NixOS make-initrd-ng Local Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the make-initrd-ng tool, which is used for copying binaries and their dependencies. This issue affects all NixOS users. The vulnerability arises when the systemd.shutdownRamfs.enable option is activated, which is the default setting. Under these conditions, a local user can create a program that is executed by the root user during the shutdown process.

Impact

Exploitation of this vulnerability allows for local privilege escalation, enabling a user to execute programs as the root user during system shutdown.

Reproduction

To reproduce this vulnerability, ensure that the systemd.shutdownRamfs.enable option is set to true, which is the default. A local user can then create a program that will be executed by root during the shutdown process. After the program is created, initiating a shutdown will trigger its execution with elevated privileges.

Remediation

Users can disable the vulnerable behavior by setting systemd.shutdownRamfs.enable to false. Patches are also available for NixOS versions 24.11 and 25.05/unstable.