!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

622 Members
Coordination and triage of security issues in nixpkgs197 Servers

30 May 2021
[18:32:43] kunrooted (@kunrooted:matrix.org): afaik nix-collect-garbage should take care of old versions lying in /nix/store, right?
[18:32:47] Sandro (@sandro:supersandro.de): you should be able to install the store into your home dir
[18:33:21] andi- (@andi:kack.it): One thing you could probably look into more: Time to rollout of fixes after they have been committed. How long does a rebuild of the closure take for an "average" user? Is that a huge downside? How much does this increase the risk of someone exploiting your systems?
[18:33:52] andi- (@andi:kack.it): kunrooted: yes, nix-collect-garbage will do that while still honoring generations/profiles.
[18:34:57] kunrooted (@kunrooted:matrix.org), in reply to andi- (@andi:kack.it):
> One thing you could probably look into more: Time to rollout of fixes after they have been committed. How long does a rebuild of the closure take for an "average" user? Is that a huge downside? How much does this increase the risk of someone exploiting your systems?
okie
[18:36:03] kunrooted (@kunrooted:matrix.org):
I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:

okay so something about atomic upgrades def.
The potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
I only use the original version of any software I have installed
I wanted to mention nixos-infect which can turn an AWS instance into a NixOS install
And maybe the state of security tools for NixOS
unprivileged users can install packages

in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover
[18:38:37] kunrooted (@kunrooted:matrix.org) (edited):
I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:

okay so something about atomic upgrades def.
The potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
(lol, someone's other msg was in here, haven't noticed that before)
I wanted to mention nixos-infect which can turn an AWS instance into a NixOS install
And maybe the state of security tools for NixOS
unprivileged users can install packages

in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine
[18:38:41] philipp (@philipp:xndr.de): about "unprivileged users can install packages": that is true on any normal Linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to.
[18:38:44] andi- (@andi:kack.it): I also have a few ideas for PoCs on how to demonstrate downsides of our current stuff and what the average NixOS contributor should be aware of... DM me (in a few days/weeks) if you feel like you need more :)
[18:39:07] andi- (@andi:kack.it):
> I thought about mentioning security of NixOS containers where root in container is root on the host
This was mitigated some time ago IIRC?
[18:39:11] kunrooted (@kunrooted:matrix.org), in reply to philipp (@philipp:xndr.de):
> about "unprivileged users can install packages": that is true on any normal Linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to.
you can limit them
[18:39:16] kunrooted (@kunrooted:matrix.org): afaik
[18:39:37] kunrooted (@kunrooted:matrix.org): you can make specific users have write access to just specific things, it's really flexible af
[18:39:39] andi- (@andi:kack.it): You can set noexec on ~
[18:39:55] kunrooted (@kunrooted:matrix.org), in reply to andi- (@andi:kack.it):
> I thought about mentioning security of NixOS containers where root in container is root on the host
> This was mitigated some time ago IIRC?
it won't be an issue anymore?
[18:40:10] andi- (@andi:kack.it): I vaguely recall someone talking about it months ago
[18:40:14] kunrooted (@kunrooted:matrix.org): I was writing a container a while ago and it was mentioned as an issue then by some of my colleagues
[18:41:05] andi- (@andi:kack.it): perhaps this? https://github.com/NixOS/nixpkgs/pull/67336
[18:41:36] kunrooted (@kunrooted:matrix.org): ah, so it limits root on the container?
[18:42:19] kunrooted (@kunrooted:matrix.org): I think that still not many people might know about this option
[18:42:43] andi- (@andi:kack.it): It wasn't merged yet so who knows what the actual state is :D
[18:42:53] kunrooted (@kunrooted:matrix.org): yeah, it's a 'draft', weird
31 May 2021
[08:23:41] 0x4A6F (@0x4a6f:matrix.org) changed their display name from [0x4A6F] to 0x4A6F.
[13:01:19] ris_ (@r_i_s:matrix.org): hah. I've heard of squash-merges before but this author squashes their entire releases https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3
[13:01:56] ris_ (@r_i_s:matrix.org): luckily the search_path changes are all I need and they are separable by file
[13:02:09] ris_ (@r_i_s:matrix.org): nothing fetchpatch can't handle
[13:02:12] ris_ (@r_i_s:matrix.org): still
