Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
From: Xinglu Chen
To: bug-guix@gnu.org
Date: Sun, 06 Jun 2021 14:51:36 +0200

[ This was reported on the Nixpkgs bug tracker a few weeks ago ]

When doing something like

  (call-with-output-file FILE
    (lambda (port)
      (display SECRET port)))
  (chmod FILE #o400)

an unprivileged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.

One solution to this problem would be to use

  (mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)

Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets
From: Maxime Devos
To: Xinglu Chen, 48872@debbugs.gnu.org
Date: Tue, 08 Jun 2021 10:55:57 +0200

Xinglu Chen wrote on Sun 06-06-2021 at 14:51 [+0200]:
> [ This was reported on the Nixpkgs bug tracker a few weeks ago
> ]
>
> When doing something like
>
> (call-with-output-file FILE
>   (lambda (port)
>     (display SECRET port)))
> (chmod FILE #o400)
>
> an unprivileged user could open FILE before FILE had been chmod’ed, and
> then read the contents of FILE.
>
> One solution to this problem would be to use
>
> (mkdir (dirname FILE) #o400)
>
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

(call-with-output-file* FILE
  (lambda (port)
    (display SECRET port))
  #:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.

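An added example (not code from the bug report or from Guix) of the call-with-output-file* procedure Maxime sketches, which closes the create-then-chmod window from the first message: the mode goes to open(2) together with O_CREAT, so the file never exists with permissions wider than the requested ones. It assumes Guile's core `open`, `logior`, `O_EXCL` and `stat:perms`, and the path /tmp/example-secret is a constructed placeholder, not a Guix service path.

```scheme
(use-modules (ice-9 optargs))   ; define* with #:key (core in Guile 2+)

;; Variant of call-with-output-file with a #:perms argument.  Because the
;; mode is handed to open(2) at creation time, there is no moment at which
;; the file is readable by others (the kernel still applies the umask, which
;; cannot widen the mode).  O_EXCL makes open fail instead of silently
;; writing into a path that already exists, so a pre-existing file or
;; symlink at FILE is reported rather than written through.
(define* (call-with-output-file* file proc #:key (perms #o400))
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (dynamic-wind
      (const #t)
      (lambda () (proc port))
      (lambda () (close-port port)))))

;; Usage with a constructed secret and an assumed scratch path.
(define secret-file "/tmp/example-secret")   ; placeholder, not a Guix path

;; Remove a leftover from a previous run so that O_EXCL can succeed; a
;; service that legitimately rewrites its secret would do the same.
(when (file-exists? secret-file)
  (delete-file secret-file))

(call-with-output-file* secret-file
  (lambda (port)
    (display "not-a-real-secret\n" port))
  #:perms #o400)

;; Check: the file is already mode 0400, with no separate chmod step.
(unless (= (stat:perms (stat secret-file)) #o400)
  (error "unexpected permissions on" secret-file))
```

Note that Maxime's sketch uses bitwise-ior, which is the SRFI-60/R6RS name; in plain Guile the core procedure is logior, as used here.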
From: Xinglu Chen
To: Maxime Devos, 48872@debbugs.gnu.org
Date: Tue, 08 Jun 2021 16:42:43 +0200
Subject: bug#48872: Guix services: ‘chmod’ leaves opportunity to leak secrets

On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen wrote on Sun 06-06-2021 at 14:51 [+0200]:
>> [ This was reported on the Nixpkgs bug tracker a few weeks ago
>> ]
>>
>> When doing something like
>>
>> (call-with-output-file FILE
>>   (lambda (port)
>>     (display SECRET port)))
>> (chmod FILE #o400)
>>
>> an unprivileged user could open FILE before FILE had been chmod’ed, and
>> then read the contents of FILE.
>>
>> One solution to this problem would be to use
>>
>> (mkdir (dirname FILE) #o400)
>>
>> before writing SECRET to FILE.
>
> Alternatively, a variant of call-with-output-file
> could be defined that has a #:perms argument.
>
> This new procedure, let's call it call-with-output-file*,
> could create a file with the right permissions with
> (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
> or something like that.
>
> Then the vulnerable code above would become ...
>
> (call-with-output-file* FILE
>   (lambda (port)
>     (display SECRET port))
>   #:perms #o400)
>
> This seems a bit easier in usage to me!
> No need to worry if changing the permissions of the parent
> directory would break anything this way.

Indeed, this sounds like a better approach!