GNU bug report logs - #48872
Guix services: ‘chmod’ leaves opportunity to leak secrets


Package: guix;

Reported by: Xinglu Chen <public <at> yoctocell.xyz>

Date: Sun, 6 Jun 2021 12:52:01 UTC

Severity: normal


Report forwarded to bug-guix <at> gnu.org:
bug#48872; Package guix. (Sun, 06 Jun 2021 12:52:01 GMT)

Acknowledgement sent to Xinglu Chen <public <at> yoctocell.xyz>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 06 Jun 2021 12:52:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Xinglu Chen <public <at> yoctocell.xyz>
To: bug-guix <at> gnu.org
Subject: Guix services: ‘chmod’ leaves opportunity to leak secrets
Date: Sun, 06 Jun 2021 14:51:36 +0200
[  This was reported on the Nixpkgs bug tracker a few weeks ago
   <https://github.com/NixOS/nixpkgs/issues/121293>  ]

When doing something like

  (call-with-output-file FILE
    (lambda (port)
      (display SECRET port)))
  (chmod FILE #o400)

an unprivileged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.

One solution to this problem would be to use

  (mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)



Information forwarded to bug-guix <at> gnu.org:
bug#48872; Package guix. (Tue, 08 Jun 2021 08:57:02 GMT)

Message #8 received at 48872 <at> debbugs.gnu.org:

From: Maxime Devos <maximedevos <at> telenet.be>
To: Xinglu Chen <public <at> yoctocell.xyz>, 48872 <at> debbugs.gnu.org
Subject: Re: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
Date: Tue, 08 Jun 2021 10:55:57 +0200
Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
> [  This was reported on the Nixpkgs bug tracker a few weeks ago
>    <https://github.com/NixOS/nixpkgs/issues/121293>  ]
> 
> When doing something like
> 
>   (call-with-output-file FILE
>     (lambda (port)
>       (display SECRET port)))
>   (chmod FILE #o400)
> 
> an unprivileged user could open FILE before FILE had been chmod’ed, and
> then read the contents of FILE.
> 
> One solution to this problem would be to use
> 
>   (mkdir (dirname FILE) #o400)
> 
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

  (call-with-output-file* FILE
    (lambda (port)
      (display SECRET port))
    #:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.
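
As an added example (not code from the bug report or from Guix itself): a minimal Guile definition of the call-with-output-file* that Maxime sketches, which hands the mode to open(2) in the same call that creates the file, so the file never exists with a wider mode than requested and there is no create-then-chmod window. The #:perms keyword follows the message; the O_EXCL flag, the mode check and the temporary path used to exercise it are this example's own assumptions.

```scheme
;; Added example, not from the bug report or Guix.  A call-with-output-file*
;; that takes #:perms, as proposed in the thread; O_EXCL is an assumption.
(use-modules (ice-9 optargs))   ; define* with #:key arguments

(define* (call-with-output-file* file proc #:key (perms #o666))
  "Call PROC with an output port on FILE.  FILE is created by a single
open(2) call with mode PERMS (still subject to the umask), so the file
never exists with a wider mode than PERMS, unlike create-then-chmod."
  ;; O_EXCL makes the call fail if FILE already exists, rather than
  ;; writing the secret into an old file (or symlink target) whose
  ;; mode open(2) would leave untouched.
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (dynamic-wind
      (const #t)
      (lambda () (proc port))
      (lambda () (close-port port)))))

(define (file-mode-is? file expected)
  "Return #t when FILE's permission bits are exactly EXPECTED."
  (= (stat:perms (stat file)) expected))

;; Exercise it on a constructed path (placeholder, not a Guix service file).
(let ((file (string-append (or (getenv "TMPDIR") "/tmp")
                           "/call-with-output-file-star-demo-"
                           (number->string (getpid))))
      (secret "constructed-secret-value"))
  (call-with-output-file* file
    (lambda (port) (display secret port))
    #:perms #o400)
  (unless (file-mode-is? file #o400)
    (error "unexpected mode on" file))
  (delete-file file))
```

Because open(2) only applies the mode when it creates the file, a service that regenerates an existing secret should remove the old file first (or rely on the O_EXCL failure) rather than expect #:perms to tighten it.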

Information forwarded to bug-guix <at> gnu.org:
bug#48872; Package guix. (Tue, 08 Jun 2021 14:44:02 GMT)

Message #11 received at 48872 <at> debbugs.gnu.org:

From: Xinglu Chen <public <at> yoctocell.xyz>
To: Maxime Devos <maximedevos <at> telenet.be>, 48872 <at> debbugs.gnu.org
Subject: Re: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
Date: Tue, 08 Jun 2021 16:42:43 +0200
On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
>> [  This was reported on the Nixpkgs bug tracker a few weeks ago
>>    <https://github.com/NixOS/nixpkgs/issues/121293>  ]
>> 
>> When doing something like
>> 
>>   (call-with-output-file FILE
>>     (lambda (port)
>>       (display SECRET port)))
>>   (chmod FILE #o400)
>> 
>> an unprivileged user could open FILE before FILE had been chmod’ed, and
>> then read the contents of FILE.
>> 
>> One solution to this problem would be to use
>> 
>>   (mkdir (dirname FILE) #o400)
>> 
>> before writing SECRET to FILE.
>
> Alternatively, a variant of call-with-output-file
> could be defined that has a #:perms argument.
>
> This new procedure, let's call it call-with-output-file*,
> could create a file with the right permissions with
> (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
> or something like that.
>
> Then the vulnerable code above would become ...
>
>   (call-with-output-file* FILE
>     (lambda (port)
>       (display SECRET port))
>     #:perms #o400)
>
> This seems a bit easier in usage to me!
> No need to worry if changing the permissions of the parent
> directory would break anything this way.

Indeed, this sounds like a better approach!
