GNU bug report logs - #48872
Guix services: ‘chmod’ leaves opportunity to leak secrets

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Package: guix; Reported by: Xinglu Chen <public@HIDDEN>; dated Sun, 6 Jun 2021 12:52:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 48872 <at> debbugs.gnu.org:


Received: (at 48872) by debbugs.gnu.org; 8 Jun 2021 08:56:59 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Jun 08 04:56:59 2021
Received: from localhost ([127.0.0.1]:57374 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lqXXe-00046N-Uq
	for submit <at> debbugs.gnu.org; Tue, 08 Jun 2021 04:56:59 -0400
Received: from baptiste.telenet-ops.be ([195.130.132.51]:42636)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maximedevos@HIDDEN>) id 1lqXXc-00046C-JK
 for 48872 <at> debbugs.gnu.org; Tue, 08 Jun 2021 04:56:57 -0400
Received: from ptr-bvsjgyjmffd7q9timvx.18120a2.ip6.access.telenet.be
 ([IPv6:2a02:1811:8c09:9d00:aaf1:9810:a0b8:a55d])
 by baptiste.telenet-ops.be with bizsmtp
 id EYwu2501X0mfAB401Ywuyi; Tue, 08 Jun 2021 10:56:55 +0200
Message-ID: <74f0e45af9ab426a5105452f191cffad337ca7ce.camel@HIDDEN>
Subject: Re: bug#48872: Guix services: =?UTF-8?Q?=E2=80=98chmod=E2=80=99?=
 leaves opportunity to leak secrets
From: Maxime Devos <maximedevos@HIDDEN>
To: Xinglu Chen <public@HIDDEN>, 48872 <at> debbugs.gnu.org
Date: Tue, 08 Jun 2021 10:55:57 +0200
In-Reply-To: <87y2bn5f6v.fsf@HIDDEN>
References: <87y2bn5f6v.fsf@HIDDEN>
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-h0c5os5Br/nYubEHOe9j"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telenet.be; s=r21;
 t=1623142615; bh=0bFQiKI9p5XSlJhmpW2YsCrScK6XFt69R79OSkHHJQs=;
 h=Subject:From:To:Date:In-Reply-To:References;
 b=u6FJ8RYCUSWft+6xak/YiTjtAMN4f7EVJ2Vm/QEghZ1sOHTX0YCUZx8vicejvHUgn
 7z+snA0W3WR+JyA0UT0DWAx6jFDvjUcS44sUSxqY5/z8FeM+mEUNkPyOLXDWMCDBk0
 UW8HR+R736NneslsdFYurK/JKsEuQE/VFXV1hWDXsgNDbMHHW53pDHGAAVGVAzOAaB
 5nJPck7jRIpymC4QHgqaraONNMB7qvWCigBSD3uzCVUHl0nP7DBmeRdbHh7IifWbCG
 rZJE4p0GfK2vQ9xJcW36+vShjFyVJNUwYVEsWpZqPEVlHXtcXNoI2pdw/yTQtx1EYq
 OkhV9B47PGyVA==
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 48872
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)


--=-h0c5os5Br/nYubEHOe9j
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
> [  This was reported on the Nixpkgs bug tracker a few weeks ago
>    <https://github.com/NixOS/nixpkgs/issues/121293>  ]
>=20
> When doing something like
>=20
>   (call-with-output-file FILE
>     (lambda (port)
>       (display SECRET port)))
>   (chmod FILE #o400)
>=20
> an unpriviliged user could open FILE before FILE had been chmod=E2=80=99e=
d, and
> then read the contents of FILE.
>=20
> One solution to this problem would be to use
>=20
>   (mkdir (dirname FILE) #o400)
>=20
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

  (call-with-output-file* FILE
    (lambda (port)
      (display SECRET port))
    #:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.

--=-h0c5os5Br/nYubEHOe9j
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYL8woxccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7l6LAP9lvxXDTIy22StYXL4K5fIrEGpA
w1WNajUSoUbXzxfV3wD/Z+45+0ZgGs32klEU5w/WMU6Rc1b8l6UAO3eYcJMBhgE=
=JCiS
-----END PGP SIGNATURE-----

