From 1dcadadf745442e96db29eb652ed4e535b6352d6 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Mon, 12 Jun 2017 13:56:38 +0200 Subject: Add 1.11.10 release notes (cherry picked from commit 0fb60e4e0f66cc42c7c274acfcf00b51f6c829c4) --- doc/manual/release-notes/release-notes.xml | 1 + doc/manual/release-notes/rl-1.11.10.xml | 31 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 doc/manual/release-notes/rl-1.11.10.xml (limited to 'doc/manual') diff --git a/doc/manual/release-notes/release-notes.xml b/doc/manual/release-notes/release-notes.xml index 8c2deb394..c4b14bc54 100644 --- a/doc/manual/release-notes/release-notes.xml +++ b/doc/manual/release-notes/release-notes.xml @@ -13,6 +13,7 @@ --> + diff --git a/doc/manual/release-notes/rl-1.11.10.xml b/doc/manual/release-notes/rl-1.11.10.xml new file mode 100644 index 000000000..13cb497d9 --- /dev/null +++ b/doc/manual/release-notes/rl-1.11.10.xml @@ -0,0 +1,31 @@ +
+ +Release 1.11.10 (2017-06-12) + +This release fixes a security bug in Nix’s “build user” build +isolation mechanism. Previously, Nix builders had the ability to +create setuid binaries owned by a nixbld +user. Such a binary could then be used by an attacker to assume a +nixbld identity and interfere with subsequent +builds running under the same UID. + +To prevent this issue, Nix now disallows builders to create +setuid and setgid binaries. On Linux, this is done using a seccomp BPF +filter. Note that this imposes a small performance penalty (e.g. 1% +when building GNU Hello). Using seccomp, we now also prevent the +creation of extended attributes and POSIX ACLs since these cannot be +represented in the NAR format and (in the case of POSIX ACLs) allow +bypassing regular Nix store permissions. On OS X, the restriction is +implemented using the existing sandbox mechanism, which now uses a +minimal “allow all except the creation of setuid/setgid binaries” +profile when regular sandboxing is disabled. On other platforms, the +“build user” mechanism is now disabled. + +Thanks go to Linus Heckemann for discovering and reporting this +bug. + +
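Review bot: the Linux paragraph in the new rl-1.11.10.xml describes the seccomp BPF filter but not what Nix does when that filter cannot be installed (for example on a kernel built without seccomp support); since the setuid/setgid restriction on Linux rests entirely on it, the notes should state whether such a build aborts or whether the "build user" mechanism is disabled there as it is on "other platforms", so that operators can tell whether the reported issue still applies to their hosts. A smaller wording point: "disallows builders to create setuid and setgid binaries" reads better as "disallows builders from creating setuid and setgid binaries".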