diff options
Diffstat (limited to 'etc')
-rwxr-xr-x | etc/committer.scm.in | 152 | ||||
-rwxr-xr-x | etc/guix-install.sh | 9 | ||||
-rw-r--r-- | etc/news.scm | 94 |
3 files changed, 209 insertions, 46 deletions
diff --git a/etc/committer.scm.in b/etc/committer.scm.in index ebe6b96bcc..1f19ccfd6d 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -3,7 +3,7 @@ !# ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2020, 2021 Ricardo Wurmus <rekado@elephly.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,7 +28,10 @@ (import (sxml xpath) (srfi srfi-1) + (srfi srfi-2) (srfi srfi-9) + (srfi srfi-11) + (srfi srfi-26) (ice-9 format) (ice-9 popen) (ice-9 match) @@ -63,7 +66,8 @@ LINE-NO in PORT." (make-hunk file-name old-line-number new-line-number - diff) + diff-lines + definition?) hunk? (file-name hunk-file-name) ;; Line number before the change @@ -71,38 +75,45 @@ LINE-NO in PORT." ;; Line number after the change (new-line-number hunk-new-line-number) ;; The full diff to be used with "git apply --cached" - (diff hunk-diff)) + (diff-lines hunk-diff-lines) + ;; Does this hunk add a definition? + (definition? hunk-definition?)) (define* (hunk->patch hunk #:optional (port (current-output-port))) (let ((file-name (hunk-file-name hunk))) (format port "diff --git a/~a b/~a~%--- a/~a~%+++ b/~a~%~a" file-name file-name file-name file-name - (hunk-diff hunk)))) + (string-join (hunk-diff-lines hunk) "")))) (define (diff-info) "Read the diff and return a list of <hunk> values." (let ((port (open-pipe* OPEN_READ - "git" "diff" + "git" "diff-files" "--no-prefix" - ;; Do not include any context lines. This makes it - ;; easier to find the S-expression surrounding the - ;; change. - "--unified=0"))) + ;; Only include one context line to avoid lumping in + ;; new definitions with changes to existing + ;; definitions. + "--unified=1" + "gnu"))) (define (extract-line-number line-tag) (abs (string->number (car (string-split line-tag #\,))))) (define (read-hunk) - (reverse - (let loop ((lines '())) - (let ((line (read-line port 'concat))) - (cond - ((eof-object? line) lines) - ((or (string-prefix? "@@ " line) - (string-prefix? "diff --git" line)) - (unget-string port line) - lines) - (else (loop (cons line lines)))))))) + (let loop ((lines '()) + (definition? #false)) + (let ((line (read-line port 'concat))) + (cond + ((eof-object? line) + (values (reverse lines) definition?)) + ((or (string-prefix? "@@ " line) + (string-prefix? "diff --git" line)) + (unget-string port line) + (values (reverse lines) definition?)) + (else + (loop (cons line lines) + (or definition? + (string-prefix? "+(define" line)))))))) (define info (let loop ((acc '()) (file-name #f)) @@ -116,29 +127,42 @@ LINE-NO in PORT." ((string-prefix? "@@ " line) (match (string-split line #\space) ((_ old-start new-start . _) - (loop (cons (make-hunk file-name - (extract-line-number old-start) - (extract-line-number new-start) - (string-join (cons* line "\n" - (read-hunk)) "")) - acc) - file-name)))) + (let-values + (((diff-lines definition?) (read-hunk))) + (loop (cons (make-hunk file-name + (extract-line-number old-start) + (extract-line-number new-start) + (cons (string-append line "\n") + diff-lines) + definition?) acc) + file-name))))) (else (loop acc file-name)))))) (close-pipe port) info)) +(define (lines-to-first-change hunk) + "Return the number of diff lines until the first change." + (1- (count (lambda (line) + ((negate char-set-contains?) + (char-set #\+ #\-) + (string-ref line 0))) + (hunk-diff-lines hunk)))) + (define (old-sexp hunk) "Using the diff information in HUNK return the unmodified S-expression corresponding to the top-level definition containing the staged changes." ;; TODO: We can't seek with a pipe port... (let* ((port (open-pipe* OPEN_READ - "git" "show" (string-append "HEAD:" - (hunk-file-name hunk)))) + "git" "cat-file" "-p" (string-append + "HEAD:" + (hunk-file-name hunk)))) (contents (get-string-all port))) (close-pipe port) (call-with-input-string contents (lambda (port) - (surrounding-sexp port (hunk-old-line-number hunk)))))) + (surrounding-sexp port + (+ (lines-to-first-change hunk) + (hunk-old-line-number hunk))))))) (define (new-sexp hunk) "Using the diff information in HUNK return the modified S-expression @@ -146,9 +170,10 @@ corresponding to the top-level definition containing the staged changes." (call-with-input-file (hunk-file-name hunk) (lambda (port) (surrounding-sexp port - (hunk-new-line-number hunk))))) + (+ (lines-to-first-change hunk) + (hunk-new-line-number hunk)))))) -(define* (commit-message file-name old new #:optional (port (current-output-port))) +(define* (change-commit-message file-name old new #:optional (port (current-output-port))) "Print ChangeLog commit message for changes between OLD and NEW." (define (get-values expr field) (match ((sxpath `(// ,field quasiquote *)) expr) @@ -193,6 +218,12 @@ corresponding to the top-level definition containing the staged changes." (listify added))))))))) '(inputs propagated-inputs native-inputs))) +(define* (add-commit-message file-name variable-name #:optional (port (current-output-port))) + "Print ChangeLog commit message for a change to FILE-NAME adding a definition." + (format port + "gnu: Add ~a.