Hi, [CC'ing some Guile and Guix maintainers because this is important for the security of Guix System.] I want to explain why these patches (and the O_FLAGS (*) patch) should be included in Guile. Functions like "openat" are important to avoid TOCTTOU (time-of-check to time-of-use) vulnerabilities involving symbolic links. For example, suppose we have a web server implemented in Guile. Suppose the address is https://web.gnu. It allows a local user U (and some others) to define their own web pages to host at http://web.gnu/~U, by writing files to /home/U/www. As there are multiple users, the server has to run as root. Now suppose U is the malicious kind of user. Then $U could create a symlink at /home/U/www/maliciousity pointing to /home/other-user/.gnupg/private-keys-v1.d/FINGERPRINT.key. Now U could download other-user's gpg key, for example with "wget http://web.gnu/~U/maliciousity". Oops! How can this vulnerability be avoided? * Use O_NOFOLLOW to *not* follow the symbolic link. Patch for adding O_NOFOLLOW to guile: . And why do we need openat? Well, suppose the web server is not read-only, and supports (say) WebDAV or FTP for modifying files remotely (I mean U can remotely modify http://web.gnu/~U). Then U could create a symlink at /home/U/www/maliciousity pointing to /home/other-user. Now U can peek into other-user's home directory and overwrite files. Oops! How can the web server avoid this? * First open "/home/U" as usual, resulting in a port $1. Then use (openat $1 "maliciousity" O_NOFOLLOW), resulting in a port $2. Use (stat $2) to see if $2 is a directory or a regular file **and** to see if $2 is owned by $2! If necessary, recurse, etc. Display a directory listing or display the file, etc. How does this matter for Guix? Guix has a TOCTTOU race: . It has been partially fixed: . However, a complete fix requires bindings to "openat". I found another similar issue in Guix lately (not yet disclosed publicly). While I think the conditions for this other potential security issue to be exploitable don't ever happen in practice, I would still like to fix this issue, and to be able to prevent similar issues from appearing in the future. Greetings, Maxime.