unofficial mirror of bug-guile@gnu.org 
From: Andy Wingo <wingo@pobox.com>
To: Rob Browning <rlb@defaultvalue.org>
Cc: 18477-done@debbugs.gnu.org, 758971@bugs.debian.org,
	758971-forwarded@bugs.debian.org,
	Rand Peters <rwpeters@yandex.com>
Subject: bug#18477: Bug#758971: byte-compiled files have wrong permissions
Date: Tue, 21 Jun 2016 18:06:00 +0200
Message-ID: <87k2hiwmqf.fsf@pobox.com>
In-Reply-To: <87k355yjic.fsf@trouble.defaultvalue.org> (Rob Browning's message of "Sun, 14 Sep 2014 16:33:47 -0500")

Fixed in 2.0 and the 2.2 prerelease.  Thanks!

Andy

On Sun 14 Sep 2014 23:33, Rob Browning <rlb@defaultvalue.org> writes:

> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <rwpeters@yandex.com> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript             # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>>   (display "this program contains an embedded secret")
>>   (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;;       or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
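
Added example, not part of the thread and not Guile's own code: a shell function that audits an existing auto-compile cache for the condition the report describes, i.e. compiled files carrying permission bits their source lacks. It assumes GNU find and stat and the cache layout visible in the report's output (`<ccache>/<version-dir>/<absolute source path>.go`); the function name is hypothetical.

```shell
#!/bin/sh
# Added example: list Guile auto-compiled files that are more permissive
# than the source they were compiled from.
# Assumed layout (taken from the report's output):
#   <ccache>/<version-dir>/<absolute source path>.go
# Usage: audit_guile_ccache [ccache-dir]   (default: ~/.cache/guile/ccache)
# Output: one line per finding, "<compiled-mode> <source-mode> <compiled-path>"

audit_guile_ccache() {
    ccache=${1:-"$HOME/.cache/guile/ccache"}
    ccache=${ccache%/}                      # tolerate a trailing slash
    find "$ccache" -mindepth 2 -type f -name '*.go' |
    while IFS= read -r go; do
        rel=${go#"$ccache"/}                # <version-dir>/<source path>.go
        src=/${rel#*/}                      # drop the version directory
        src=${src%.go}                      # drop the compiled-file suffix
        [ -f "$src" ] || continue           # source gone: nothing to compare
        go_mode=$(stat -c %a "$go")         # octal mode, e.g. 644
        src_mode=$(stat -c %a "$src")       # octal mode, e.g. 700
        # Permission bits present on the compiled file but not on the source.
        extra=$(( 0$go_mode & ~0$src_mode & 0777 ))
        if [ "$extra" -ne 0 ]; then
            printf '%s %s %s\n' "$go_mode" "$src_mode" "$go"
        fi
    done
}
```

Files it reports can be tightened with chmod or deleted; a Guile build without the fix recreates them with umask-derived permissions on the next run.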






Thread overview: 3+ messages
     [not found] <8208031408792652@web8g.yandex.ru>
2014-09-14 21:33 ` bug#18477: Bug#758971: byte-compiled files have wrong permissions Rob Browning
2016-02-10  1:39   ` bug#18477: " Matt Wette
2016-06-21 16:06   ` Andy Wingo [this message]
