guix: build user takeover patch

guix has recently announced a security vulnerability that allows local users to gain priveleges of build users, and further manipulate output of any build (including with setguid). This commit fixes the issue by backporting the remediation commits pushed to guix main to 1.4.0 as a patch. Users will still have to reboot and follow other remediation steps as described in the guix blogpost. Refs: https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability/ Signed-off-by: Christina Sørensen <christina@cafkafk.com> (cherry picked from commit 633a3b8)
NixOS · Oct 28, 2024 · 0ab5170 · 0ab5170
1 parent 4fbe49d
commit 0ab5170
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch b/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
@@ -0,0 +1,42 @@
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index c5383bc..50d1abc 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
+         Path actualPath = path;
+         if (useChroot) {
+             actualPath = chrootRootDir + path;
+-            if (pathExists(actualPath)) {
+-                /* Move output paths from the chroot to the store. */
+-                if (buildMode == bmRepair)
+-                    replaceValidPath(path, actualPath);
+-                else
+-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+-            }
+-            if (buildMode != bmCheck) actualPath = path;
+         } else {
+             Path redirected = redirectedOutputs[path];
+             if (buildMode == bmRepair
+@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
+                something like that. */
+             canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
+
++            if (useChroot) {
++                if (pathExists(actualPath)) {
++                    /* Now that output paths have been canonicalized (in particular
++                    there are no setuid files left), move them outside of the
++                    chroot and to the store. */
++                    if (buildMode == bmRepair)
++                        replaceValidPath(path, actualPath);
++                    else
++                        if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
++                            throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
++                }
++                if (buildMode != bmCheck) actualPath = path;
++            }
++
++
+             /* FIXME: this is in-memory. */
+             StringSink sink;
+             dumpPath(actualPath, sink);
diff --git a/pkgs/by-name/gu/guix/package.nix b/pkgs/by-name/gu/guix/package.nix
@@ -56,6 +56,9 @@ stdenv.mkDerivation rec {
       url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
       hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
     })
+    # manual port of build user takeover remediation commit
+    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
+    ./guix-build-user-takeover-fix.patch
   ];
 
   postPatch = ''