Hi, zimoun <zimon.touto...@gmail.com> skribis:
> On Sat, 20 Jun 2020 at 12:40, Ludovic Courtès <l...@gnu.org> wrote:
>> zimoun <zimon.touto...@gmail.com> skribis:
>
>>> BTW, from a security perspective, it is easy to cheat by removing some
>>> commits so the file ~/.cache/guix/authentication/channels/guix should be
>>> protected: read-only and only writable by the daemon.
>>
>> It’s 600 of course.  What we could do is ignore it if it’s not 600 when
>> we open it.
>
> This could help. :-)

Done in 41939c374a3ef421d2d4c6453c327a9cd7af4ce5.

>> Crucially: we cannot and should not restrict what the user can do for
>> the sake of security.  Users can pass ‘--disable-authentication’, they
>> can run binaries taken from the net, whatever; it’s their machine.
>
> Well, I have not thought deeply about an attack, but the point is to
> protect the user when they run "guix pull" alone, i.e., they can trust
> the server.  An attack could be, for example, an email with an attachment,
> click, then boum: tweak ~/.config/guix/channels.scm and
> ~/.cache/guix/authentication/channels/guix, then the user runs "guix
> pull" with the expectation that everything is checked and
> authenticated and in fact no, they are talking to a malicious server.

I don’t really see how the attachment would modify a local file, but
even if that’s a possibility, it’s beyond the scope of Guix: we cannot
prevent users from shooting themselves in the foot.

Ludo’.
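The check discussed above (treat the cached authentication state as absent unless the file is mode 600), written out as an added example. This is not the Guix code from commit 41939c374a3ef421d2d4c6453c327a9cd7af4ce5 and not code from either participant; it assumes a POSIX host, uses placeholder file contents rather than Guix's real cache format, and the helper names read_if_private and demo are my own. It goes slightly beyond the mode-only check in the thread: it also requires the file to be a regular file owned by the calling user and refuses to follow a symlink planted at the cache path.

```python
import os
import stat
import tempfile


def read_if_private(path, expected_uid=None):
    """Return the contents of `path` only if it looks like a private,
    user-owned state file; otherwise return None so the caller treats
    the cache as absent and authenticates the channel from scratch.

    Checks (assumption: POSIX host):
      * open with O_NOFOLLOW so a symlink planted at `path` is refused;
      * regular file, not a FIFO, device or directory;
      * owned by `expected_uid` (default: the calling user);
      * permission bits exactly 0600, as in the thread above.
    """
    uid = os.getuid() if expected_uid is None else expected_uid
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:
        # Missing, unreadable, or a symlink (ELOOP under O_NOFOLLOW):
        # all of these are treated as "no cache".
        return None
    with os.fdopen(fd, "rb") as f:
        # fstat the open descriptor, not the path, so the checks apply
        # to the same inode we are about to read (no check-then-use gap).
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            return None
        if st.st_uid != uid:
            return None
        if stat.S_IMODE(st.st_mode) != 0o600:
            return None
        return f.read()


def demo():
    """Constructed scenario (placeholder data, not real Guix state): a
    correctly private cache file, a world-readable copy, a symlink to the
    good file, a missing file, and the good file checked against the
    wrong owner."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "guix")
        with open(good, "wb") as f:
            f.write(b"last-authenticated-commit placeholder\n")
        os.chmod(good, 0o600)
        results["private"] = read_if_private(good)

        loose = os.path.join(d, "guix-loose")
        with open(loose, "wb") as f:
            f.write(b"tampered placeholder\n")
        os.chmod(loose, 0o644)
        results["world_readable"] = read_if_private(loose)

        link = os.path.join(d, "guix-link")
        os.symlink(good, link)
        results["symlink"] = read_if_private(link)

        results["missing"] = read_if_private(os.path.join(d, "absent"))

        # chown needs root, so simulate "owned by someone else" by asking
        # for a uid that is not ours.
        results["wrong_owner"] = read_if_private(good,
                                                 expected_uid=os.getuid() + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} -> {'read' if value is not None else 'ignored'}")
```

Only the first case is read; the other four fall back to "no cache", which for a tool like guix pull means re-authenticating from the channel introduction rather than trusting a possibly rewound commit. Note the limit of the check, which is the point Ludo makes at the end: it defends against a file left too permissive or dropped in by another account, but code already running as the same user can chmod the file back to 600 after rewriting it, so it does not protect against the attachment scenario.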