GNU bug report logs - #57365
[PATCH] gnu: guile-smc: Update to 0.5.0


Package: guix-patches;

Reported by: "Artyom V. Poptsov" <poptsov.artyom <at> gmail.com>

Date: Tue, 23 Aug 2022 18:46:01 UTC

Severity: normal

Tags: patch

Done: Mathieu Othacehe <othacehe <at> gnu.org>

Bug is archived. No further changes may be made.


From: Maxime Devos <maximedevos <at> telenet.be>
To: Mathieu Othacehe <othacehe <at> gnu.org>, "Artyom V. Poptsov" <poptsov.artyom <at> gmail.com>
Cc: 57365 <at> debbugs.gnu.org
Subject: [bug#57365] [PATCH] gnu: guile-smc: Update to 0.5.0
Date: Sat, 27 Aug 2022 09:54:47 +0200
On 26-08-2022 15:34, Mathieu Othacehe wrote:
> +               (("\\(add-handler! %logger %syslog\\)")
> +                (string-append
> +                 "(add-handler! %logger\n"
> +                 "              (make <port-log/us>\n"
> +                 "                    #:port (open-file \"/tmp/smc.log\" \"a+\")))\n")))))
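
Review bot: the replacement string hard-codes `/tmp/smc.log` and opens it with `open-file` in "a+" mode, so the logger appends to whatever already exists under that fixed name in a shared directory, including the target of a symlink placed there beforehand. If this substitution ends up in the installed module and not only in the test run, pass `#:port` something that needs no file in a world-writable directory, such as the current error port, or a file under a directory only the calling user can write to. A comment in the package definition saying why the syslog handler is replaced would also help the next reader.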

When is this /tmp/smc.log used? When compiling guile-smc or when running 
guile-smc?

If the latter, an attacker on a multi-user system could use it to make 
you append to files the attacker ordinarily doesn't have access to -- 
consider guile-smc being in a process as root and the attacker creating 
/tmp/smc.log as a symlink to /etc/passwd first; depending on what was 
logged, there is now an additional entry in there or it's corrupted, 
preventing booting.

> Guile-SMC tries to log to the syslog by default but it seems that this
> option is not working in Guix, so we need another way to log the
> messages.  Or it may be that I just overlooked something.
I do think it works, at least there are plenty of mentions of 'syslog' 
in the Guix repository. However, possibly the build container forbids 
access (unverified), maybe for running tests you need a different logger.

Greetings,
Maxime.
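
The symlink concern raised in the message above, as an added example that is not part of the original thread or of Guile-SMC: a plain append-mode open next to one that refuses a symlink and checks the file it actually opened. It is written in Python rather than Guile; `open_log_naive`, `open_log_hardened` and `demo` are hypothetical names, and the temporary directory and file contents are constructed stand-ins for /tmp and the target file.

```python
import errno
import os
import stat
import tempfile


def open_log_naive(path):
    # Same behaviour as (open-file path "a+"): a symlink at path is followed.
    return open(path, "a+")


def open_log_hardened(path):
    # O_NOFOLLOW makes open() fail if the final path component is a symlink.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)  # inspect the file actually opened, not the path
        ok = stat.S_ISREG(st.st_mode) and st.st_uid == os.geteuid() and st.st_nlink == 1
        if not ok:
            raise PermissionError(errno.EPERM, "unexpected type, owner or link count", path)
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")


def demo():
    # Constructed scenario: a private directory stands in for /tmp and
    # "victim" stands in for a file the logging process can write to.
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim")
        log = os.path.join(shared, "smc.log")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, log)  # pre-existing symlink at the log path
        with open_log_naive(log) as f:
            f.write("log entry\n")
        with open(victim) as f:
            after_naive = f.read()
        try:
            open_log_hardened(log).close()
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.ELOOP, errno.EMLINK)
        with open(victim) as f:
            after_hardened = f.read()
        return after_naive, refused, after_hardened == after_naive
```

`O_NOFOLLOW` only covers the last path component, so the parent directory still has to be one that other users cannot write to; a log directory owned by the service avoids the problem without any of these checks.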


This bug report was last modified 2 years and 269 days ago.
