Impact
A build process has access to and can change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user can assume the permissions of a Nix daemon worker and hijack all future builds.
Concretely, this can happen when all the following conditions are met:
- The attacker has access to a local user
- The local user has access to the Nix daemon (but does not have to be a trusted user)
- seccomp is disabled (if the sandbox is disabled or filter-syscalls is set to false on Linux) or ineffective (fixed in #10501)
Patches
The patch changes the location of the build process to occur in a sub-directory owned by and accessible only to the Nix daemon, which means that a derivation cannot alter the permissions to make it world-readable.
Workarounds
- If your Nix version is >= 2.22, set build-dir to a location that is only accessible by root (added in #10312)
- Otherwise, run your Nix daemon with $TMPDIR set to a location only accessible by root
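Both workarounds depend on the chosen directory actually being private to root. The following POSIX shell check, added here and not part of the advisory or of Nix itself, verifies that a candidate build-dir or $TMPDIR exists, is owned by the expected uid (0 by default) and grants no group or other permissions; the function name and the optional uid argument are this example's own.

```shell
#!/bin/sh
# Verify that a directory is suitable as a root-only Nix build-dir / TMPDIR.
# Usage: dir_is_private_to <dir> [uid]   (uid defaults to 0, i.e. root)
# Returns 0 when the directory is owned by <uid> and has mode ?rwx------,
# 1 otherwise, with the reason printed on stderr.
dir_is_private_to() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # ls -ldn prints e.g. "drwx------ 2 0 0 4096 Jan  1 00:00 /nix/build":
    # field 1 is the symbolic mode, field 3 the numeric owner uid.
    # (Paths containing whitespace would shift later fields, but not these two.)
    set -- $(ls -ldn "$dir")
    mode=$1
    uid=$3

    [ "$uid" = "$want_uid" ] || {
        echo "owner uid is $uid, expected $want_uid: $dir" >&2; return 1; }

    # Characters 5-10 of the mode string are the group and other permission
    # bits; all six must be '-' for the directory to be private to its owner.
    rest=$(printf '%s' "$mode" | cut -c5-10)
    [ "$rest" = "------" ] || {
        echo "group/other have access ($mode): $dir" >&2; return 1; }

    return 0
}
```

Source the script and run `dir_is_private_to /path/to/build-dir` before pointing the daemon at it; note that POSIX ACLs (a trailing `+` in the mode string) are not inspected by this check.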