Nix
cpe:2.3:a:nix_project:nix:*:*:*:*:rust:*:*
- <= 2.24.14
- <= 2.26.3
- <= 2.28.3
- <= 2.29.0
A race condition vulnerability has been identified in the Nix, Lix, and Guix package managers, allowing for the unauthorized change of file ownership to the user ID and group ID of the build user (such as 'nixbld*' or 'guixbuild*'). This vulnerability affects multiple versions of Nix (prior to 2.24.15, 2.26.4, 2.28.4, and 2.29.1), Lix (prior to 2.91.2, 2.92.2, and 2.93.1), and Guix (prior to 1.4.0-38.0e79d5b). The issue arises from how these package managers handle temporary directories and file descriptors during the build process, creating a window of opportunity for privilege escalation.
Exploitation of this vulnerability allows for local privilege escalation to the build user, with the potential for further escalation to root or the daemon user, depending on the context.
The vulnerability can be reproduced by initiating a build process with a user that has access to the Nix or Guix daemon. During the build, the process can predict the temporary directory path and use malicious derivations to smuggle out file descriptors. This can be done by exploiting the 'abstract Unix-domain socket hole', a Linux-specific feature that allows processes in the same network namespace to communicate via Unix-domain sockets, bypassing normal file system restrictions. Once the file descriptors are exfiltrated, they can be used to manipulate the build process and change file ownerships.
Users are advised to upgrade to Nix versions 2.24.15, 2.26.4, 2.28.4, or 2.29.1; Lix versions 2.91.2, 2.92.2, or 2.93.1; and Guix version 1.4.0-38.0e79d5b. Instructions for upgrading are available on the Nix, Lix, and Guix blogs.
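The version checks that the advisory implies can be applied mechanically. The following is an added example, not code from the advisory or from the Nix or Lix projects: it parses a `nix --version` style string and reports whether it falls inside the affected ranges stated above (below 2.24.15, 2.26.4, 2.28.4 or 2.29.1 for Nix; below 2.91.2, 2.92.2 or 2.93.1 for Lix). The fixed versions are taken from the advisory; the sample version strings are constructed, and the assumption that Lix identifies itself with the word "Lix" in its version output is the author's, not something the advisory states. Guix is left out because its `1.4.0-38.0e79d5b` commit-count version does not fit the same three-part comparison.

```python
"""Classify Nix / Lix version strings against the fixed releases named in the advisory.

Added example; not advisory or project code. Fixed versions come from the advisory,
sample inputs are constructed.
"""
import re

# Earliest fixed release on each maintained branch, per the advisory.
FIXED = {
    "nix": {(2, 24): (2, 24, 15), (2, 26): (2, 26, 4),
            (2, 28): (2, 28, 4), (2, 29): (2, 29, 1)},
    "lix": {(2, 91): (2, 91, 2), (2, 92): (2, 92, 2), (2, 93): (2, 93, 1)},
}


def parse_version(text):
    """Return (major, minor, patch) from a string such as 'nix (Nix) 2.24.14'.

    Pre-release or build suffixes after the third number are ignored, so a
    '2.29.0pre...' string is treated as 2.29.0 (the conservative choice).
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(tool, version):
    """True if `version` lies inside the advisory's affected ranges for `tool`.

    The ranges are 'everything older than the newest fix, except patched
    releases on the branches that received one'; an unlisted older branch
    such as 2.25.x is therefore still reported as affected (it is covered by
    the '<= 2.26.3' range).
    """
    fixed_by_branch = FIXED[tool]
    newest_fix = max(fixed_by_branch.values())
    if version >= newest_fix:
        return False  # newer than every fixed release
    fix = fixed_by_branch.get(version[:2])
    if fix is not None and version >= fix:
        return False  # patched release on a maintained branch
    return True


def check_version_output(text):
    """Classify raw `nix --version` output.

    Assumption (not from the advisory): Lix builds mention 'Lix' in this
    output, while upstream Nix prints 'nix (Nix) x.y.z'.
    """
    tool = "lix" if "lix" in text.lower() else "nix"
    version = parse_version(text)
    return tool, version, is_affected(tool, version)


if __name__ == "__main__":
    # Constructed sample outputs, one per interesting case.
    samples = [
        "nix (Nix) 2.24.14",        # last vulnerable release on 2.24
        "nix (Nix) 2.24.15",        # first fixed release on 2.24
        "nix (Nix) 2.25.3",         # unlisted branch, covered by <= 2.26.3
        "nix (Nix) 2.29.0",         # vulnerable
        "nix (Nix) 2.29.1",         # fixed
        "nix (Lix, like Nix) 2.92.1",  # vulnerable Lix
        "nix (Lix, like Nix) 2.93.1",  # fixed Lix
    ]
    for s in samples:
        tool, version, affected = check_version_output(s)
        state = "AFFECTED - upgrade" if affected else "not affected"
        print(f"{s!r:32} -> {tool} {'.'.join(map(str, version))}: {state}")
```

Run it as a script to see the classification of each constructed sample; in practice the string would come from `nix --version` on the host being audited. Because the check only looks at the version number, it cannot tell whether a distribution has backported the fix under an older version string; treat an "affected" result as a prompt to verify the package's changelog rather than as proof.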