Nix security advisory: Privilege escalation via symlink following during FOD output registration
41 points by juliethefoxcoon
This has nothing to do with Rust. Upstream Nix and Lix used different mechanisms to address an earlier issue, and Nix's had another bug. Rust does not magically solve symlink traversal issues or abstract socket leaks.
Good moment to switch to Lix ;)
I'm considering it. Are there issues I'd run into as a fairly typical user of Nix and NixOS?
I've been using it for a while now and the only difference I actually noticed during use (besides improved speed) is the pipe operator features have a slightly different name between Nix & Lix, so you can't reuse the exact same config if you use that feature.
I had to work around that to use nixd with the feature enabled: https://github.com/nix-community/nixd/issues/704#issuecomment-3688024705
For UX improvements, I'd really recommend setting log-format = multiline-with-logs in the config (or using nix build --log-format multiline-with-logs). It's so much nicer!
That'd be another Lix-specific config value, though I'm not sure if Nix ignores unknown keys.