From: Xinglu Chen
To: Maxime Devos, 48872@debbugs.gnu.org
Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
Date: Tue, 08 Jun 2021 16:42:43 +0200
Message-ID: <874ke8s9i4.fsf@yoctocell.xyz>

On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen wrote on Sun 06-06-2021 at 14:51 [+0200]:
>> [ This was reported on the Nixpkgs bug tracker a few weeks ago ]
>>
>> When doing something like
>>
>>   (call-with-output-file FILE
>>     (lambda (port)
>>       (display SECRET port)))
>>   (chmod FILE #o400)
>>
>> an unprivileged user could open FILE before FILE had been chmod’ed, and
>> then read the contents of FILE.
>>
>> One solution to this problem would be to use
>>
>>   (mkdir (dirname FILE) #o400)
>>
>> before writing SECRET to FILE.
>
> Alternatively, a variant of call-with-output-file
> could be defined that has a #:perms argument.
>
> This new procedure, let's call it call-with-output-file*,
> could create a file with the right permissions with
> (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
> or something like that.
>
> Then the vulnerable code above would become ...
>
> (call-with-output-file* FILE
>   (lambda (port)
>     (display SECRET port))
>   #:perms #o400)
>
> This seems a bit easier in usage to me!
> No need to worry if changing the permissions of the parent
> directory would break anything this way.

Indeed, this sounds like a better approach!
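The approach discussed in the message above, sketched in Guile as an added example (not code from the thread or from Guix). The procedure name and the #:perms keyword come from the message; the body, the O_EXCL flag, the #o600 default and the /tmp demo path are assumptions.

```scheme
;; Added example; not taken from Guix.  The name and #:perms keyword follow
;; the thread, the body is an assumption.
(define* (call-with-output-file* file proc #:key (perms #o600))
  "Create FILE with mode PERMS and call PROC with an output port to it."
  ;; The mode is applied by open(2) at creation time, so FILE never exists
  ;; with wider permissions; the umask can only clear bits from PERMS.
  ;; O_EXCL makes the call fail with EEXIST instead of reusing an existing
  ;; file, whose old mode open(2) would leave untouched.
  ;; logior is Guile's core bitwise OR.
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (dynamic-wind
      (const #t)
      (lambda () (proc port))
      (lambda () (close-port port)))))

;; Constructed demo path and secret.
(define demo-file
  (string-append "/tmp/secret-demo-" (number->string (getpid))))

(call-with-output-file* demo-file
  (lambda (port) (display "constructed-secret" port))
  #:perms #o400)

(simple-format #t "mode after creation: ~A~%"
               (number->string (stat:perms (stat demo-file)) 8))

;; A second call finds the file already present and must be refused.
(simple-format #t "existing file refused with EEXIST: ~A~%"
               (catch 'system-error
                 (lambda ()
                   (call-with-output-file* demo-file (const #t) #:perms #o400)
                   #f)
                 (lambda args (eqv? EEXIST (system-error-errno args)))))

(delete-file demo-file)
```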