GNU bug report logs - #18477
Bug#758971: byte-compiled files have wrong permissions


Package: guile;

Reported by: Rob Browning <rlb <at> defaultvalue.org>

Date: Sun, 14 Sep 2014 21:35:02 UTC

Severity: important

Done: Andy Wingo <wingo <at> pobox.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guile <at> gnu.org:
bug#18477; Package guile. (Sun, 14 Sep 2014 21:35:02 GMT)

Acknowledgement sent to Rob Browning <rlb <at> defaultvalue.org>:
New bug report received and forwarded. Copy sent to bug-guile <at> gnu.org. (Sun, 14 Sep 2014 21:35:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Rob Browning <rlb <at> defaultvalue.org>
To: bug-guile <at> gnu.org
Cc: 758971 <at> bugs.debian.org, 758971-forwarded <at> bugs.debian.org,
 Rand Peters <rwpeters <at> yandex.com>
Subject: Re: Bug#758971: byte-compiled files have wrong permissions
Date: Sun, 14 Sep 2014 16:33:47 -0500
[If possible, please preserve the -forwarded address in any replies.]

I suspect this should be fixed, if it hasn't been already.

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971

Thanks

Rand Peters <rwpeters <at> yandex.com> writes:

> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript             # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
>   (display "this program contains an embedded secret")
>   (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;;       or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]

-- 
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4




Severity set to 'important' from 'normal' Request was from Mark H Weaver <mhw <at> netris.org> to control <at> debbugs.gnu.org. (Wed, 01 Oct 2014 23:25:04 GMT)

Information forwarded to bug-guile <at> gnu.org:
bug#18477; Package guile. (Wed, 10 Feb 2016 01:40:01 GMT)

Message #10 received at 18477 <at> debbugs.gnu.org:

From: Matt Wette <matthew.wette <at> verizon.net>
To: 18477 <at> debbugs.gnu.org
Subject: byte-compiled files have wrong permissions
Date: Tue, 09 Feb 2016 17:39:14 -0800
Comment:

Does a fix of this bug imply that permissions on each directory in the trail to compiled files should reflect the permissions on the trail to the source file?
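An added example, written for this page and not taken from Guile or from any message in the thread, showing the two things a practitioner would want after reading the report and the directory question above: an audit that walks a compile cache laid out as the report's output shows (<ccache>/<ABI dir>/<absolute source path>.go) and flags compiled files carrying permission bits their source lacks, and a writer that creates the compiled file with the source's permission bits and no world-readable window, creating cache directories 0700 as one answer to the directory question. The cache-layout mapping, the function names and the temp-dir scenario in demo() are this example's own assumptions; the thread only shows the single path printed above.

```python
"""Audit a Guile-style compile cache for outputs that are more readable
than their sources, and write a compiled file so it inherits the source's
mode.

Added example, not Guile's code.  Assumed layout, taken from the one path
the report prints: <ccache>/<abi-dir>/<absolute source path>.go, e.g.
~/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go for /home/rwp/myscript.
"""
import os
import stat
import tempfile

PERM_MASK = 0o777  # rwx bits for user/group/other; setuid/sticky ignored


def cache_path_to_source(cache_file, ccache_root):
    """Map <ccache_root>/<abi>/<abs path>.go back to <abs path>.

    Returns None for anything that is not a .go file below one ABI directory.
    """
    rel = os.path.relpath(cache_file, ccache_root)
    parts = rel.split(os.sep)
    if len(parts) < 2 or parts[0] in (".", "..") or not parts[-1].endswith(".go"):
        return None
    # parts[0] is the ABI directory (2.0-LE-4-2.0 in the report); the rest is
    # the absolute source path with ".go" appended to the file name.
    src = os.sep + os.path.join(*parts[1:])
    return src[: -len(".go")]


def extra_permissions(source_mode, compiled_mode):
    """Permission bits set on the compiled file but not on the source."""
    return (compiled_mode & ~source_mode) & PERM_MASK


def audit_cache(ccache_root):
    """Return (compiled, source, extra_bits) for every compiled file that is
    more permissive than its source.  Sources that no longer exist are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(ccache_root):
        for name in files:
            compiled = os.path.join(dirpath, name)
            source = cache_path_to_source(compiled, ccache_root)
            if source is None or not os.path.isfile(source):
                continue
            extra = extra_permissions(os.stat(source).st_mode,
                                      os.stat(compiled).st_mode)
            if extra:
                findings.append((compiled, source, extra))
    return findings


def write_like_source(source, compiled, data):
    """Write `data` to `compiled` with exactly the source's permission bits.

    mkstemp creates the temp file 0600 regardless of umask, so there is no
    window in which the bytes are readable by others; the file is then
    fchmod'ed to the source's bits and renamed into place.  Parent cache
    directories are created 0700 (subject to umask): the cache belongs to one
    user, so keeping it private costs nothing.  That is this example's choice,
    not Guile's.
    """
    src_bits = stat.S_IMODE(os.stat(source).st_mode) & PERM_MASK
    parent = os.path.dirname(compiled)
    os.makedirs(parent, mode=0o700, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=parent, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fchmod(f.fileno(), src_bits)
        os.replace(tmp, compiled)
    except BaseException:
        os.unlink(tmp)
        raise
    return src_bits


def demo():
    """Constructed scenario (not a real cache): a 0700 script, a 0644 cached
    copy as in the report, then the fixed writer.  Returns values to check."""
    root = tempfile.mkdtemp()
    ccache = os.path.join(root, "ccache")
    source = os.path.join(root, "home", "rwp", "myscript")
    os.makedirs(os.path.dirname(source))
    with open(source, "w") as f:
        f.write('(define secret-password "DEADBEEFDEADBEEF")\n')
    os.chmod(source, 0o700)
    # What the report describes: output mode taken from umask, here 0644.
    bad = os.path.join(ccache, "2.0-LE-4-2.0", source.lstrip(os.sep) + ".go")
    os.makedirs(os.path.dirname(bad))
    with open(bad, "wb") as f:
        f.write(b"compiled bytes")
    os.chmod(bad, 0o644)
    before = audit_cache(ccache)
    mode = write_like_source(source, bad, b"compiled bytes")
    return {
        "mapped": cache_path_to_source(bad, ccache) == source,
        "before": [(os.path.basename(c), e) for c, _s, e in before],
        "after": audit_cache(ccache),
        "mode": mode,
        "final_mode": stat.S_IMODE(os.stat(bad).st_mode),
    }
```

Running audit_cache() against ~/.cache/guile/ccache on a 2.0.11 system lists every cached file that leaked bits relative to its source; the 0o044 in the demo is exactly the "-rw-r--r--" the report shows against a 0700 script. write_like_source() copies the source's bits verbatim, including execute bits, which is what the report asks for; a stricter policy would be to clear execute bits on the output, but that is a choice this example does not make.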





Reply sent to Andy Wingo <wingo <at> pobox.com>:
You have taken responsibility. (Tue, 21 Jun 2016 16:07:02 GMT)

Notification sent to Rob Browning <rlb <at> defaultvalue.org>:
bug acknowledged by developer. (Tue, 21 Jun 2016 16:07:03 GMT)

Message #15 received at 18477-done <at> debbugs.gnu.org:

From: Andy Wingo <wingo <at> pobox.com>
To: Rob Browning <rlb <at> defaultvalue.org>
Cc: 18477-done <at> debbugs.gnu.org, 758971 <at> bugs.debian.org,
 758971-forwarded <at> bugs.debian.org, Rand Peters <rwpeters <at> yandex.com>
Subject: Re: bug#18477: Bug#758971: byte-compiled files have wrong permissions
Date: Tue, 21 Jun 2016 18:06:00 +0200
Fixed in 2.0 and the 2.2 prerelease.  Thanks!

Andy

On Sun 14 Sep 2014 23:33, Rob Browning <rlb <at> defaultvalue.org> writes:

> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <rwpeters <at> yandex.com> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript             # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>>   (display "this program contains an embedded secret")
>>   (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;;       or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Jul 2016 11:24:05 GMT)

This bug report was last modified 7 years and 275 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.