~%~%* ~a (~a): New variable.~%" + variable-name file-name variable-name)) + (define (group-hunks-by-sexp hunks) "Return a list of pairs associating all hunks with the S-expression they are modifying." @@ -218,14 +249,45 @@ modifying." (cons* new (old-sexp (first hunks)) hunks))) (group-hunks-by-sexp hunks))) +(define %delay 1000) + (define (main . args) (match (diff-info) (() - (display "Nothing to be done." (current-error-port))) + (display "Nothing to be done.\n" (current-error-port))) (hunks - (for-each (match-lambda - ((new old . hunks) - (for-each (lambda (hunk) + (let-values + (((definitions changes) + (partition hunk-definition? hunks))) + + ;; Additions. + (for-each (lambda (hunk) + (and-let* + ((define-line (find (cut string-prefix? "+(define" <>) + (hunk-diff-lines hunk))) + (variable-name (and=> (string-tokenize define-line) second))) + (add-commit-message (hunk-file-name hunk) variable-name) + (let ((port (open-pipe* OPEN_WRITE + "git" "apply" + "--cached" + "--unidiff-zero"))) + (hunk->patch hunk port) + (unless (eqv? 0 (status:exit-val (close-pipe port))) + (error "Cannot apply"))) + + (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-"))) + (add-commit-message (hunk-file-name hunk) + variable-name port) + (usleep %delay) + (unless (eqv? 0 (status:exit-val (close-pipe port))) + (error "Cannot commit")))) + (usleep %delay)) + definitions) + + ;; Changes. + (for-each (match-lambda + ((new old . hunks) + (for-each (lambda (hunk) (let ((port (open-pipe* OPEN_WRITE "git" "apply" "--cached" @@ -233,18 +295,20 @@ modifying." (hunk->patch hunk port) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot apply"))) - (sleep 1)) + (usleep %delay)) hunks) - (commit-message (hunk-file-name (first hunks)) - old new - (current-output-port)) + (change-commit-message (hunk-file-name (first hunks)) + old new + (current-output-port)) (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-"))) - (commit-message (hunk-file-name (first hunks)) - old new - port) - (sleep 1) + (change-commit-message (hunk-file-name (first hunks)) + old new + port) + (usleep %delay) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot commit"))))) - (new+old+hunks hunks))))) + ;; XXX: we recompute the hunks here because previous + ;; insertions lead to offsets. + (new+old+hunks (diff-info))))))) (main) diff --git a/etc/guix-install.sh b/etc/guix-install.sh index c84e7b7577..949ef7719f 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh @@ -330,15 +330,20 @@ sys_create_build_user() _msg "${PAS}group <guixbuild> created" fi + if [ $(getent group kvm) ]; then + _msg "${INF}group kvm exists and build users will be added to it" + local KVMGROUP=,kvm + fi + for i in $(seq -w 1 10); do if id "guixbuilder${i}" &>/dev/null; then _msg "${INF}user is already in the system, reset" - usermod -g guixbuild -G guixbuild \ + usermod -g guixbuild -G guixbuild${KVMGROUP} \ -d /var/empty -s "$(which nologin)" \ -c "Guix build user $i" \ "guixbuilder${i}"; else - useradd -g guixbuild -G guixbuild \ + useradd -g guixbuild -G guixbuild${KVMGROUP} \ -d /var/empty -s "$(which nologin)" \ -c "Guix build user $i" --system \ "guixbuilder${i}"; diff --git a/etc/news.scm b/etc/news.scm index deedc69f6e..65d83061df 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -12,6 +12,8 @@ ;; Copyright © 2020, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com> ;; Copyright © 2021 Leo Famulari <leo@famulari.name> ;; Copyright © 2021 Zhu Zihao <all_but_last@163.com> +;; Copyright © 2021 Chris Marusich <cmmarusich@gmail.com> +;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be> ;; ;; Copying and distribution of this file, with or without modification, are ;; permitted in any medium without royalty provided the copyright notice and @@ -20,6 +22,98 @@ (channel-news (version 0) + (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586") + (title + (en "Risk of local privilege escalation during user account creation") + (de "Risiko lokaler Rechteausweitung während der Erstellung von Benutzerkonten")) + (body + (en "A security vulnerability that can lead to local privilege +escalation has been found in the code