news: Clarify time window for account activation vulnerability.

* etc/news.scm: Tweak wording about skeleton files.
Ludovic Courtès 2021-04-03 22:19:28 +02:00
parent c9960ad67c
commit 3b6247ba6d
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 4 additions and 3 deletions

@ -42,9 +42,10 @@ The attack can happen when @command{guix system reconfigure} is running.
Running @command{guix system reconfigure} can trigger the creation of new user
accounts if the configuration specifies new accounts. If a user whose account
is being created manages to log in after the account has been created but
before ``skeleton files'' have been copied to its home directory, they may, by
creating an appropriately-named symbolic link in the home directory pointing
to a sensitive file, such as @file{/etc/shadow}, get root privileges.
before ``skeleton files'' copied to its home directory have the right
ownership, they may, by creating an appropriately-named symbolic link in the
home directory pointing to a sensitive file, such as @file{/etc/shadow}, get
root privileges.
See @uref{https://issues.guix.gnu.org/47584} for more information on this
bug.")))
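Review bot: the reworded clause "before ``skeleton files'' copied to its home directory have the right ownership" is hard to parse, because the reader has to reach "have" before learning that "copied" is a participle rather than the main verb. Consider "before the ``skeleton files'' copied to its home directory have been given the right ownership", or split the sentence so that the time window and the symbolic-link step are stated separately. The visible text also does not say who owns those files during the window, which is what connects the symbolic link to @file{/etc/shadow} with root privileges; a few words on that would make the news entry easier to follow for readers who have not opened the linked bug report.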