--=-h0c5os5Br/nYubEHOe9j--
Information forwarded to bug-guix@HIDDEN:
bug#48872; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 6 Jun 2021 12:51:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 06 08:51:46 2021
Received: from localhost ([127.0.0.1]:50953 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lpsFm-0005HE-GT
	for submit <at> debbugs.gnu.org; Sun, 06 Jun 2021 08:51:46 -0400
Received: from lists.gnu.org ([209.51.188.17]:46964)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <public@HIDDEN>) id 1lpsFk-0005H6-5u
 for submit <at> debbugs.gnu.org; Sun, 06 Jun 2021 08:51:44 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:35008)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <public@HIDDEN>)
 id 1lpsFj-000285-RV
 for bug-guix@HIDDEN; Sun, 06 Jun 2021 08:51:43 -0400
Received: from h87-96-130-155.cust.a3fiber.se ([87.96.130.155]:46894
 helo=mail.yoctocell.xyz)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <public@HIDDEN>)
 id 1lpsFh-0000Do-Lt
 for bug-guix@HIDDEN; Sun, 06 Jun 2021 08:51:43 -0400
From: Xinglu Chen <public@HIDDEN>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=yoctocell.xyz;
 s=mail; t=1622983897;
 bh=BSNpJyJCrstJ15+48uwihBFgwogEC5HueGq36XHQCPY=;
 h=From:To:Subject:Date;
 b=b8RDabciTJtrKKAPvPsqim3IU/ZpX3IyN270ia0FMd0iah0SsBa9JR9I8PfF/0og8
 w1tEi3xeXrpgBMdO0yfnJmFICxdQ0qE2bcjIevcIj9SnWtHzGIf10LzNFYwIm+fXlb
 EJ19Img1CMC+nneZAit4z8V32fvlaAuo60Ku9O3E=
To: bug-guix@HIDDEN
Subject: Guix services: =?utf-8?B?4oCYY2htb2TigJk=?= leaves opportunity to
 leak secrets
Date: Sun, 06 Jun 2021 14:51:36 +0200
Message-ID: <87y2bn5f6v.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha256; protocol="application/pgp-signature"
Received-SPF: pass client-ip=87.96.130.155; envelope-from=public@HIDDEN;
 helo=mail.yoctocell.xyz
X-Spam_score_int: 30
X-Spam_score: 3.0
X-Spam_bar: +++
X-Spam_report: (3.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_SUSPICIOUS_NTLD=0.499,
 FROM_SUSPICIOUS_NTLD_FP=1.591, PDS_OTHER_BAD_TLD=1.997, RDNS_DYNAMIC=0.982,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 2.7 (++)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  [ This was reported on the Nixpkgs bug tracker a few weeks
 ago <https://github.com/NixOS/nixpkgs/issues/121293> ] When doing something
 like (call-with-output-file FILE (lambda (port) (display SECRET port))) (chmod
 FILE #o400) 
 Content analysis details:   (2.7 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 2.0 PDS_OTHER_BAD_TLD      Untrustworthy TLDs
 [URI: yoctocell.xyz (xyz)]
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [209.51.188.17 listed in wl.mailspike.net]
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 0.5 FROM_SUSPICIOUS_NTLD   From abused NTLD
 -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 1.6 FROM_SUSPICIOUS_NTLD_FP From abused NTLD
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: 0.1 (/)

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

[  This was reported on the Nixpkgs bug tracker a few weeks ago
   <https://github.com/NixOS/nixpkgs/issues/121293>  ]

When doing something like

  (call-with-output-file FILE
    (lambda (port)
      (display SECRET port)))
  (chmod FILE #o400)

an unpriviliged user could open FILE before FILE had been chmod=E2=80=99ed,=
 and
then read the contents of FILE.

One solution to this problem would be to use

  (mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* =E2=80=98wireguard-service-type=E2=80=99 in (gnu services vpn)
* =E2=80=98patchwork-service-type=E2=80=99 in (gnu servicse web)



--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEAVhh4yyK5+SEykIzrPUJmaL7XHkFAmC8xNgVHHB1YmxpY0B5
b2N0b2NlbGwueHl6AAoJEKz1CZmi+1x5thAQAL3qpee3wHvYmFD9wL480xx6V3Xe
+4f7rNdr+6QgfwBpTZ3M2JNtLokNaDBVIAFnumSeCNTy7QrQgzbYbhrm9uh13nsy
h0LaT7/R9hYZ3rm4SaSmuAO0Gm/mhCl5jtmdQjDozi4SbBZa0bp87QioZcbUC7p2
hKiB7CTrCu5WHtPC55RfRxq4X+s6X6dBM4PEgw9C5b28mvw6KMe9rFNC1r2u3jIH
iXddPJxIZN9sjjBjO4EkRAtB5WGvfQLC+foPcnhNISvSKCtaonn4dQvgjeJ+0Qwc
CQ0CpU/rQYt1KSFPvcvH1CtUI7a3j/J63kKInGm/U9vh386yFnuX0J787Q91AUW4
ZfrIH0b5cYjLW40Ro8yNvjviFLj8x4FZFfD/D2P3AsbBvmBwukSr1VFHaGbEawu4
gNyUciMUtW2NFly9w9wGHm5qS/kog9VrS64G1dsTa4MGqJzwYv+SvXj/uzyyO6cq
vVPoT7VPeUUAjVUB08j08KmCVl/38xuBtHjr06B7DWMut+11TkqDga3iNLrdUaQS
H/N2002yErF1ZOeGfl74+iRDHMg/F92epHmOGlLEh1VAEWWjj4lvF5nz41uFGz0y
KSpx0ZrNPb+WABAUUj2EuQquxx22FeSgc4tZuKTrjJDd/nS+X6rheuL0cO0MvRnF
uWTrfD4wGuEapukq
=lgih
-----END PGP SIGNATURE-----
--=-=-=--
Acknowledgement sent to Xinglu Chen <public@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#48872; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Tue, 8 Jun 2021 09:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.