!ZRgXNaHrdpGqwUnGnj:nixos.org

NixOS Security Triage

749 Members
Coordination and triage of security issues in nixpkgs231 Servers

Load older messages

SenderMessageTime
1 Jul 2021
@synthetica:matrix.orgSyntheticaOr luck I guess11:29:48
@balsoft:balsoft.rubalsoft So, to paraphrase, kunrooted if you're worried about these sorts of things you should first worry about all the ez root vulneratilibies in Linux itself 11:30:11
@balsoft:balsoft.rubalsoftAnd maybe not give untrusted users access to your computer11:30:27
@balsoft:balsoft.rubalsoftOr at least put them in separate containers11:30:34
@synthetica:matrix.orgSynthetica Is it possible to deny "regular" users the -x flag on /nix/store so you can't do that? 11:31:08
@kunrooted:matrix.orgkunrootedCan we consider NixOS containers security concern? 11:31:23
@kunrooted:matrix.orgkunrooted
In reply to @balsoft:balsoft.ru
So, to paraphrase, kunrooted if you're worried about these sorts of things you should first worry about all the ez root vulneratilibies in Linux itself
okie, thanks 		11:31:35
@synthetica:matrix.orgSyntheticaAs in QEMU containers?11:31:37
@linus.heckemann:matrix.mayflower.deLinux Hackermanyeah I wouldn't rely on strong isolation in nixos containers.11:31:39
@balsoft:balsoft.rubalsoft
In reply to @kunrooted:matrix.org
Can we consider NixOS containers security concern?
Yes, they are explicitly not for security 		11:31:47
@kunrooted:matrix.orgkunrootedafaik they're not isolated at all11:31:57
@kunrooted:matrix.orgkunrootedroot in container = root on the host 11:32:10
@kunrooted:matrix.orgkunrootedOr had they changed that? 11:32:14
@balsoft:balsoft.rubalsoftNo11:32:19
@balsoft:balsoft.rubalsoftIt's still there11:32:23
@kunrooted:matrix.orgkunrootedlmfao11:32:44
@janne.hess:helsinki-systems.dedas_j
In reply to @synthetica:matrix.org
Is it possible to deny "regular" users the -x flag on /nix/store so you can't do that?
AppArmor works pretty well for this 		11:32:58
@kunrooted:matrix.orgkunrootedanything else which comes to your mind guys? 11:33:06
@balsoft:balsoft.rubalsoft
In reply to @synthetica:matrix.org
Is it possible to deny "regular" users the -x flag on /nix/store so you can't do that?
How would the system work? 		11:33:17
@balsoft:balsoft.rubalsoftOh, you mean non-recursively11:33:30
@balsoft:balsoft.rubalsoftWell11:33:56
@balsoft:balsoft.rubalsoftLet me try :P11:33:58
@balsoft:balsoft.rubalsoftOh no11:34:25
@balsoft:balsoft.rubalsoftBad idea11:34:26
@synthetica:matrix.orgSyntheticaWhat happens? :D11:34:38
@balsoft:balsoft.rubalsoftwell fuck11:34:46
@janne.hess:helsinki-systems.dedas_jPretty sure you can't access subdirectories11:34:57
@synthetica:matrix.orgSyntheticaoh, I thought you could only not list them11:35:11
@janne.hess:helsinki-systems.dedas_j that's r iirc 11:35:19
@balsoft:balsoft.rubalsoftUhhh11:35:33

Show newer messages

Back to Room ListRoom Version: 6