diff options
author | Ludovic Courtès <ludo@gnu.org> | 2021-04-03 22:19:28 +0200 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2021-04-03 22:19:28 +0200 |
commit | 3b6247ba6d531be61b85e8b0c02ff4d7118593f5 (patch) | |
tree | c4179cae3489625f83b9e76c3b75d2172c013ecf | |
parent | c9960ad67c7644225343e913d5fea620d97bb293 (diff) | |
download | guix-3b6247ba6d531be61b85e8b0c02ff4d7118593f5.tar.gz |
news: Clarify time window for account activation vulnerability.
* etc/news.scm: Tweak wording about skeleton files.
-rw-r--r-- | etc/news.scm | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/etc/news.scm b/etc/news.scm index adb81dd64b..3e5b2d7824 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -42,9 +42,10 @@ The attack can happen when @command{guix system reconfigure} is running. Running @command{guix system reconfigure} can trigger the creation of new user accounts if the configuration specifies new accounts. If a user whose account is being created manages to log in after the account has been created but -before ``skeleton files'' have been copied to its home directory, they may, by -creating an appropriately-named symbolic link in the home directory pointing -to a sensitive file, such as @file{/etc/shadow}, get root privileges. +before ``skeleton files'' copied to its home directory have the right +ownership, they may, by creating an appropriately-named symbolic link in the +home directory pointing to a sensitive file, such as @file{/etc/shadow}, get +root privileges. See @uref{https://issues.guix.gnu.org/47584} for more information on this bug."))) |