GNU bug report logs -
#57363
[PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.
Reported by: Arun Isaac <arunisaac <at> systemreboot.net>
Date: Tue, 23 Aug 2022 17:32:02 UTC
Severity: normal
Tags: patch
Done: Arun Isaac <arunisaac <at> systemreboot.net>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Tue, 23 Aug 2022 17:32:02 GMT)
Acknowledgement sent to Arun Isaac <arunisaac <at> systemreboot.net>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 23 Aug 2022 17:32:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
When a shepherd service is run using make-forkexec-constructor, the log file
has #o640 permissions. This is set in the shepherd source code.
=> https://git.savannah.gnu.org/cgit/shepherd.git/tree/modules/shepherd/service.scm?h=v0.9.1#n987
However, when a shepherd service is run using
make-forkexec-constructor/container, the log file has #o644 permissions. This
patch corrects that.
CCing Ludo since they wrote the code adjacent to this patch.
Thanks!
Arun Isaac (1):
shepherd: Set #o640 permissions for log file of service in container.
gnu/build/shepherd.scm | 2 ++
1 file changed, 2 insertions(+)
--
2.37.1
Information forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Tue, 23 Aug 2022 17:34:02 GMT)
Message #8 received at 57363 <at> debbugs.gnu.org:
* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.
---
gnu/build/shepherd.scm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index f4caefce3c..c7ba73967f 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2020 Mathieu Othacehe <othacehe <at> gnu.org>
;;; Copyright © 2022 Leo Nikkilä <hello <at> lnikki.la>
+;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -187,6 +188,7 @@ (define mounts
;; Create LOG-FILE so we can map it in the container.
(unless (file-exists? log-file)
(call-with-output-file log-file (const #t))
+ (chmod log-file #o640)
(when user
(let ((pw (getpwnam user)))
(chown log-file (passwd:uid pw) (passwd:gid pw))))))
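Review bot: the added `(chmod log-file #o640)` runs only after `call-with-output-file` has already created LOG-FILE with the default 0666 & ~umask mode, so there is a window in which the file is readable by everyone before the chmod lands; creating it with the mode passed straight to `open`, e.g. `(close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640))`, removes that window. Note also that both the creation and the chmod sit under `(unless (file-exists? log-file) ...)`, so a log file left behind by an earlier run keeps whatever permissions it already has.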
--
2.37.1
Information forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Fri, 26 Aug 2022 14:49:01 GMT)
Message #11 received at 57363 <at> debbugs.gnu.org:
On 23-08-2022 19:31, Arun Isaac wrote:
> However, when a shepherd service is run using
> make-forkexec-constructor/container, the log file has #o644 permissions. This
> patch corrects that.
There is a small window during which the log file has overly-wide
permissions, which IIUC makes the log openable when it shouldn't, which
could later be exploited (after the daemon has been running for a while)
to extract anything secret written to the log by the service.
Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC)
#o600)) instead, that should make things atomic.
I do not know if clearing the log file is desired -- if so, remove
O_APPEND, if not, keep O_APPEND.
Maybe O_RDONLY or O_WRONLY or O_RDWR needs to be added to make the call
to 'open' succeed.
Greetings,
Maxime
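The window Maxime describes, and the atomic alternative, as an added example in Python rather than Guile. This is not Guix or shepherd code; the file names, the umask values and the "stale" log file are constructed for the demonstration, and the functions return the observed permission bits so each case can be checked.

```python
import os
import stat
import tempfile

# Added example (not Guix or shepherd code): the two log-file creation
# patterns from this thread, reproduced in Python so the permission
# window and its atomic fix can be observed on any POSIX system.
# Path names and umask values are constructed for the demonstration.

LOG_MODE = 0o640  # the mode shepherd's make-forkexec-constructor uses


def file_mode(path):
    """Permission bits of PATH, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_then_chmod(path, umask=0o022):
    """First-patch pattern: create with the default mode, then chmod.
    Returns (mode visible between the two calls, mode after chmod)."""
    old_umask = os.umask(umask)
    try:
        # Like call-with-output-file: the file appears with 0o666 & ~umask.
        with open(path, "a"):
            pass
        during_window = file_mode(path)   # what a concurrent reader sees
        os.chmod(path, LOG_MODE)
        after = file_mode(path)
    finally:
        os.umask(old_umask)
    return during_window, after


def create_atomically(path, umask=0o022):
    """Second-patch pattern: hand the mode to open(2) together with O_CREAT,
    so the file never exists with wider permissions. Returns the resulting
    mode. O_WRONLY is added for clarity; O_RDONLY (0) is accepted as well."""
    flags = os.O_CREAT | os.O_APPEND | os.O_CLOEXEC | os.O_WRONLY
    old_umask = os.umask(umask)
    try:
        fd = os.open(path, flags, LOG_MODE)
        os.close(fd)
        return file_mode(path)
    finally:
        os.umask(old_umask)


def demo():
    """Run every case in a scratch directory and return the observed modes."""
    with tempfile.TemporaryDirectory() as scratch:
        racy = os.path.join(scratch, "racy.log")
        atomic = os.path.join(scratch, "atomic.log")
        strict = os.path.join(scratch, "strict-umask.log")
        stale = os.path.join(scratch, "stale.log")

        # Constructed: a log left behind by an earlier run with the old 0o644 mode.
        os.close(os.open(stale, os.O_CREAT | os.O_WRONLY, 0o644))
        os.chmod(stale, 0o644)

        return {
            "create_then_chmod": create_then_chmod(racy),    # (0o644, 0o640)
            "create_atomically": create_atomically(atomic),  # 0o640
            # The mode argument is still narrowed by the umask.
            "restrictive_umask": create_atomically(strict, umask=0o077),  # 0o600
            # O_CREAT without O_EXCL leaves an existing file's mode alone,
            # which is also what the (unless (file-exists? ...)) guard does.
            "preexisting_file": create_atomically(stale),    # 0o644
        }


if __name__ == "__main__":
    for case, mode in demo().items():
        bits = mode if isinstance(mode, tuple) else (mode,)
        print(case, " ".join(oct(m) for m in bits))
```

Only the second pattern enforces the mode at creation time, and even then the umask can narrow it further; neither pattern changes the mode of a file that already exists, so a log created by the old code keeps its 0o644 until something chmods it.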
Information forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Mon, 29 Aug 2022 19:16:02 GMT)
Message #14 received at 57363 <at> debbugs.gnu.org:
Hi Maxime,
> There is a small window during which the log file has overly-wide
> permissions, which IIUC makes the log openable when it shouldn't, which
> could later be exploited (after the daemon has been running for a while)
> to extract anything secret written to the log by the service.
True, thanks for catching that!
> Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC)
> #o600)) instead, that should make things atomic.
Done. An updated patch follows.
> I do not know if clearing the log file is desired -- if so, remove
> O_APPEND, if not, keep O_APPEND.
I don't think clearing the log file is desired. Append is good, I
think. Users wouldn't want their log files overwritten every time their
system is restarted.
Regards,
Arun
Information forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Mon, 29 Aug 2022 19:16:02 GMT)
Message #17 received at 57363 <at> debbugs.gnu.org:
* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.
---
gnu/build/shepherd.scm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index f4caefce3c..9d9bfcfbc0 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -2,6 +2,7 @@
;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2020 Mathieu Othacehe <othacehe <at> gnu.org>
;;; Copyright © 2022 Leo Nikkilä <hello <at> lnikki.la>
+;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -186,7 +187,7 @@ (define mounts
(when log-file
;; Create LOG-FILE so we can map it in the container.
(unless (file-exists? log-file)
- (call-with-output-file log-file (const #t))
+ (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640))
(when user
(let ((pw (getpwnam user)))
(chown log-file (passwd:uid pw) (passwd:gid pw))))))
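Review bot: the `#o640` handed to `open` is still masked by the process umask, and because the call stays under `(unless (file-exists? log-file) ...)` a log file created by the previous code with #o644 is never tightened; either chmod an existing file too, or document that the mode only applies on first creation. Passing O_CREAT without O_WRONLY is fine as written, since O_RDONLY is 0 and open(2) accepts O_RDONLY|O_CREAT.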
--
2.37.1
Information forwarded to guix-patches <at> gnu.org: bug#57363; Package guix-patches. (Fri, 02 Sep 2022 09:22:01 GMT)
Message #20 received at 57363 <at> debbugs.gnu.org:
Hi,
Arun Isaac <arunisaac <at> systemreboot.net> skribis:
> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
> permissions for log file.
LGTM!
However, note that ‘make-forkexec-constructor/container’ is now
deprecated in favor of (guix least-authority); apparently PageKite and
Jami are the only real users left.
Thanks,
Ludo’.
Reply sent to Arun Isaac <arunisaac <at> systemreboot.net>: You have taken responsibility. (Fri, 02 Sep 2022 11:21:02 GMT)
Notification sent to Arun Isaac <arunisaac <at> systemreboot.net>: bug acknowledged by developer. (Fri, 02 Sep 2022 11:21:02 GMT)
Message #25 received at 57363-done <at> debbugs.gnu.org:
>> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
>> permissions for log file.
>
> LGTM!
Thanks, pushed!
> However, note that ‘make-forkexec-constructor/container’ is now
> deprecated in favor of (guix least-authority); apparently PageKite and
> Jami are the only real users left.
Ah, I didn't know. I've been making extensive use of
make-forkexec-constructor/container in guix-forge and all my
services. Time to switch!
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 30 Sep 2022 11:24:09 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.