From: Rob Browning <rlb@defaultvalue.org>
To: 18477@debbugs.gnu.org
Cc: 758971@bugs.debian.org, 758971-forwarded@bugs.debian.org,
Rand Peters <rwpeters@yandex.com>
Subject: bug#18477: Bug#758971: byte-compiled files have wrong permissions
Date: Sun, 14 Sep 2014 16:33:47 -0500
Message-ID: <87k355yjic.fsf@trouble.defaultvalue.org>
In-Reply-To: <8208031408792652@web8g.yandex.ru>
[If possible, please preserve the -forwarded address in any replies.]
I suspect this should be fixed, if it hasn't been already.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
Thanks
Rand Peters <rwpeters@yandex.com> writes:
> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
>   (display "this program contains an embedded secret")
>   (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;; or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
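An added example, not part of this thread or of Guile itself: a small POSIX shell audit for the condition the report describes (cache files wider than their source), plus the write pattern the report asks for (output created closed, then given the source's mode). It assumes GNU coreutils `stat -c`, `find -mindepth`, and the ccache layout shown in the report, `<ccache>/<abi-dir>/<absolute source path>.go`; the file name `audit-ccache.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a Guile ccache directory for
# byte-compiled files whose permissions are wider than those of the source
# they were compiled from, and show how to write output with the source's
# mode.  Assumes GNU coreutils `stat -c` and the ccache layout from the report:
#   <ccache>/<abi-dir>/<absolute source path>.go
set -u

# Octal permission bits of a file, e.g. 600 or 644.
mode_of() {
    stat -c '%a' "$1"
}

# True if cache mode $1 grants any group/other bit that source mode $2 does not.
wider_than() {
    [ $(( (0$1 & 077) & ~(0$2 & 077) )) -ne 0 ]
}

# Print "<cache-file> <mode> <source> <mode>" for each offending .go file in
# the ccache directory $1; prints nothing when every cache file is as tight
# as its source.  Cache files whose source no longer exists are skipped.
report_wide_ccache_files() {
    ccache="$1"
    find "$ccache" -mindepth 2 -type f -name '*.go' | while read -r go; do
        rel="${go#"$ccache"/}"          # 2.0-LE-4-2.0/home/rwp/myscript.go
        abi="${rel%%/*}"                # 2.0-LE-4-2.0
        src="${go#"$ccache"/"$abi"}"    # /home/rwp/myscript.go
        src="${src%.go}"                # /home/rwp/myscript
        [ -f "$src" ] || continue
        gm=$(mode_of "$go") && sm=$(mode_of "$src") || continue
        if wider_than "$gm" "$sm"; then
            printf '%s %s %s %s\n' "$go" "$gm" "$src" "$sm"
        fi
    done
}

# The fix the report asks for: write stdin to $2 carrying the mode of $1.
# The file is created closed (umask 077) and only widened afterwards, so the
# compiled output is never readable by others, not even briefly.
write_with_source_mode() {
    src="$1"; dst="$2"; tmp="$dst.tmp.$$"
    ( umask 077 && cat > "$tmp" ) || return 1
    chmod "$(mode_of "$src")" "$tmp" && mv "$tmp" "$dst"
}

# Usage: sh audit-ccache.sh ~/.cache/guile/ccache
[ $# -eq 0 ] || report_wide_ccache_files "$1"
```

Run it against `~/.cache/guile/ccache` to list cache files that leak more than their source permits; an empty result means the cache is no wider than the sources it was built from.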
Thread overview: 3+ messages
[not found] <8208031408792652@web8g.yandex.ru>
2014-09-14 21:33 ` Rob Browning [this message]
2016-02-10 1:39 ` bug#18477: byte-compiled files have wrong permissions Matt Wette
2016-06-21 16:06 ` bug#18477: Bug#758971: " Andy Wingo