From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id 6PBkCOwwv2BrSQAAgWs5BA (envelope-from ) for ; Tue, 08 Jun 2021 10:57:16 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id 0FGyA+wwv2AYYAAA1q6Kng (envelope-from ) for ; Tue, 08 Jun 2021 08:57:16 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 84D9C137D6 for ; Tue, 8 Jun 2021 10:57:15 +0200 (CEST) Received: from localhost ([::1]:43466 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lqXXt-0002ST-Ps for larch@yhetil.org; Tue, 08 Jun 2021 04:57:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:41162) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lqXXi-0002S3-Ml for bug-guix@gnu.org; Tue, 08 Jun 2021 04:57:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:45828) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lqXXi-00088u-GA for bug-guix@gnu.org; Tue, 08 Jun 2021 04:57:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lqXXi-00046e-7Q for bug-guix@gnu.org; Tue, 08 Jun 2021 04:57:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#48872: Guix services: =?UTF-8?Q?=E2=80=98chmod=E2=80=99?= leaves opportunity to leak secrets Resent-From: Maxime Devos Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Tue, 08 Jun 2021 08:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 48872 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Xinglu Chen , 48872@debbugs.gnu.org Received: via spool by 48872-submit@debbugs.gnu.org id=B48872.162314261915776 (code B ref 48872); Tue, 08 Jun 2021 08:57:02 +0000 Received: (at 48872) by debbugs.gnu.org; 8 Jun 2021 08:56:59 +0000 Received: from localhost ([127.0.0.1]:57374 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lqXXe-00046N-Uq for submit@debbugs.gnu.org; Tue, 08 Jun 2021 04:56:59 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:42636) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lqXXc-00046C-JK for 48872@debbugs.gnu.org; Tue, 08 Jun 2021 04:56:57 -0400 Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d]) by baptiste.telenet-ops.be with bizsmtp id EYwu2501X0mfAB401Ywuyi; Tue, 08 Jun 2021 10:56:55 +0200 Message-ID: <74f0e45af9ab426a5105452f191cffad337ca7ce.camel@telenet.be> From: Maxime Devos Date: Tue, 08 Jun 2021 10:55:57 +0200 In-Reply-To: <87y2bn5f6v.fsf@yoctocell.xyz> References: <87y2bn5f6v.fsf@yoctocell.xyz> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-h0c5os5Br/nYubEHOe9j" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21; t=1623142615; bh=0bFQiKI9p5XSlJhmpW2YsCrScK6XFt69R79OSkHHJQs=; h=Subject:From:To:Date:In-Reply-To:References; b=u6FJ8RYCUSWft+6xak/YiTjtAMN4f7EVJ2Vm/QEghZ1sOHTX0YCUZx8vicejvHUgn 7z+snA0W3WR+JyA0UT0DWAx6jFDvjUcS44sUSxqY5/z8FeM+mEUNkPyOLXDWMCDBk0 UW8HR+R736NneslsdFYurK/JKsEuQE/VFXV1hWDXsgNDbMHHW53pDHGAAVGVAzOAaB 5nJPck7jRIpymC4QHgqaraONNMB7qvWCigBSD3uzCVUHl0nP7DBmeRdbHh7IifWbCG rZJE4p0GfK2vQ9xJcW36+vShjFyVJNUwYVEsWpZqPEVlHXtcXNoI2pdw/yTQtx1EYq OkhV9B47PGyVA== X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1623142635; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:in-reply-to:in-reply-to:references:references: list-id:list-help:list-unsubscribe:list-subscribe:list-post: dkim-signature; bh=0bFQiKI9p5XSlJhmpW2YsCrScK6XFt69R79OSkHHJQs=; b=ev60VAoTdDe4YZxNiKYpZLzwqNVvk01uTZDoR60kzkACAmbHH4dwgZbhY7TLqLAn/6CQ/Z lO7so7oOCC8QIjFgpo2kJXlnpDgPDLpmflbmlLO/i4AfVKUMJ2ewdKXfRQaQJxuDvdkcnX edroyrmvklscjRwxkz/zccE4HGNBKwKwPt3Xx9P3gKO4RBwbekNbQNI4rS1mRvSjUSS5hN zl+wdCeB00PIhMPvFZe1qrwpybfoDLuaGFxUxowf2rPFdaVs1lyAuOs0KTBl3zeSyekvSp QKIE01mdV7pcXhiX971ruV6D9VknBC4oLm0oiC9tLMWbqOCoWEvYvOCTGydHOg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1623142635; a=rsa-sha256; cv=none; b=pW6XYPhLTcOfoExh4qFHWu14nly9nOjeLc4aEkZOMOcjy8+to4f4Wt8s9V9rZ7OHxcOmtU sqFEyuV3tQjQcMNb267VK5bkuGYs9u6mCF6GeW+SRyYeqelcDYEsB9HJIx4QJYSeqat+SG cNoYE3lZF9MGMNoUcPNTq8YvtcwlzcZ1diZbJqwZ1DJKTpKV7jsWlo/SECX1/VjdtE9Yqo V9/8Y6q5kxG+anXFtu8QBT0e4riZiL8I2TbyUHUjMpKHNIinUQy0NVzpBADyZKczwOWA+2 QSwbqMihmvhC6ypa7svKrM2kTdUk2reuo/vcM59K7ipQHLDWuH1iwPBYLMBqAw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=u6FJ8RYC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -3.42 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=telenet.be header.s=r21 header.b=u6FJ8RYC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=telenet.be (policy=none); spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: 84D9C137D6 X-Spam-Score: -3.42 X-Migadu-Scanner: scn0.migadu.com X-TUID: RK0wuuTDi0G1 --=-h0c5os5Br/nYubEHOe9j Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]: > [ This was reported on the Nixpkgs bug tracker a few weeks ago > ] >=20 > When doing something like >=20 > (call-with-output-file FILE > (lambda (port) > (display SECRET port))) > (chmod FILE #o400) >=20 > an unpriviliged user could open FILE before FILE had been chmod=E2=80=99e= d, and > then read the contents of FILE. >=20 > One solution to this problem would be to use >=20 > (mkdir (dirname FILE) #o400) >=20 > before writing SECRET to FILE. Alternatively, a variant of call-with-output-file could be defined that has a #:perms argument. This new procedure, let's call it call-with-output-file*, could create a file with the right permissions with (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400) or something like that. Then the vulnerable code above would become ... (call-with-output-file* FILE (lambda (port) (display SECRET port)) #:perms #o400) This seems a bit easier in usage to me! No need to worry if changing the permissions of the parent directory would break anything this way. Greetings, Maxime. --=-h0c5os5Br/nYubEHOe9j Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYL8woxccbWF4aW1lZGV2 b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7l6LAP9lvxXDTIy22StYXL4K5fIrEGpA w1WNajUSoUbXzxfV3wD/Z+45+0ZgGs32klEU5w/WMU6Rc1b8l6UAO3eYcJMBhgE= =JCiS -----END PGP SIGNATURE----- --=-h0c5os5Br/nYubEHOe9j--