!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

Coordination and triage of security issues in nixpkgs
691 Members, 216 Servers



1 Jul 2021
balsoft (@balsoft:balsoft.ru): Imagine that somewhere in the build there's basically: if some_nondeterministic_condition then echo "malicious stuff" >> $out/bin/foo  11:24:24
kunrooted (@kunrooted:matrix.org): my best idea was to inject a derivation which would build something like gtfo bin  11:24:31
balsoft (@balsoft:balsoft.ru): Then Eve can figure out the dependency tree of the system, and build this nondeterministic derivation with the condition triggered before Adam does  11:24:59
balsoft (@balsoft:balsoft.ru): But it's such a low-probability attack that a sha256 collision is more likely I think  11:25:20
philipp (@philipp:xndr.de): [Redacted or Malformed Event]  11:25:30
balsoft (@balsoft:balsoft.ru):
> In reply to kunrooted (@kunrooted:matrix.org): my best idea was to inject a derivation which would build something like gtfo bin
What do you mean  11:25:46
balsoft (@balsoft:balsoft.ru): You can put whatever in the nix store, but the path will be decided by the nix daemon based on the derivation, that's the point  11:26:07
balsoft (@balsoft:balsoft.ru): If you just put "something" malicious in the store, it will not be used by other users unless they explicitly do it  11:26:33
kunrooted (@kunrooted:matrix.org): so how can I force them to use it  11:26:58
balsoft (@balsoft:balsoft.ru): Social engineering at best  11:27:06
kunrooted (@kunrooted:matrix.org): And by gtfo bins I meant things from this project: https://gtfobins.github.io/  11:27:13
balsoft (@balsoft:balsoft.ru): Nah it doesn't matter  11:27:20
balsoft (@balsoft:balsoft.ru): If you can convince them to run a random script from a nix store, then yes  11:27:40
kunrooted (@kunrooted:matrix.org): okay so I can build the thing with exactly the same hash?  11:27:40
Synthetica (@synthetica:matrix.org): I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻  11:27:57
balsoft (@balsoft:balsoft.ru): Theoretically yes, practically it's extremely unlikely  11:28:03
Synthetica (@synthetica:matrix.org): I suppose that could be a security risk  11:28:14
balsoft (@balsoft:balsoft.ru):
> In reply to Synthetica (@synthetica:matrix.org): I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻
Ah, yes, that's a really good one  11:28:18
Synthetica (@synthetica:matrix.org): so if you get your derivation with a sufficiently low (in orthographic order) hash you can make sure you're first on that list  11:28:57
Synthetica (@synthetica:matrix.org): And maybe trick a user into doing something dumb that way  11:29:09
balsoft (@balsoft:balsoft.ru): The point is that it still requires a bit of social engineering  11:29:26
Synthetica (@synthetica:matrix.org): Yes of course  11:29:34
Synthetica (@synthetica:matrix.org): Or luck I guess  11:29:48
balsoft (@balsoft:balsoft.ru): So, to paraphrase, kunrooted, if you're worried about these sorts of things you should first worry about all the ez root vulnerabilities in Linux itself  11:30:11
balsoft (@balsoft:balsoft.ru): And maybe not give untrusted users access to your computer  11:30:27
balsoft (@balsoft:balsoft.ru): Or at least put them in separate containers  11:30:34
Synthetica (@synthetica:matrix.org): Is it possible to deny "regular" users the -x flag on /nix/store so you can't do that?  11:31:08
kunrooted (@kunrooted:matrix.org): Can we consider NixOS containers a security concern?  11:31:23
kunrooted (@kunrooted:matrix.org):
> In reply to balsoft (@balsoft:balsoft.ru): So, to paraphrase, kunrooted, if you're worried about these sorts of things you should first worry about all the ez root vulnerabilities in Linux itself
okie, thanks  11:31:35
Synthetica (@synthetica:matrix.org): As in QEMU containers?  11:31:37


