| 15 Jul 2025 |
raitobezarius | Well, yeah. | 17:57:05 |
aloisw | Of course fixing the arbitrary directory emptying is still good (and to my understanding it was actually done). | 17:57:34 |
raitobezarius | Yeah, the methodology was to split all entrypoints / primitives into separate CVEs, then coordination wrote a generic blurb for them | 17:57:54 |
raitobezarius | So that if in the future, they are reused as attack primitives, we can reference them again and mark them as insufficiently mitigated | 17:58:08 |
raitobezarius | We tried to close all the primitives as much as possible | 17:58:30 |
raitobezarius | But clearly, some work remains: dropping nix-daemon privileges, re-closing CVE-2025-52992, propagating pasta everywhere, etc. | 17:58:50 |
raitobezarius | (adding ForbidAbstractSocket to systemd) | 17:58:58 |
raitobezarius | But I'm unable to re-conclude with certainty that this specific _deletePath primitive was unlimited or contained in Nix build outputs | 17:59:30 |
raitobezarius | If a parent directory is replaced with a symlink between the call to getdents and the call to openat, the next openat call will operate on the unexpected directory… | 18:00:14 |
raitobezarius | So yeah, you could just symlink /tmp/SOMETHING | 18:00:37 |
raitobezarius | But honestly, in the case of /nix/var/nix/builds | 18:00:58 |
raitobezarius | What are you going to delete? | 18:01:07 |
raitobezarius | /nix/var/nix ? | 18:01:10 |
raitobezarius | or /nix/var/nix/builds ? | 18:01:16 |
raitobezarius | doesn't matter that much? | 18:01:19 |
raitobezarius | You cannot recreate because it's stronger security than living in /tmp, right? | 18:01:31 |
aloisw | I'm talking about the fallback, where you can still empty /tmp and it's the same as before except you have to create two directories? | 18:01:51 |
raitobezarius | Indeed, the fallback logic does that | 18:02:00 |
raitobezarius | Maybe the takeaway is that fallback is a bad idea | 18:02:12 |
aloisw | /nix/var/nix/builds is of course unaffected because no component is world-writable. | 18:02:18 |
raitobezarius | But we are running in an impossible tension when it comes to that logic | 18:02:19 |
raitobezarius | The fallback logic exists when you run Nix as an unprivileged user that cannot mutate /nix/var/nix/builds | 18:02:37 |
raitobezarius | What this points to is probably that the build directory should live in the user's private tmp? | 18:03:01 |
raitobezarius | So, /run/user/$UID ? | 18:03:11 |
raitobezarius | How about this? | 18:03:28 |
raitobezarius | Fallback logic tries /run/user/$UID first, then falls back to /tmp | 18:03:38 |
raitobezarius | The tmp fallback seems inevitable for… other platforms than Linux/systemd I suppose? | 18:03:48 |
raitobezarius | (In reply to @me:indeednotjames.com: "uh sure, can look into this if jade is currently away/afk") go ahead | 18:04:45 |
raitobezarius | (In reply to @raitobezarius:matrix.org: "The fallback logic exists when you run Nix as an unprivileged user that cannot mutate /nix/var/nix/builds") And to finish my reasoning: either you have a nice location that you know has no world-writable component, but you need to find one that makes sense for the user and is writable for you, or you don't and the world-writable locations are not too bad for that? | 18:05:24 |
raitobezarius | The best is the former, the worst is the latter | 18:05:53 |