GNU bug report logs -
#18477
Bug#758971: byte-compiled files have wrong permissions
Message #15 received at 18477-done <at> debbugs.gnu.org (full text, mbox):
Fixed in 2.0 and the 2.2 prerelease. Thanks!
Andy
On Sun 14 Sep 2014 23:33, Rob Browning <rlb <at> defaultvalue.org> writes:
> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <rwpeters <at> yandex.com> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>>   (display "this program contains an embedded secret")
>>   (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;; or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
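The report above turns on one detail: the cache file is created with the default mode and the umask, so the bits it ends up with have nothing to do with the source file. The following added example (written for this page; not Guile's code and not from either reporter) reproduces that in a scratch directory, shows the corrected pattern of creating the cache file with the source's own mode and pinning it with fchmod(), and includes an audit that walks a ccache version directory and flags compiled files that grant bits their source does not. The mapping from cache path back to source path (`<version_dir>/home/rwp/myscript.go` to `/home/rwp/myscript`) is inferred from the paths in the report; the `fs_root` parameter exists only so the audit can be exercised against a temporary tree instead of the real root.

```python
import os
import shutil
import stat
import tempfile


def source_mode(path):
    """Permission bits of a file, the bits a compiled copy should inherit."""
    return stat.S_IMODE(os.stat(path).st_mode)


def overexposed_bits(src, cache):
    """Permission bits set on the cache file but absent on the source (0 if none)."""
    return source_mode(cache) & ~source_mode(src) & 0o777


def write_cache_like_umask(dst, data):
    """The pattern the bug describes: open() creates the file as 0666 masked by
    the umask, so a 0700 source yields a 0644 cache under the usual umask 022."""
    with open(dst, "wb") as f:
        f.write(data)


def write_cache_matching_source(src, dst, data):
    """Hardened pattern: create the cache file with the source's mode, then
    fchmod() it, because os.open() still applies the umask to the mode given."""
    mode = source_mode(src)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.fchmod(fd, mode)  # pins the exact bits regardless of umask
        os.write(fd, data)
    finally:
        os.close(fd)


def audit_ccache(version_dir, fs_root="/"):
    """Walk one ccache version directory and return (cache, source, extra_bits)
    for every compiled file more permissive than its source. The cache mirrors
    the absolute source path plus ".go" (inferred from the report's paths);
    fs_root is an assumption added so tests can point at a scratch tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(version_dir):
        for name in files:
            if not name.endswith(".go"):
                continue
            cache = os.path.join(dirpath, name)
            rel = os.path.relpath(cache, version_dir)[:-len(".go")]
            src = os.path.join(fs_root, rel)
            if not os.path.isfile(src):
                continue  # source gone; nothing to compare against
            extra = overexposed_bits(src, cache)
            if extra:
                findings.append((cache, src, extra))
    return findings


def demo():
    """Reproduce the report in a temp directory with a 0700 source and umask 022.
    Returns the observed modes plus the extra bits found by the audit."""
    old_umask = os.umask(0o022)
    tmp = tempfile.mkdtemp()
    try:
        # Constructed stand-ins for /home/rwp/myscript and the ccache tree.
        fs_root = os.path.join(tmp, "fsroot")
        cache_dir = os.path.join(tmp, "ccache", "2.0-LE-4-2.0")
        os.makedirs(os.path.join(fs_root, "home", "rwp"))
        os.makedirs(os.path.join(cache_dir, "home", "rwp"))
        src = os.path.join(fs_root, "home", "rwp", "myscript")
        with open(src, "w") as f:
            f.write('(define secret-password "placeholder-not-a-real-secret")\n')
        os.chmod(src, 0o700)

        data = b"constructed stand-in for compiled bytecode"
        bad = os.path.join(cache_dir, "home", "rwp", "myscript.go")
        good = os.path.join(tmp, "myscript.fixed.go")
        write_cache_like_umask(bad, data)
        write_cache_matching_source(src, good, data)

        return {
            "source": source_mode(src),
            "umask_cache": source_mode(bad),
            "fixed_cache": source_mode(good),
            "leaked_bits": overexposed_bits(src, bad),
            "audit": [extra for _c, _s, extra in audit_ccache(cache_dir, fs_root)],
        }
    finally:
        os.umask(old_umask)
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if isinstance(value, list) else oct(value))
```

Two caveats worth keeping in mind when applying the corrected pattern: fchmod() after creation is what makes the mode authoritative, since the mode argument to open() is always masked, and an audit that only compares modes cannot tell whether a world-readable cache file was already read before it was tightened, so a finding is a cue to rotate whatever the source embeds, not just to chmod the cache.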
This bug report was last modified 9 years and 29 days ago.