* bug#18477: Bug#758971: byte-compiled files have wrong permissions
[not found] <8208031408792652@web8g.yandex.ru>
@ 2014-09-14 21:33 ` Rob Browning
2016-02-10 1:39 ` bug#18477: " Matt Wette
2016-06-21 16:06 ` bug#18477: Bug#758971: " Andy Wingo
0 siblings, 2 replies; 3+ messages in thread
From: Rob Browning @ 2014-09-14 21:33 UTC (permalink / raw)
To: 18477; +Cc: 758971, 758971-forwarded, Rand Peters
[If possible, please preserve the -forwarded address in any replies.]
I suspect this should be fixed, if it hasn't been already.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
Thanks
Rand Peters <rwpeters@yandex.com> writes:
> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
> (display "this program contains an embedded secret")
> (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;; or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#18477: byte-compiled files have wrong permissions
2014-09-14 21:33 ` bug#18477: Bug#758971: byte-compiled files have wrong permissions Rob Browning
@ 2016-02-10 1:39 ` Matt Wette
2016-06-21 16:06 ` bug#18477: Bug#758971: " Andy Wingo
1 sibling, 0 replies; 3+ messages in thread
From: Matt Wette @ 2016-02-10 1:39 UTC (permalink / raw)
To: 18477
Comment:
Does a fix of this bug imply that permissions on each directory in the trail to compiled files should reflect the permissions on the trail to the source file?
^ permalink raw reply [flat|nested] 3+ messages in thread
* bug#18477: Bug#758971: byte-compiled files have wrong permissions
2014-09-14 21:33 ` bug#18477: Bug#758971: byte-compiled files have wrong permissions Rob Browning
2016-02-10 1:39 ` bug#18477: " Matt Wette
@ 2016-06-21 16:06 ` Andy Wingo
1 sibling, 0 replies; 3+ messages in thread
From: Andy Wingo @ 2016-06-21 16:06 UTC (permalink / raw)
To: Rob Browning; +Cc: 18477-done, 758971, 758971-forwarded, Rand Peters
Fixed in 2.0 and the 2.2 prerelease. Thanks!
Andy
On Sun 14 Sep 2014 23:33, Rob Browning <rlb@defaultvalue.org> writes:
> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <rwpeters@yandex.com> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>> (display "this program contains an embedded secret")
>> (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;; or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-06-21 16:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <8208031408792652@web8g.yandex.ru>
2014-09-14 21:33 ` bug#18477: Bug#758971: byte-compiled files have wrong permissions Rob Browning
2016-02-10 1:39 ` bug#18477: " Matt Wette
2016-06-21 16:06 ` bug#18477: Bug#758971: " Andy Wingo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).