| 28 Jun 2021 |
|  julm joined the room. | 00:06:40 |
| julm left the room. | 19:28:18 |
| julm joined the room. | 19:28:21 |
| julm left the room. | 20:03:35 |
| julm joined the room. | 22:09:53 |
| 29 Jun 2021 |
| julm left the room. | 03:50:40 |
| julm joined the room. | 05:52:08 |
 hexa | https://github.com/NixOS/nixpkgs/pull/127172 | 21:09:38 |
| hexa | fixes a long-standing exiv2 security issue, but needs backporting. I tried adapting the patches once and failed, I don't want to try again, so I slapped the backport label on it. | 21:10:12 |
| hexa | 0.27.3 is also what we have in 20.09, so in theory we could bump it there as well | 21:10:33 |
| hexa | in other news: 25h support for 20.09 left on my clock (CEST) | 21:10:57 |
| 30 Jun 2021 |
|  mingovanburne joined the room. | 03:53:18 |
| 1 Jul 2021 |
 kunrooted | asked on FP Slack, will ask in here as well | 11:18:33 |
| kunrooted | okay so let's assume we have Situation like this:
we have two users, Adam and Eve, while Adam has root access/is root himself. Can Eve 'infect' his /nix/store with malicious Code? Also, how one can tell which packages in /nix/store belong to who? I think that replacing a binary is indeed possible, but it requires root access, so it would def. be a Post exploitation thing. What other security nightmares can we face except the atomic Upgrades and possibilities of supply chain attacks when it comes to /nix/store itself? Really, how one can tell which user can use which package? Is there a way to do so? Can Eve in given Situation 'inject' malicious Code into Adam's /nix/store? | 11:18:36 |
 Synthetica | If you have root you can basically do anything, so... | 11:19:23 |
| kunrooted | And how can I tell which user has an Access to certain packages? | 11:20:02 |
 balsoft | Nix store is a large cache | 11:20:11 |
 Roos | The nix store is world readable. | 11:20:20 |
| balsoft | Everybody has write access | 11:20:23 |
| balsoft | * Everybody has read access | 11:20:26 |
| Synthetica | I suppose that if you have a SHA collision you can build an evil package that has the same derivation hash as a good package | 11:20:27 |
| balsoft | allowedUsers have write access to new packages | 11:20:36 |
| balsoft | trustedUsers basically have root so it doesn't matter | 11:20:45 |
| balsoft | In reply to @synthetica:matrix.org
I suppose that if you have a SHA collision you can build an evil package that has the same derivation hash as a good package Yes | 11:20:57 |
| balsoft | In reply to @kunrooted:matrix.org
okay so let's assume we have Situation like this:
we have two users, Adam and Eve, while Adam has root access/is root himself. Can Eve 'infect' his /nix/store with malicious Code? Also, how one can tell which packages in /nix/store belong to who? I think that replacing a binary is indeed possible, but it requires root access, so it would def. be a Post exploitation thing. What other security nightmares can we face except the atomic Upgrades and possibilities of supply chain attacks when it comes to /nix/store itself? Really, how one can tell which user can use which package? Is there a way to do so? Can Eve in given Situation 'inject' malicious Code into Adam's /nix/store? So, yes, anybody can put (almost) anything in the nix store, but it doesn't matter | 11:21:26 |
| kunrooted | okay, great | 11:21:27 |
| Roos | You can always ask the nix daemon to build a derivation for you, but since it's hashed, you cannot replace a legitimate derivation unless you also happen to find a sha256 collision. | 11:21:41 |
| balsoft | Another slight issue is if you have a sufficiently controlled and influential nondeterminism source in your dependency tree, another kind of attack is possible | 11:22:27 |
| kunrooted | okay, and any other security risks related to /nix/store itself? | 11:22:31 |
| kunrooted | ah, you type faster haha | 11:22:43 |
