[ This was reported on the Nixpkgs bug tracker a few weeks ago ]

When doing something like

  (call-with-output-file FILE
    (lambda (port)
      (display SECRET port)))
  (chmod FILE #o400)

an unprivileged user could open FILE before FILE had been chmod’ed, and then read the contents of FILE.

One solution to this problem would be to use (mkdir (dirname FILE) #o400) before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)
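For reference, one way to remove the window entirely in Guile is to create the file with O_CREAT|O_EXCL and its final mode in a single open(2) call, so there is no instant at which FILE exists with permissive permissions. This is an added example, not code from the report or from Guix; write-secret-file and secret-file-private? are hypothetical names.

```scheme
;; Added example (not from the bug report or from Guix).
;; Write SECRET to FILE without ever exposing it to other users.

(define (write-secret-file file secret)
  "Create FILE with mode #o400 atomically and write SECRET into it."
  ;; Make sure the containing directory exists and is owner-only.
  (let ((dir (dirname file)))
    (unless (file-exists? dir)
      (mkdir dir #o700)))
  ;; Remove a stale copy so that O_EXCL creation can succeed.
  (when (file-exists? file)
    (delete-file file))
  ;; O_CREAT|O_EXCL with mode #o400: the inode is created already
  ;; unreadable by anyone but the owner.  The returned port is still
  ;; writable, because access is checked when the descriptor is opened,
  ;; not against the mode the new file receives.
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) #o400)))
    (display secret port)
    (close-port port)))

(define (secret-file-private? file)
  "Return #t if FILE is a regular file readable by its owner only."
  (let ((st (stat file)))
    (and (eq? (stat:type st) 'regular)
         (= (stat:perms st) #o400))))

;; Constructed usage: writes to a scratch path, then checks the mode.
(let ((file "/tmp/example-secret-dir/wg.key"))   ; placeholder path
  (write-secret-file file "CONSTRUCTED-SECRET-VALUE\n")
  (secret-file-private? file))                    ; => #t
```

The check above only confirms the final mode; the property that matters is that no call sequence ever leaves FILE readable before chmod, which the single open(2) with mode #o400 guarantees.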