Perlless Activation - Tracking Issue

[nikstur]

This is a tracking issue for the perlless activation effort started at OceanSprint.

See this HedgeDoc for a general overview of the strategy for this.

See the Boot Security Meta Tracking Issue for the larger effort of which this work is a part.

Associated PRs:

• Replace simple activationScripts  #263203
• Rebuildable system & appliance #263462
• systemd: enable sysusers by default #264879
• nixos: replace activationScripts 2/x #267983
• nixos/switch-to-configuration: remove explicit tmpfiles invocation #269983
• nixos/switch-to-configuration: add sysinit-reactivation.target #271067
• Perlless Activation #270727

Bug Fixes:

• systemd domainname unit - use nix store path of net tools for domainname  #264082
• Revert "nixos/activation: remove specialfs activationScript" #264200
• nixos/nix-channel: fix subscribing to default channel #264608
• nixos/nix-channnel: fix setting up the default channel again #264831
• nixos/tests/systemd-timesyncd: tmpfiles.rules -> tmpfiles.settings #270000
• Revert "nixos/switch-to-configuration: remove explicit tmpfiles invocation" #270838

Please help me review open PRs, if you're passionate about this!

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixpkgs-supply-chain-security-project/34345/8

[asymmetric]

@nikstur I don't know if this is the place to ask, but could you provide more details about the specific ways in which interpreters are an attack surface? The linked document only states that they are, without showing how.

I'm sure you've thought this through, but for the benefits of others who haven't (like me!), I think it would be good to document it.

[nikstur]

@asymmetric that's a good point. I'll expand on my motivation in that document.

[nikstur]

@asymmetric I added some more detail but most importantly a link to the Mitre attack technique T1059 which also lists how this technique has been used in the wild. Hope this helps/is enough to explain why this work is interesting.

[RaitoBezarius]

I will add:

https://lwn.net/Articles/832959/
https://github.com/clipos-archive/clipos4_doc
https://www.youtube.com/watch?v=chNjCRtPKQY&t=1035s

That is, no need for O_MAYEXEC or interpreter cooperation… if you don't have interpreters!

[ghost]

@nikstur I don't know if this is the place to ask, but could you provide more details about the specific ways in which interpreters are an attack surface? The linked document only states that they are, without showing how.

I'm interested in the same thing, and I don't feel like the question has really been answered. All the comments in this thread are just link dumps.

most importantly a link to the Mitre attack technique T1059

This is confused... just because Mitre lists something as having been used by BadGuys(tm) does not mean it is a good idea to get rid of it. For example, all of the following are "Mitre attack techniques":

• T1087 Local Accounts
• T1098 SSH Authorized Keys
• T1583 DNS servers

Are we going to remove local accounts, ssh keys, and dns servers from NixOS? SSH keys sure sound a lot scarier when you call them "MITRE Attack Technique T1098". I found these three "attack techniques" by skimming just the first 5% of Mitre's list.

I heard this rumor that hackers even use the ALU in your CPU. Ban all the ALUs! Get rid of the adders! Purge the multipliers! Burn the floating-point unit with fire! 🔥 🔥 🔥

Seriously.

The "all interpreters are bad" is really more of a cultural thing emanating from certain software companies that historically prefer a producer/consumer relationship rather than the collaborative kind of user-as-developer relationship that interpreters (like Nix!) engender. That's fine, that's their preference. But the campaign to spin it as a security matter borders on silliness.

All that being said, less perl in my life would be a great thing. But the problem isn't interpreters, it's just perl.

[nikstur]

Take from it what you will. You don't like Perl, I'm happy.