From: Andy Wingo
Newsgroups: gmane.lisp.guile.bugs
Subject: bug#18477: Bug#758971: byte-compiled files have wrong permissions
Date: Tue, 21 Jun 2016 18:06:00 +0200
Message-ID: <87k2hiwmqf.fsf@pobox.com>
References: <8208031408792652@web8g.yandex.ru> <87k355yjic.fsf@trouble.defaultvalue.org>
In-Reply-To: <87k355yjic.fsf@trouble.defaultvalue.org> (Rob Browning's message of "Sun, 14 Sep 2014 16:33:47 -0500")
To: Rob Browning
Cc: 18477-done@debbugs.gnu.org, 758971@bugs.debian.org, 758971-forwarded@bugs.debian.org, Rand Peters
List-Id: "Bug reports for GUILE, GNU's Ubiquitous Extension Language"
Xref: news.gmane.org gmane.lisp.guile.bugs:8112

Fixed in 2.0 and the 2.2 prerelease. Thanks!

Andy

On Sun 14 Sep 2014 23:33, Rob Browning writes:

> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>>   (display "this program contains an embedded secret")
>>   (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;; or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
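A cache produced by an unfixed Guile keeps its leaky .go files until something rewrites them, so an audit of the existing cache is worth having alongside the fix. The script below is an added example, not code from the bug report or from Guile itself. It assumes the cache layout visible in the report's paths, <cache_root>/<tag>/<absolute source path>.go (e.g. ccache/2.0-LE-4-2.0/home/rwp/myscript.go), walks every .go under $HOME/.cache/guile/ccache, maps it back to its source, and flags any compiled file that grants group/other bits the source does not; with fix=True it clears exactly those bits. The function and helper names, and the build_demo_cache() sample tree, are this example's own constructions.

```python
"""Audit a Guile auto-compilation cache for byte-compiled (.go) files that
are more permissive than the source they were compiled from.

Added example; not code from the bug report or from Guile. The cache layout
<cache_root>/<tag>/<absolute source path>.go is assumed from the paths shown
in the report (e.g. ccache/2.0-LE-4-2.0/home/rwp/myscript.go).
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The bits that leak in this bug: anything group or other may do to the file.
SHARE_BITS = stat.S_IRWXG | stat.S_IRWXO


@dataclass
class Finding:
    compiled: str
    source: str
    compiled_mode: int   # permission bits of the .go file
    source_mode: int     # permission bits of the source it came from


def mode_of(path: str) -> int:
    """Permission bits only (no file-type bits) of path."""
    return stat.S_IMODE(os.stat(path).st_mode)


def source_for(tag_dir: str, compiled: str) -> Optional[str]:
    """Map <tag_dir>/<abs source path>.go back to /<abs source path>."""
    rel = os.path.relpath(compiled, tag_dir)
    if not rel.endswith(".go"):
        return None
    return os.sep + rel[:-len(".go")]


def audit_guile_ccache(cache_root: str, fix: bool = False) -> List[Finding]:
    """Return every .go whose group/other bits exceed those of its source.

    With fix=True the offending bits are cleared on the .go file: the same
    "no wider than the source" rule the report asks Guile to apply itself.
    """
    findings: List[Finding] = []
    for tag in sorted(os.listdir(cache_root)):
        tag_dir = os.path.join(cache_root, tag)
        if not os.path.isdir(tag_dir):
            continue
        for dirpath, _dirs, files in os.walk(tag_dir):
            for name in files:
                compiled = os.path.join(dirpath, name)
                if os.path.islink(compiled):
                    continue  # never follow a link out of the cache
                source = source_for(tag_dir, compiled)
                if source is None or not os.path.isfile(source):
                    continue  # not a .go, or a stale entry whose source is gone
                cmode, smode = mode_of(compiled), mode_of(source)
                leaked = cmode & SHARE_BITS & ~smode  # bits only the .go grants
                if leaked:
                    findings.append(Finding(compiled, source, cmode, smode))
                    if fix:
                        os.chmod(compiled, cmode & ~leaked)
    return findings


def build_demo_cache() -> Tuple[str, str, str]:
    """Constructed sample data reproducing the report in a temp dir: a 0600
    source with an embedded secret whose .go was created 0644 (the leak),
    plus a 0644 source whose 0644 .go is fine. Returns (cache_root, src, go)
    for the leaking pair."""
    root = tempfile.mkdtemp(prefix="guile-ccache-demo-")
    cache_root = os.path.join(root, "ccache")
    tag_dir = os.path.join(cache_root, "2.0-LE-4-2.0")

    def make(rel_src: str, src_mode: int, go_mode: int, body: str) -> Tuple[str, str]:
        src = os.path.join(root, "home", "rwp", rel_src)
        os.makedirs(os.path.dirname(src), exist_ok=True)
        with open(src, "w") as f:
            f.write(body)
        os.chmod(src, src_mode)
        go = os.path.join(tag_dir, src.lstrip(os.sep) + ".go")
        os.makedirs(os.path.dirname(go), exist_ok=True)
        with open(go, "w") as f:
            f.write("constructed stand-in for compiled bytecode: " + body)
        os.chmod(go, go_mode)
        return src, go

    secret_src, secret_go = make("myscript", 0o600, 0o644,
                                 '(define secret-password "DEADBEEFDEADBEEF")\n')
    make("public.scm", 0o644, 0o644, '(display "nothing secret here")\n')
    return cache_root, secret_src, secret_go


if __name__ == "__main__":
    ccache = os.path.expanduser("~/.cache/guile/ccache")
    root = ccache if os.path.isdir(ccache) else build_demo_cache()[0]
    for f in audit_guile_ccache(root):
        print(f"{f.compiled}: mode {oct(f.compiled_mode)} but source "
              f"{f.source} is {oct(f.source_mode)}")
```

Run it as the affected user; it reports each leaking .go with both modes, and audit_guile_ccache(root, fix=True) tightens them in place. Deleting the cache entries instead is equally sound, since Guile simply recompiles them (with the fixed permissions once the fixed Guile is installed). Note that the check compares only group/other bits, so a source that is itself world-readable is never flagged, matching the report's requirement that the compiled file be no wider than its source.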