!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

692 Members, 215 Servers
Coordination and triage of security issues in nixpkgs

30 May 2021

[18:24:10] kunrooted (@kunrooted:matrix.org): both I'd say
[18:24:25] andi- (@andi:kack.it): ok
[18:24:30] kunrooted (@kunrooted:matrix.org): I even tried making NixOS play nice in Bedrock but failed (for now only, I'll continue research in that matter)
[18:25:59] andi- (@andi:kack.it): So what I meant to say is: If we today encounter an issue with OpenSSL $version and we make a commit that bumps OpenSSL to $version+1 that is no longer affected by $heartbleed, then we have a single git commit id that we can use to tell people: If you run anything >= $commit then your systems are not affected anymore.
[18:26:15] andi- (@andi:kack.it): And we can also say: If you run < $commit you are (very?) likely affected
[18:26:23] kunrooted (@kunrooted:matrix.org):
> In reply to @kunrooted:matrix.org: I even tried making NixOS play nice in Bedrock but failed (for now only, I'll continue research in that matter)
https://github.com/bedrocklinux/bedrocklinux-userland/issues/221
link related
[18:26:46] kunrooted (@kunrooted:matrix.org):
> In reply to @andi:kack.it: So what I meant to say is: If we today encounter an issue with OpenSSL $version and we make a commit that bumps OpenSSL to $version+1 that is no longer affected by $heartbleed, then we have a single git commit id that we can use to tell people: If you run anything >= $commit then your systems are not affected anymore.
yeah, quite simple concept I think
[18:26:53] andi- (@andi:kack.it): Whilst with Debian, Ubuntu, RHEL, ... you'd have to stick to timestamps (uploaded to the repos) and package versions (that contain a fix)
[18:27:19] andi- (@andi:kack.it): And to make it worse, tell everyone which of the many repos have been updated
[18:27:28] andi- (@andi:kack.it): Granted, in practice that is slightly different, but you get the picture.
[18:27:38] andi- (@andi:kack.it): You have a lot more movable parts that have to be checked.
[18:27:41] kunrooted (@kunrooted:matrix.org): yeah, on non-Nix packages you're forced to that and you have no ability to use specific commits of software
[18:28:08] kunrooted (@kunrooted:matrix.org): I liked that
[18:28:11] andi- (@andi:kack.it): a) do I have the security repo? b) did I update the repo before installing upgrades/updates? c) Was my mirror up2date?
[18:28:22] kunrooted (@kunrooted:matrix.org): * I liked that in Nix and especially in flakes where I have more control over that
[18:29:18] philipp (@philipp:xndr.de): andi-: My question on non-NixOS systems is usually "what version is that package", then list it via the package manager and check whether the version of that specific package is sufficient.
[18:29:44] kunrooted (@kunrooted:matrix.org): btw, how well does single-user install of Nix work?
[18:30:21] kunrooted (@kunrooted:matrix.org): because when all users have access to /nix/store, it doesn't sound good, or maybe I'm not experienced enough to block it in another way than just performing a single-user installation of Nix on non-NixOS
[18:30:35] kunrooted (@kunrooted:matrix.org): on NixOS all users have access to /nix/store, am I right?
[18:30:54] andi- (@andi:kack.it): Yeah, you can have old (vulnerable) paths in /nix/store even after upgrading your system.
[18:31:30] andi- (@andi:kack.it): but that is kind of the point. You want the ability to go back or, in Debian speech, downgrade a package again if it turns out to be making trouble.
[18:32:43] kunrooted (@kunrooted:matrix.org): afaik nix-collect-garbage should take care of old versions lying in /nix/store, right?
[18:32:47] Sandro (@sandro:supersandro.de): you should be able to install the store into your home dir
[18:33:21] andi- (@andi:kack.it): One thing you could probably look into more: Time to rollout of fixes after they have been committed. How long does a rebuild of the closure take for an "average" user? Is that a huge downside? How much does this increase the risk of someone exploiting your systems?
[18:33:52] andi- (@andi:kack.it): kunrooted: yes, nix-collect-garbage will do that while still honoring generations/profiles.
[18:34:57] kunrooted (@kunrooted:matrix.org):
> In reply to @andi:kack.it: One thing you could probably look into more: Time to rollout of fixes after they have been committed. How long does a rebuild of the closure take for an "average" user? Is that a huge downside? How much does this increase the risk of someone exploiting your systems?
okie
[18:36:03] kunrooted (@kunrooted:matrix.org):
I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:

okay so something about atomic upgrades def.
The potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
I only use the original version of any software I have installed
I wanted to mention nixos-infect which can turn an AWS instance into a NixOS install
And maybe the state of security tools for NixOS
unprivileged users can install packages

in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover

[18:36:19] kunrooted (@kunrooted:matrix.org): * (edited)
I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:

okay so something about atomic upgrades def.
The potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
I only use the original version of any software I have installed
I wanted to mention nixos-infect which can turn an AWS instance into a NixOS install
And maybe the state of security tools for NixOS
unprivileged users can install packages

in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine

[18:38:37] kunrooted (@kunrooted:matrix.org): * (edited)
I also have a 'topic list' for now, maybe this will generate even more ideas if I share it:

okay so something about atomic upgrades def.
The potential of supply chain attacks
I thought about mentioning security of NixOS containers where root in container is root on the host
The problem with pre-compiled binaries
/nix/store paths and not /bin for software
I wanted to mention dependency confusion as well in the topic of sca in Nix/NixOS
(lol, someone's other msg was in here, haven't noticed that before)
I wanted to mention nixos-infect which can turn an AWS instance into a NixOS install
And maybe the state of security tools for NixOS
unprivileged users can install packages

in the meantime, I made a PoC of interpreter/loader/library hijack, which I'll also try to cover as a topic in that paper of mine

[18:38:41] philipp (@philipp:xndr.de): about "unprivileged users can install packages": That is true on any normal Linux desktop/server. Even if the package manager doesn't help you, local users will be able to execute all the code they want to.