs since
these cannot be represented in the NAR format and (in the case of POSIX
ACLs) allow bypassing regular Nix store permissions.

On macOS, the restriction is implemented using the existing sandbox
mechanism, which now uses a minimal "allow all except the creation of
setuid/setgid binaries" profile when regular sandboxing is disabled.

On other platforms, the "build user" mechanism is now disabled.


Thank You
=========

This issue was discovered and appropriately reported by Linus Heckman on
2017-05-27 through the NixOS Security Team -
https://nixos.org/nixos/security.html.
Graham Christensen
2017-06-15 20:47:28 UTC
Please accept my apologies; I spelled *Linus Heckemann*'s name wrong by
accidentally sending a different version to nix-dev than I sent to
nix-security announce. Below is the correct advisory.

Thank you again, Linus.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Nix Security Advisory
NIX-2017-0002
2017-06-15
---------------------
users can modify / interfere with builds by other users


Description
===========

In multi-user Nix installations, to ensure that builds by unprivileged
users cannot interfere with each other, Nix performs builds under
so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user.
Only one build can run under a given build user at a time, and all
processes running under that build user are killed before and after the
build. However, the invariant that no other processes run under a given
build user can be violated through the creation of setuid executables.

The Nix store does not permit setuid executables, and Nix removes
setuid/setgid bits after builds complete. This protection, however, does
not prevent setuid binaries from being created or existing during a
build.

These setuid binaries are owned by a Nix build user (nixbld1, nixbld2,
...).

Nix build directories are world readable during a build, and it is
possible for a malicious user to execute the setuid binary before the
build completes.

Additionally, if --keep-failed is used, the setuid binary is allowed to
remain in the directory of the retained failed build.


Impact
======

A malicious user can create setuid binaries owned by a Nix build user,
allowing the attacker to interfere with subsequent builds by the same
UID.

Interference may include causing failures, injecting impurities, or
completely replacing a build with malicious output.


Vulnerable Systems
==================

All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.

Channel                 First Non-Vulnerable Version
-------                 ----------------------------
nixos-17.03             nixos-17.03.1316.412b0a17aa
nixos-17.03-small       nixos-17.03.1303.74a1ea1f89
nixos-unstable-small    nixos-17.09pre108957.0bffe03828
nixos-unstable          not yet released
nixpkgs-unstable        not yet released


Mitigation
==========

Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or
later.


Resolution
==========

Nix now prevents builders from creating setuid and setgid binaries.

On Linux, this is done using a seccomp BPF filter. Using seccomp, we now
also prevent the creation of extended attributes and POSIX ACLs since
these cannot be represented in the NAR format and (in the case of POSIX
ACLs) allow bypassing regular Nix store permissions.

On macOS, the restriction is implemented using the existing sandbox
mechanism, which now uses a minimal "allow all except the creation of
setuid/setgid binaries" profile when regular sandboxing is disabled.

On other platforms, the "build user" mechanism is now disabled.


Thank You
=========

This issue was discovered and appropriately reported by Linus
Heckemann on 2017-05-27 through the NixOS Security Team -
https://nixos.org/nixos/security.html.
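The Linux resolution above (a seccomp BPF filter that stops a builder from creating setuid/setgid files and from setting extended attributes) can be illustrated with a small stand-alone filter. This is an added example, not Nix's own filter code: it returns EPERM for chmod/fchmod/fchmodat when the requested mode carries S_ISUID or S_ISGID and ENOTSUP for the setxattr family (the ENOTSUP choice, the function names install_setid_filter/try_chmod/try_fchmod, and the restriction to Linux x86_64 with glibc are this example's assumptions).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define LOAD(field) BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, field))
/* Deny `sysnr` with EPERM when its mode argument args[idx] carries S_ISUID or S_ISGID.
 * Jump targets are relative to the 6-instruction block, so blocks can be listed in any order. */
#define DENY_SETID(sysnr, idx) \
  LOAD(nr), BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (sysnr), 0, 4), \
  LOAD(args[idx]), BPF_JUMP(BPF_JMP|BPF_JSET|BPF_K, S_ISUID|S_ISGID, 0, 1), \
  BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|EPERM), BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW)
/* Deny `sysnr` unconditionally: xattrs (and hence POSIX ACLs) cannot be represented in a NAR. */
#define DENY_ALWAYS(sysnr, err) \
  LOAD(nr), BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (sysnr), 0, 1), BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|(err))

static struct sock_filter filter[] = {
  LOAD(arch), BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, AUDIT_ARCH_X86_64, 1, 0),
  BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),      /* foreign ABI: kill rather than guess */
  DENY_SETID(__NR_chmod, 1),                      /* chmod(path, mode)                  */
  DENY_SETID(__NR_fchmod, 1),                     /* fchmod(fd, mode)                   */
  DENY_SETID(__NR_fchmodat, 2),                   /* fchmodat(dirfd, path, mode, flags) */
  DENY_ALWAYS(__NR_setxattr, ENOTSUP),
  DENY_ALWAYS(__NR_lsetxattr, ENOTSUP),
  DENY_ALWAYS(__NR_fsetxattr, ENOTSUP),
  BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),     /* every other syscall is unaffected  */
};

/* Install the filter in the calling process (a builder would do this before exec'ing
 * the build script). Returns 0 on success, -1 if seccomp filtering is unavailable. */
int install_setid_filter(void) {
  struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
  return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Return 0 if the mode change succeeded, otherwise errno (EPERM once the filter is active). */
int try_chmod(const char *path, mode_t mode) { return chmod(path, mode) == 0 ? 0 : errno; }
int try_fchmod(int fd, mode_t mode) { return fchmod(fd, mode) == 0 ? 0 : errno; }
```

Once installed the filter is inherited across fork and exec, so a build script that runs `chmod u+s` sees EPERM rather than a setuid file appearing in the build directory.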
