NixOS Security Triage | 682 Members
Coordination and triage of security issues in nixpkgs | 214 Servers

| Sender | Message | Time |
|---|---|---|
| 30 May 2021 | | |
| | afaik nix-collect-garbage should take care of old versions lying in /nix/store, right? | 18:32:43 |
| | you should be able to install the store into your home dir | 18:32:47 |
| | One thing you could probably look into more: Time to rollout of fixes after they have been committed. How long does a rebuild of the closure take for an "average" user? Is that a huge downside? How much does this increase the risk of someone exploiting your systems? | 18:33:21 |
| | kunrooted: yes, nix-collect-garbage will do that while still honoring generations/profiles. | 18:33:52 |
| | In reply to @andi:kack.it: okie | 18:34:57 |
| | I also have a 'topic list' for now, maybe this will generate even more ideas if I share it: in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover | 18:36:03 |
| | * I also have a 'topic list' for now, maybe this will generate even more ideas if I share it: in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine | 18:36:19 |
| | about unprivileged users being able to install packages: That is true on any normal linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to. | 18:38:41 |
| | I also have a few ideas for PoCs on how to demonstrate downsides of our current stuff and what the average NixOS contributor should be aware of... DM me (in a few days/weeks) if you feel like you need more :) | 18:38:44 |
| | I thought about mentioning security of NixOS containers where root in container is root on the host | 18:39:07 |
| | * I thought about mentioning security of NixOS containers where root in container is root on the host. This was mitigated some time ago IIRC? | 18:39:11 |
| | In reply to @philipp:xndr.de: you can limit them | 18:39:11 |
| | * This was mitigated some time ago IIRC? | 18:39:16 |
| | afaik | 18:39:16 |
| | you can make specific users have write access to just specific things, it's really flexible af | 18:39:37 |
| | You can set noexec on ~ | 18:39:39 |
| | In reply to @andi:kack.it: it won't be an issue anymore? | 18:39:55 |
| | I vaguely recall someone talking about it months ago | 18:40:10 |
| | I was writing a container a while ago and it was mentioned as an issue then by some of my colleagues | 18:40:14 |
| | perhaps this? https://github.com/NixOS/nixpkgs/pull/67336 | 18:41:05 |
| | ah, so it limits a root on the container? | 18:41:36 |
| | I think that still not many people might know about this option | 18:42:19 |
| | It wasn't merged yet so who knows what the actual state is :D | 18:42:43 |
| | yeah, it's a 'draft', weird | 18:42:53 |
| 31 May 2021 | | |
| | | 08:23:41 |
| | hah. i've heard of squash-merges before but this author squashes their entire releases https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3 | 13:01:19 |
| | luckily the search_path changes are all i need and they are separable by file | 13:01:56 |
| | nothing fetchpatch can't handle | 13:02:09 |
| | still | 13:02:12 |