GNU bug report logs - #18477
Bug#758971: byte-compiled files have wrong permissions
Report forwarded to bug-guile <at> gnu.org: bug#18477; Package guile. (Sun, 14 Sep 2014 21:35:02 GMT)
Acknowledgement sent to Rob Browning <rlb <at> defaultvalue.org>: New bug report received and forwarded. Copy sent to bug-guile <at> gnu.org. (Sun, 14 Sep 2014 21:35:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
[If possible, please preserve the -forwarded address in any replies.]
I suspect this should be fixed, if it hasn't been already.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
Thanks
Rand Peters <rwpeters <at> yandex.com> writes:
> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
>   (display "this program contains an embedded secret")
>   (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;; or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
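As an added illustration (not part of the bug report or of Guile's code): a Python audit that walks a ccache tree laid out as the report shows (ccache/<version>/<absolute source path>.go), flags .go files whose group/other permission bits exceed those of the source they were compiled from, and writes an output file the way the requested fix requires, copying the source's mode bits without letting the umask filter them. The version directory name 2.0-LE-4-2.0 is taken from the report; the temp-directory scenario in demo() is constructed.

```python
# Constructed example for bug#18477 (not Guile code); cache layout taken from the report.
import os
import stat
import tempfile
from pathlib import Path

def mode_of(path): return stat.S_IMODE(os.stat(path).st_mode)  # permission bits only

def source_for(cache_root, go_path):
    """Map ccache/<version>/<abs source path>.go back to the source file."""
    parts = os.path.relpath(go_path, cache_root).split(os.sep)
    if len(parts) < 2 or not parts[-1].endswith(".go"):
        return None  # not a mirrored source path
    return os.sep + os.path.join(*parts[1:])[:-3]

def leaky_cache_files(cache_root):
    """(cache file, source) pairs whose group/other bits exceed the source's."""
    leaks = []
    for dirpath, _, names in os.walk(cache_root):
        for name in names:
            go_path = os.path.join(dirpath, name)
            src = source_for(cache_root, go_path)
            if src is None or not os.path.isfile(src):
                continue  # unknown layout or source gone; nothing to compare
            # bits set on the cache file but not on the source, group/other only
            if (mode_of(go_path) & ~mode_of(src)) & (stat.S_IRWXG | stat.S_IRWXO):
                leaks.append((go_path, src))
    return leaks

def write_like_source(src, dst, data):
    """Create dst with the source's mode bits; umask filters os.open's mode."""
    mode = mode_of(src)
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.fchmod(fd, mode)  # apply the exact mode regardless of umask
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    """Rebuild the report's scenario in a temp dir; return (leak count, fixed mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, fixed = tmp + "/myscript", tmp + "/myscript.go"
        Path(src).write_text('(define secret-password "DEADBEEFDEADBEEF")\n')
        os.chmod(src, 0o700)                    # source readable only by owner
        cache_root = tmp + "/ccache"
        buggy = Path(f"{cache_root}/2.0-LE-4-2.0{src}.go")
        buggy.parent.mkdir(parents=True)
        buggy.write_bytes(b"DEADBEEFDEADBEEF")  # secret copied into the cache
        buggy.chmod(0o644)                      # world-readable, as reported
        leaks = leaky_cache_files(cache_root)
        write_like_source(src, fixed, b"DEADBEEFDEADBEEF")
        return len(leaks), mode_of(fixed)
```

demo() reports one leaky cache file and a corrected copy with mode 0700; run leaky_cache_files() against a real ~/.cache/guile/ccache to audit an existing cache.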
Severity set to 'important' from 'normal'. Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Wed, 01 Oct 2014 23:25:04 GMT)
Information forwarded to bug-guile <at> gnu.org: bug#18477; Package guile. (Wed, 10 Feb 2016 01:40:01 GMT)
Message #10 received at 18477 <at> debbugs.gnu.org:
Comment:
Does a fix of this bug imply that permissions on each directory in the trail to compiled files should reflect the permissions on the trail to the source file?
Reply sent to Andy Wingo <wingo <at> pobox.com>: You have taken responsibility. (Tue, 21 Jun 2016 16:07:02 GMT)
Notification sent to Rob Browning <rlb <at> defaultvalue.org>: bug acknowledged by developer. (Tue, 21 Jun 2016 16:07:03 GMT)
Message #15 received at 18477-done <at> debbugs.gnu.org:
Fixed in 2.0 and the 2.2 prerelease. Thanks!
Andy
On Sun 14 Sep 2014 23:33, Rob Browning <rlb <at> defaultvalue.org> writes:
> [Message #5 quoted in full; see above.]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Jul 2016 11:24:05 GMT)
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.