that creates user accounts on Guix +System---Guix on other distros is unaffected. The system is only vulnerable +during the activation of user accounts that do not already exist. + +This bug is fixed and Guix System users are advised to upgrade their system, +with a command along the lines of: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + +The attack can happen when @command{guix system reconfigure} is running. +Running @command{guix system reconfigure} can trigger the creation of new user +accounts if the configuration specifies new accounts. If a user whose account +is being created manages to log in after the account has been created but +before ``skeleton files'' copied to its home directory have the right +ownership, they may, by creating an appropriately-named symbolic link in the +home directory pointing to a sensitive file, such as @file{/etc/shadow}, get +root privileges. + +See @uref{https://issues.guix.gnu.org/47584} for more information on this +bug.") + (de "Eine Sicherheitslücke, die eine lokale Rechteausweitung zur +Folge haben kann, wurde in dem Code gefunden, mit dem Benutzerkonten auf Guix +System angelegt werden — Guix auf anderen Distributionen ist nicht betroffen. +Das System kann nur während der Aktivierung noch nicht existierender +Benutzerkonten angegriffen werden. + +Der Fehler wurde behoben und wir empfehlen Nutzern von Guix System, ihre +Systeme zu aktualisieren, mit einem Befehl wie: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + +Der Angriff kann erfolgen, während @command{guix system reconfigure} läuft. +Wenn @command{guix system reconfigure} ausgeführt wird, kann das die Erzeugung +neuer Benutzerkonten auslösen, wenn in der Konfiguration neue Konten angegeben +wurden. Wenn ein Benutzer, dessen Konto gerade angelegt wird, es +fertigbringt, sich anzumelden, bevor „Skeleton-Dateien“ in seinem Persönlichen +Verzeichnis den richtigen Besitzer haben, kann er durch Anlegen einer gezielt +benannten symbolischen Verknüpfung in seinem Persönlichen Verzeichnis auf eine +sensible Datei wie @file{/etc/shadow} Administratorrechte erlangen. + +Siehe @uref{https://issues.guix.gnu.org/47584} für mehr Informationen zu +diesem Fehler."))) + + (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") + (title + (en "New supported platform: powerpc64le-linux") + (de "Neue Plattform wird unterstützt: powerpc64le-linux") + (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux")) + (body + (en "A new platform, powerpc64le-linux, has been added for +little-endian 64-bit Power ISA processors using the Linux-Libre kernel. This +includes POWER9 systems such as the +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF Talos II mainboard}. This platform is available as a \"technology +preview\": although it is supported, substitutes are not yet available from +the build farm, and some packages may fail to build. In addition, Guix System +is not yet available on this platform. That said, the Guix community is +actively working on improving this support, and now is a great time to try it +and get involved!") + (de "Eine neue Plattform, powerpc64le-linux, wurde hinzugefügt. Mit +ihr können Prozessoren mit 64-Bit-Power-Befehlssatz, little-endian, mit dem +Linux-Libre-Kernel betrieben werden. Dazu gehören POWER9-Systeme wie die +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF-zertifizierte Talos-II-Hauptplatine}. Bei der Plattform handelt es sich +um eine „Technologievorschau“; obwohl sie unterstützt wird, gibt es noch keine +Substitute von der Erstellungsfarm und bei manchen Paketen könnte die +Erstellung fehlschlagen. Des Weiteren ist Guix System auf dieser Plattform +noch nicht verfügbar. Dennoch arbeitet die Guix-Gemeinde aktiv daran, diese +Unterstützung auszubauen, und jetzt ist eine gute Gelegenheit, sie +auszuprobieren und mitzumachen!") + (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour +les processeurs POWER 64-bits utilisant le noyau Linux-libre. Ça inclut les +systèmes POWER9 tels que les +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +cartes Talos II RYF}. Il s'agit pour le moment d'un « avant-goût » de la +technologie : bien que la plate-forme soit prise en charge, la ferme de +compilation ne fournit pas encore de substituts et certains paquets risquent +de ne pas compiler. En outre, Guix System n'est pas encore disponible sur +cette plate-forme. Ceci dit, la communauté Guix travaille activement pour +améliorer cette prise en charge et c'est maintenant un bon moment pour +l'essayer et pour s'impliquer !"))) + (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e") (title (en "Update on previous @command{guix-daemon} local privilege escalation") |