2017-06-15 20:40:59 UTC
users can modify / interfere with builds by other users
In multi-user Nix installations, to ensure that builds by unprivileged
users cannot interfere with each other, Nix performs builds under
so-called "build users" (nixbld1, nixbld2, ...) on behalf of the user.
Only one build can run under a given build user at a time, and all
processes running under that build user are killed before and after the
build. However, the invariant that no other processes run under a given
build user can be violated through the creation of setuid executables.
The Nix store does not permit setuid executables, and Nix removes
setuid/setgid bits after builds complete. This protection, however, does
not prevent setuid binaries from being created or existing during a
These setuid binaries are owned by a Nix build user (nixbld1, nixbld2,
Nix build directories are world readable during a build, and it is
possible for a malicious user to execute the setuid binary before the
Additionally, if --keep-failed is used the setuid binary is allowed to
remain in the directory of the retained failed build.
A malicious user can create setuid binaries owned by a Nix build user,
allowing the attacker to interfere with subsequent builds by the same
Interference may include causing failures, injecting impurities, or
completely replacing a build with malicious output.
All Nix 1.11 versions before 1.11.10 are vulnerable.
All Nix 1.12 versions before 1.12pre5413_b4b1f452 are vulnerable.
Channel            First Non-Vulnerable Version
nixos-unstable     not yet released
nixpkgs-unstable   not yet released
Upgrade Nix Stable to 1.11.10 or Nix Unstable to 1.12pre5413_b4b1f452 or
Nix now prevents builders from creating setuid and setgid binaries.
On Linux, this is done using a seccomp BPF filter. Using seccomp, we now
also prevent the creation of extended attributes and POSIX ACLs since
these cannot be represented in the NAR format and (in the case of POSIX
ACLs) allow bypassing regular Nix store permissions.
On macOS, the restriction is implemented using the existing sandbox
mechanism, which now uses a minimal "allow all except the creation of
setuid/setgid binaries" profile when regular sandboxing is disabled.
On other platforms, the "build user" mechanism is now disabled.
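The Linux mitigation described above, as an added example rather than Nix's own code: a raw seccomp-BPF filter installed in the builder process that makes chmod/fchmod/fchmodat fail with EPERM whenever the requested mode carries S_ISUID or S_ISGID, and refuses the setxattr family outright (the path by which POSIX ACLs, which a NAR cannot represent, would be created). The real Nix implementation uses libseccomp; this version builds the program by hand so it needs only kernel headers. It assumes a little-endian x86_64 or aarch64 Linux host, and the scratch file path and the helper names (install_builder_filter, try_chmod, try_fchmodat, run_demo) are this example's own.

```c
/*
 * Added example (not Nix's own code): a seccomp-BPF filter that stops a
 * builder from creating setuid/setgid binaries or extended attributes.
 * Assumes little-endian x86_64 or aarch64 Linux.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "example only covers x86_64 and aarch64"
#endif
#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "argument offsets below assume a little-endian host"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* chmod(2) does not exist on aarch64; give it a number no syscall has. */
#ifdef __NR_chmod
#define NR_CHMOD __NR_chmod
#else
#define NR_CHMOD 0xFFFFFFFFu
#endif

#define ARG_LO(i)  (offsetof(struct seccomp_data, args[i])) /* low 32 bits */
#define SETID_BITS (S_ISUID | S_ISGID)
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Installs the filter into the calling process. Returns 0 on success. */
int install_builder_filter(void)
{
    struct sock_filter prog[] = {
        /* 0-2: kill if the ABI is not the one the syscall numbers belong to */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3: load the syscall number */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* 4-6: xattrs (and so POSIX ACLs) cannot live in a NAR: always EPERM */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setxattr,  10, 0), /* -> 15 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_lsetxattr,  9, 0), /* -> 15 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fsetxattr,  8, 0), /* -> 15 */
        /* 7-9: mode-changing syscalls jump to the check of their mode arg */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_CHMOD,        3, 0), /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmod,     2, 0), /* -> 11 */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat,   3, 0), /* -> 13 */
        /* 10: every other syscall is allowed */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* 11-12: chmod/fchmod carry the mode in args[1] */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(1)),
        BPF_STMT(BPF_JMP | BPF_JA, 1),
        /* 13: fchmodat carries the mode in args[2] */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(2)),
        /* 14-16: any setuid/setgid bit set -> EPERM, otherwise allow */
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, SETID_BITS, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* An unprivileged process may only install a filter with no_new_privs set. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) == 0 ? 0 : -1;
}

/* Each returns 0 on success or -errno, so a caller can see the EPERM. */
int try_chmod(const char *path, mode_t mode)
{
    return chmod(path, mode) == 0 ? 0 : -errno;
}
int try_fchmodat(const char *path, mode_t mode)
{
    return fchmodat(AT_FDCWD, path, mode, 0) == 0 ? 0 : -errno;
}

/* Self-check: 0 when the filter behaves as described, else the failing step. */
int run_demo(void)
{
    char path[] = "/tmp/nix-setuid-demo-XXXXXX"; /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    int rc = 0;
    if (install_builder_filter() != 0)            rc = 2;
    else if (try_chmod(path, 0755) != 0)          rc = 3; /* plain modes still work */
    else if (try_chmod(path, 04755) != -EPERM)    rc = 4; /* setuid refused */
    else if (try_fchmodat(path, 02755) != -EPERM) rc = 5; /* setgid refused */
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "filter works" : "unexpected result", rc);
    return rc;
}
```

In a real builder the filter is installed in the child immediately before it executes the build script, and it stays in force for every process the build spawns, which is what makes the "no setuid binary can exist during the build" property hold. The masked compare only rejects modes that add the two bits, so a builder can still clear them; the xattr rule is deliberately unconditional, since no xattr can be represented in the store anyway.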
This issue was discovered and appropriately reported by Linus Heckemann on
2017-05-27 through the NixOS Security Team -