GNU logs - #48872, boring messages


Message sent to bug-guix@HIDDEN:


Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
To: 48872 <at> debbugs.gnu.org
From: Xinglu Chen <public@HIDDEN>
Date: Sun, 06 Jun 2021 14:51:36 +0200
Message-ID: <87y2bn5f6v.fsf@HIDDEN>

[  This was reported on the Nixpkgs bug tracker a few weeks ago
   <https://github.com/NixOS/nixpkgs/issues/121293>  ]

When doing something like

  (call-with-output-file FILE
    (lambda (port)
      (display SECRET port)))
  (chmod FILE #o400)

an unprivileged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.

One solution to this problem would be to use

  (mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)



Message sent:


From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Xinglu Chen <public@HIDDEN>
Subject: bug#48872: Acknowledgement (Guix services: ‘chmod’ leaves opportunity to leak secrets)
Message-ID: <handler.48872.B.162298390620292.ack <at> debbugs.gnu.org>
Date: Sun, 06 Jun 2021 12:52:01 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-guix@HIDDEN

If you wish to submit further information on this problem, please
send it to 48872 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

-- 
48872: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48872
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems


Message sent to bug-guix@HIDDEN:


Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
To: Xinglu Chen <public@HIDDEN>, 48872 <at> debbugs.gnu.org
Message-ID: <74f0e45af9ab426a5105452f191cffad337ca7ce.camel@HIDDEN>
From: Maxime Devos <maximedevos@HIDDEN>
Date: Tue, 08 Jun 2021 10:55:57 +0200
In-Reply-To: <87y2bn5f6v.fsf@HIDDEN>
References: <87y2bn5f6v.fsf@HIDDEN>

Xinglu Chen wrote on Sun 06-06-2021 at 14:51 [+0200]:
> [  This was reported on the Nixpkgs bug tracker a few weeks ago
>    <https://github.com/NixOS/nixpkgs/issues/121293>  ]
>
> When doing something like
>
>   (call-with-output-file FILE
>     (lambda (port)
>       (display SECRET port)))
>   (chmod FILE #o400)
>
> an unprivileged user could open FILE before FILE had been chmod’ed, and
> then read the contents of FILE.
>
> One solution to this problem would be to use
>
>   (mkdir (dirname FILE) #o400)
>
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

  (call-with-output-file* FILE
    (lambda (port)
      (display SECRET port))
    #:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.

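The following Guile program is an added example for this thread; it is not code from Xinglu Chen's report, from Maxime Devos's reply, from Guix, or from Guile. It instruments the write-then-chmod pattern from the report so the permission bits visible during the race window are returned rather than just described, and beside it implements the ‘call-with-output-file*’ with a ‘#:perms’ argument that the reply sketches. It goes one step beyond the reply's ‘(open … (logior O_WRONLY O_CREAT) …)’ idea by writing to a mkstemp-created temporary and renaming it over the target, so that the procedure also works when the file already exists from a previous boot. It assumes Guile 2.2 or 3.0 (‘mkstemp!’, ‘chmod’ on a port, ‘define*’ keyword arguments); the path ‘/tmp/wg0.conf’, the config text, and the names ‘vulnerable-write’ and ‘hardened-write’ are constructed for the example.

```scheme
;; Added example for bug#48872 (not code from the report, from Guix or from
;; Guile).  Assumes Guile 2.2/3.0: mkstemp!, chmod on a port, define* #:key.

;; The pattern from the report, instrumented.  call-with-output-file creates
;; FILE with mode 0666 & ~umask (0644 under the usual umask 022), so between
;; the write and the chmod the secret is readable by every local user.  The
;; lambda samples the permission bits at that moment and returns them.
(define (vulnerable-write file secret)
  (let ((exposed
         (call-with-output-file file
           (lambda (port)
             (display secret port)
             (force-output port)     ; secret is on disk, mode still 0666 & ~umask
             (logand (stat:perms (stat file)) #o777)))))
    (chmod file #o400)               ; too late: the window above already happened
    exposed))

;; Hardened variant.  The secret never sits at a path with a permissive mode:
;; mkstemp(3) creates the temporary with 0600, the mode is tightened with
;; fchmod on the open descriptor before anything is written, and the finished
;; file is renamed over FILE, which is atomic.  open(2) applies the umask and
;; a umask can only clear bits, so no intermediate state is ever more
;; permissive than 0600.  Temporary plus rename, rather than O_CREAT|O_EXCL
;; on FILE itself, also covers the service case where FILE already exists.
(define* (call-with-output-file* file proc #:key (perms #o400))
  (let* ((template (string-append file ".XXXXXX")) ; mkstemp! rewrites this in place
         (port (mkstemp! template)))
    (dynamic-wind
      (const #t)
      (lambda ()
        (chmod port perms)           ; fchmod before the first byte is written
        (proc port)
        (close-port port)
        (rename-file template file)) ; FILE is either the old or the new content
      (lambda ()
        ;; Cleanup on any exit: close the descriptor and, if the rename did
        ;; not happen, do not leave a copy of the secret behind.
        (unless (port-closed? port) (close-port port))
        (when (file-exists? template)
          (false-if-exception (delete-file template)))))))

;; Writes SECRET to FILE with the hardened procedure and returns the
;; permission bits the file actually ends up with.
(define (hardened-write file secret)
  (call-with-output-file* file
    (lambda (port) (display secret port))
    #:perms #o400)
  (logand (stat:perms (stat file)) #o777))

;; Constructed demonstration; the path and the key value are placeholders.
(define demo-file "/tmp/wg0.conf")
(define demo-secret "[Interface]\nPrivateKey = <constructed placeholder>\n")

(display "mode visible during vulnerable write: 0")
(display (number->string (vulnerable-write demo-file demo-secret) 8))
(newline)
(display "final mode after hardened write: 0")
(display (number->string (hardened-write demo-file demo-secret) 8))
(newline)
(delete-file demo-file)
```

Run it as the user that owns the target directory (‘guile example.scm’); the first line printed depends on the process umask, the second is 0400 regardless of it. The choice of temporary-plus-rename over the reply's O_CREAT open is a trade-off: O_CREAT without O_EXCL would happily write into a file an attacker pre-created or symlinked at FILE, and O_EXCL would make a service fail on every reboot once FILE exists; creating a fresh file under a name nobody else chose and renaming it into place sidesteps both.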






Last modified: Tue, 8 Jun 2021 09:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.