Nix privilege escalation security advisory
The NixOS project has announced a critical vulnerability in many versions of the Nix package manager's daemon. The flaw was introduced as part of a fix for a prior vulnerability in 2024. According to the advisory, all default configurations of NixOS and systems building untrusted derivations are impacted.
A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds; sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents.
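The pattern the advisory describes, reduced to its essentials as an added example (this is illustrative code, not Nix's code and not the project's actual fix): an untrusted builder controls a directory, a privileged orchestrator later writes "output contents" to a fixed path inside that directory, and the builder has replaced that path with a symlink pointing at a file the orchestrator can write. The naive writer follows the link; the hardened writer opens the staging path with O_NOFOLLOW (and O_EXCL) so the kernel refuses a symlink at that position. The "host" filesystem, the sensitive file, the build directory and the payload bytes are all constructed inside a temporary directory so the script runs unprivileged and cleans up after itself.

```python
import errno
import os
import tempfile

# Constructed sample payload standing in for a derivation's output contents.
OUTPUT_CONTENTS = b"derivation output\n"


def plant_symlink(build_dir: str, target: str) -> str:
    """What the untrusted builder does.

    The builder owns build_dir, so it can create a symlink at the exact path
    where the orchestrator will later stage the output copy, pointing at any
    file it wants overwritten in the orchestrator's (host) view of the
    filesystem.
    """
    staged = os.path.join(build_dir, "out")
    os.symlink(target, staged)
    return staged


def register_output_naive(staged: str, contents: bytes) -> None:
    """Vulnerable pattern: a plain open() for writing follows symlinks, so the
    privileged process writes through the builder's link and clobbers the
    target with the output contents."""
    with open(staged, "wb") as f:
        f.write(contents)


def register_output_nofollow(staged: str, contents: bytes) -> None:
    """Hardened pattern: O_NOFOLLOW makes open() fail (ELOOP) if the final path
    component is a symlink, and O_CREAT|O_EXCL makes it fail (EEXIST) if
    anything, symlink included, already sits at that path. Either way the
    privileged process never writes through a builder-planted link."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(staged, flags, 0o644)
    try:
        os.write(fd, contents)
    finally:
        os.close(fd)


def simulate(register) -> tuple:
    """Build a throwaway 'host' with a sensitive file and a builder-writable
    directory, let the builder plant its symlink, then run `register` the way
    a privileged orchestrator would.

    Returns (clobbered, error_name): whether the sensitive file now holds the
    output contents, and the errno name if registration was refused.
    """
    with tempfile.TemporaryDirectory() as host:
        sensitive = os.path.join(host, "etc", "sensitive")
        os.makedirs(os.path.dirname(sensitive))
        with open(sensitive, "wb") as f:
            f.write(b"original\n")

        build_dir = os.path.join(host, "build")
        os.mkdir(build_dir)
        staged = plant_symlink(build_dir, sensitive)

        error = None
        try:
            register(staged, OUTPUT_CONTENTS)
        except OSError as e:
            error = errno.errorcode.get(e.errno, str(e.errno))

        with open(sensitive, "rb") as f:
            clobbered = f.read() == OUTPUT_CONTENTS
        return clobbered, error


if __name__ == "__main__":
    print("naive   :", simulate(register_output_naive))
    print("nofollow:", simulate(register_output_nofollow))
```

The O_NOFOLLOW check only protects the last path component; a builder that controls a parent directory can still swap an intermediate component for a symlink. The more robust fix is the structural one the advisory's wording points at: the orchestrator should never stage its copy at a path inside a tree the builder can write to, but in a directory it created itself with a mode and name the builder cannot influence.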
In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users, defaulting to all users) to gain root privileges by modifying sensitive files.