| 1 Jul 2021 |
balsoft | Imagine that somewhere in the build there's basically if some_nondeterministic_condition then echo "malicious stuff" >> $out/bin/foo | 11:24:24 |
kunrooted | my best idea was to inject a derivation which would build something like gtfo bin | 11:24:31 |
balsoft | Then Eve can figure out the dependency tree of the system, and build this nondeterministic derivation with the condition triggered before Adam does | 11:24:59 |
balsoft | But it's such a low-possibility attack that a sha256 collision is more likely I think | 11:25:20 |
balsoft | In reply to @kunrooted:matrix.org: "my best idea was to inject a derivation which would build something like gtfo bin" What do you mean | 11:25:46 |
balsoft | You can put whatever in the nix store, but the path will be decided by the nix daemon based on the derivation, that's the point | 11:26:07 |
balsoft | If you just put "something" malicious in the store, it will not be used by other users unless they explicitly do it | 11:26:33 |
kunrooted | so how can I force them to use it | 11:26:58 |
balsoft | Social engineering at best | 11:27:06 |
kunrooted | And by gtfo bins I meant things from this project: https://gtfobins.github.io/ | 11:27:13 |
balsoft | Nah it doesn't matter | 11:27:20 |
balsoft | If you can convince them to run a random script from a nix store, then yes | 11:27:40 |
kunrooted | okay so I can build the thing with exactly the same hash? | 11:27:40 |
Synthetica | I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻 | 11:27:57 |
balsoft | Theoretically yes, practically it's extremely unlikely | 11:28:03 |
Synthetica | I suppose that could be a security risk | 11:28:14 |
balsoft | In reply to @synthetica:matrix.org: "I sometimes do ls /nix/store/*-*/bin/mybinary to grab a version of a binary I've used before but don't want to nix-shell? 🤷🏻" Ah, yes, that's a really good one | 11:28:18 |
Synthetica | so if you get your derivation with a sufficiently low (in orthographic order) hash you can make sure you're first on that list | 11:28:57 |
Synthetica | And maybe trick a user into doing something dumb that way | 11:29:09 |
balsoft | The point is that it still requires a bit of social engineering | 11:29:26 |
Synthetica | Yes of course | 11:29:34 |
Synthetica | Or luck I guess | 11:29:48 |
balsoft | So, to paraphrase, kunrooted, if you're worried about these sorts of things you should first worry about all the ez root vulnerabilities in Linux itself | 11:30:11 |
balsoft | And maybe not give untrusted users access to your computer | 11:30:27 |
balsoft | Or at least put them in separate containers | 11:30:34 |
Synthetica | Is it possible to deny "regular" users the -x flag on /nix/store so you can't do that? | 11:31:08 |
kunrooted | Can we consider NixOS containers a security concern? | 11:31:23 |
kunrooted | In reply to @balsoft:balsoft.ru: "So, to paraphrase, kunrooted, if you're worried about these sorts of things you should first worry about all the ez root vulnerabilities in Linux itself" okie, thanks | 11:31:35 |
Synthetica | As in QEMU containers? | 11:31:37 |