Security fix: Nix derivation sandbox escape

tl;dr: CVE-2024-38531 (see Sandbox escape · Advisory · NixOS/nix · GitHub if the CVE index doesn’t show it yet) was published earlier today. Please update your Nix installation.

Discovered by @lheckemann some time ago, and recently reported with a reproducer by @alois31, a security issue in Nix allowed allowed a build process to access and change the permissions of the build directory. After creating a setuid binary in a globally accessible location, a malicious local user could assume the permissions of a Nix daemon worker and hijack all future builds.

Concretely, this would happen when all the following conditions are met:

• The attacker has access to a local user
• The local user has access to the Nix daemon (but does not have to be a trusted user)
• seccomp is disabled (if the sandbox is disabled or filter-syscalls if set to false on Linux) or ineffective (fixed in #10501)

It has been patched in the following Nix versions:

• 2.23.1
• 2.22.2
• 2.21.3
• 2.20.7
• 2.19.5
• 2.18.4

How to update

• The fix will first land in nixos-unstable-small, and then nixpkgs-unstable.
• Backports to nixos-23.11 And nixos-24.05 are on the way, and are likely to land first on nixos-23.11-small and nixos-24.05-small.
• If you don’t, or if you can’t afford to wait, you can directly fetch the source from the patches above.

No, it is not there yet. It wasn’t even in cache.nixos.org at the moment of your post.

Yes, true, excuse the copypasta. I’m just a dog in a lab coat, never done this before.

Because I wasn’t able to find the PR that updated nixpkgs with a quick search for 2.23.1, I’m linking it here after doing a deeper search.

I have been using nosuid,nodev mounts for /nix and /tmp, doesn’t that also prevent this?

No, it doesn’t. But running an up-to-date Nix does.