GNU bug report logs - #57363
[PATCH 0/1] Set #o640 permissions for log file of shepherd service in container.


Package: guix-patches;

Reported by: Arun Isaac <arunisaac <at> systemreboot.net>

Date: Tue, 23 Aug 2022 17:32:02 UTC

Severity: normal

Tags: patch

Done: Arun Isaac <arunisaac <at> systemreboot.net>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Tue, 23 Aug 2022 17:32:02 GMT)

Acknowledgement sent to Arun Isaac <arunisaac <at> systemreboot.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Tue, 23 Aug 2022 17:32:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: guix-patches <at> gnu.org
Cc: Arun Isaac <arunisaac <at> systemreboot.net>,
 Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 0/1] Set #o640 permissions for log file of shepherd service in
 container.
Date: Tue, 23 Aug 2022 23:01:02 +0530
When a shepherd service is run using make-forkexec-constructor, the log file
has #o640 permissions. This is set in the shepherd source code.
=> https://git.savannah.gnu.org/cgit/shepherd.git/tree/modules/shepherd/service.scm?h=v0.9.1#n987

However, when a shepherd service is run using
make-forkexec-constructor/container, the log file has #o644 permissions. This
patch corrects that.

CCing Ludo since they wrote the code adjacent to this patch.

Thanks!

Arun Isaac (1):
  shepherd: Set #o640 permissions for log file of service in container.

 gnu/build/shepherd.scm | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.37.1





Information forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Tue, 23 Aug 2022 17:34:02 GMT)

Message #8 received at 57363 <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: 57363 <at> debbugs.gnu.org
Cc: Arun Isaac <arunisaac <at> systemreboot.net>,
 Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH] shepherd: Set #o640 permissions for log file of service in
 container.
Date: Tue, 23 Aug 2022 23:03:25 +0530
* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.
---
 gnu/build/shepherd.scm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index f4caefce3c..c7ba73967f 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2020 Mathieu Othacehe <othacehe <at> gnu.org>
 ;;; Copyright © 2022 Leo Nikkilä <hello <at> lnikki.la>
+;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -187,6 +188,7 @@ (define mounts
       ;; Create LOG-FILE so we can map it in the container.
       (unless (file-exists? log-file)
         (call-with-output-file log-file (const #t))
+        (chmod log-file #o640)
         (when user
           (let ((pw (getpwnam user)))
             (chown log-file (passwd:uid pw) (passwd:gid pw))))))
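Review bot: the `(chmod log-file #o640)` added after `(call-with-output-file log-file (const #t))` leaves a window in which the file already exists with the umask-derived mode (typically #o644) before it is tightened, so any process that opens the log during that window keeps its read access after the chmod. Set the mode at creation instead, for example `(close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640))`, so the permissions are applied atomically with the inode; O_APPEND keeps an existing log rather than truncating it.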
-- 
2.37.1





Information forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Fri, 26 Aug 2022 14:49:01 GMT)

Message #11 received at 57363 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Arun Isaac <arunisaac <at> systemreboot.net>, 57363 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of
 shepherd service in container.
Date: Fri, 26 Aug 2022 16:48:40 +0200
On 23-08-2022 19:31, Arun Isaac wrote:

> However, when a shepherd service is run using
> make-forkexec-constructor/container, the log file has #o644 permissions. This
> patch corrects that.

There is a small window during which the log file has overly-wide 
permissions, which IIUC makes the log openable when it shouldn't, which 
could later be exploited (after the daemon has been running for a while) 
to extract anything secret written to the log by the service.

Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) 
#o600)) instead, that should make things atomic.

I do not know if clearing the log file is desired -- if so, remove 
O_APPEND, if not, keep O_APPEND.

Maybe O_RDONLY or O_WRONLY or O_RDWR needs to be added to make the call 
to 'open' succeed.

Greetings,
Maxime

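The window Maxime describes, and the open-with-mode fix he proposes, shown as an added example in C that is not part of the patch or of Guix. It creates a file the way `call-with-output-file` does (mode 0666, masked by the umask) and then chmods it, recording the mode visible in between, and then creates a file with the mode passed directly to open(2). The temporary directory under /tmp, the umask values 022 and 077 and the file names are assumptions made for this demonstration.

```c
/* Added example, not from the Guix patch: create-then-chmod versus
   passing the mode to open(2).  Paths and umask values are constructed. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of PATH (mode & 07777), or -1 if it cannot be stat'ed. */
static int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Pattern of the first patch: create the file the way call-with-output-file
   does (mode 0666, masked by the umask), then chmod it afterwards.
   Returns the mode another process could observe between the two steps. */
int create_then_chmod(const char *path, mode_t final_mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_CLOEXEC, 0666);
    if (fd < 0)
        return -1;
    int window_mode = file_mode(path);   /* the racy window */
    close(fd);
    if (chmod(path, final_mode) != 0)
        return -1;
    return window_mode;
}

/* Pattern of the v2 patch: pass the mode to open(2) so the inode is created
   with it and no wider mode is ever visible.  Returns the observed mode. */
int create_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, mode);
    if (fd < 0)
        return -1;
    int observed = file_mode(path);
    close(fd);
    return observed;
}

/* Run both patterns in a fresh temporary directory under known umasks and
   report the observed modes.  Returns 0 on success, -1 on any failure. */
int run_demo(int *racy_window_mode, int *atomic_mode, int *atomic_mode_strict_umask)
{
    char dir[] = "/tmp/logperm-demo-XXXXXX";   /* constructed location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char racy[256], atomic[256], strict[256];
    snprintf(racy, sizeof racy, "%s/racy.log", dir);
    snprintf(atomic, sizeof atomic, "%s/atomic.log", dir);
    snprintf(strict, sizeof strict, "%s/strict.log", dir);

    mode_t saved = umask(022);                 /* a typical daemon umask */
    *racy_window_mode = create_then_chmod(racy, 0640);
    *atomic_mode = create_with_mode(atomic, 0640);
    umask(077);                                /* umask only ever tightens the mode */
    *atomic_mode_strict_umask = create_with_mode(strict, 0640);
    umask(saved);

    unlink(racy);
    unlink(atomic);
    unlink(strict);
    rmdir(dir);
    return (*racy_window_mode < 0 || *atomic_mode < 0 ||
            *atomic_mode_strict_umask < 0) ? -1 : 0;
}

int main(void)
{
    int racy, atomic, strict;
    if (run_demo(&racy, &atomic, &strict) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("create-then-chmod, mode visible before chmod: %04o\n", racy);
    printf("open with mode, umask 022:                    %04o\n", atomic);
    printf("open with mode, umask 077:                    %04o\n", strict);
    return 0;
}
```

Under umask 022 the create-then-chmod path exposes 0644 until the chmod runs, while passing the mode to open yields 0640 from the first instant; under umask 077 the same call yields 0600, which shows that the mode argument is an upper bound that the umask can only tighten, never widen.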

Information forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Mon, 29 Aug 2022 19:16:02 GMT)

Message #14 received at 57363 <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Maxime Devos <maximedevos <at> telenet.be>, 57363 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: Re: [bug#57363] [PATCH 0/1] Set #o640 permissions for log file of
 shepherd service in container.
Date: Tue, 30 Aug 2022 00:45:33 +0530
Hi Maxime,

> There is a small window during which the log file has overly-wide 
> permissions, which IIUC makes the log openable when it shouldn't, which 
> could later be exploited (after the daemon has been running for a while) 
> to extract anything secret written to the log by the service.

True, thanks for catching that!

> Try using (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) 
> #o600)) instead, that should make things atomic.

Done. An updated patch follows.

> I do not know if clearing the log file is desired -- if so, remove 
> O_APPEND, if not, keep O_APPEND.

I don't think clearing the log file is desired. Append is good, I
think. Users wouldn't want their log files overwritten every time their
system is restarted.

Regards,
Arun




Information forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Mon, 29 Aug 2022 19:16:02 GMT)

Message #17 received at 57363 <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Maxime Devos <maximedevos <at> telenet.be>,
 Arun Isaac <arunisaac <at> systemreboot.net>, 57363 <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH v2] shepherd: Set #o640 permissions for log file of service in
 container.
Date: Tue, 30 Aug 2022 00:45:47 +0530
* gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
permissions for log file.
---
 gnu/build/shepherd.scm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gnu/build/shepherd.scm b/gnu/build/shepherd.scm
index f4caefce3c..9d9bfcfbc0 100644
--- a/gnu/build/shepherd.scm
+++ b/gnu/build/shepherd.scm
@@ -2,6 +2,7 @@
 ;;; Copyright © 2017, 2018, 2019, 2020, 2022 Ludovic Courtès <ludo <at> gnu.org>
 ;;; Copyright © 2020 Mathieu Othacehe <othacehe <at> gnu.org>
 ;;; Copyright © 2022 Leo Nikkilä <hello <at> lnikki.la>
+;;; Copyright © 2022 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -186,7 +187,7 @@ (define mounts
     (when log-file
       ;; Create LOG-FILE so we can map it in the container.
       (unless (file-exists? log-file)
-        (call-with-output-file log-file (const #t))
+        (close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640))
         (when user
           (let ((pw (getpwnam user)))
             (chown log-file (passwd:uid pw) (passwd:gid pw))))))
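Review bot: the `(unless (file-exists? log-file) ...)` guard means a log file that already exists with the old #o644 mode (for instance one created by the previous code on an earlier boot) is never tightened; consider applying `chmod` to an existing file as well. Two smaller points on the new `(close (open log-file (logior O_CREAT O_APPEND O_CLOEXEC) #o640))` line: the #o640 is masked by the process umask, so the result can only be tighter than #o640, which is the intended direction; and with no access-mode flag given the descriptor is opened O_RDONLY (value 0), which still creates the file with O_CREAT and is harmless because it is closed immediately.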
-- 
2.37.1





Information forwarded to guix-patches <at> gnu.org:
bug#57363; Package guix-patches. (Fri, 02 Sep 2022 09:22:01 GMT)

Message #20 received at 57363 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 57363 <at> debbugs.gnu.org, Maxime Devos <maximedevos <at> telenet.be>
Subject: Re: [PATCH v2] shepherd: Set #o640 permissions for log file of
 service in container.
Date: Fri, 02 Sep 2022 11:21:31 +0200
Hi,

Arun Isaac <arunisaac <at> systemreboot.net> skribis:

> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
> permissions for log file.

LGTM!

However, note that ‘make-forkexec-constructor/container’ is now
deprecated in favor of (guix least-authority); apparently PageKite and
Jami are the only real users left.

Thanks,
Ludo’.




Reply sent to Arun Isaac <arunisaac <at> systemreboot.net>:
You have taken responsibility. (Fri, 02 Sep 2022 11:21:02 GMT)

Notification sent to Arun Isaac <arunisaac <at> systemreboot.net>:
bug acknowledged by developer. (Fri, 02 Sep 2022 11:21:02 GMT)

Message #25 received at 57363-done <at> debbugs.gnu.org:

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 57363-done <at> debbugs.gnu.org, Maxime Devos <maximedevos <at> telenet.be>
Subject: Re: [PATCH v2] shepherd: Set #o640 permissions for log file of
 service in container.
Date: Fri, 02 Sep 2022 16:50:43 +0530
>> * gnu/build/shepherd.scm (make-forkexec-constructor/container): Set #o640
>> permissions for log file.
>
> LGTM!

Thanks, pushed!

> However, note that ‘make-forkexec-constructor/container’ is now
> deprecated in favor of (guix least-authority); apparently PageKite and
> Jami are the only real users left.

Ah, I didn't know. I've been making extensive use of
make-forkexec-constructor/container in guix-forge and all my
services. Time to switch!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 30 Sep 2022 11:24:09 GMT)
