[debbugs-tracker] bug#18477: closed (Bug#758971: byte-compiled files have wrong permissions)

[GNU bug Tracking System]

Your message dated Tue, 21 Jun 2016 18:06:00 +0200
with message-id <address@hidden>
and subject line Re: bug#18477: Bug#758971: byte-compiled files have wrong 
permissions
has caused the debbugs.gnu.org bug report #18477,
regarding Bug#758971: byte-compiled files have wrong permissions
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
18477: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=18477
GNU Bug Tracking System
Contact address@hidden with problems
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: Bug#758971: byte-compiled files have wrong permissions
>
>
>
>
> Date: 
>
> Sun, 14 Sep 2014 16:33:47 -0500
>
>
>
>
> User-agent: 
>
> Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu)
>
>
>
>
> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <address@hidden> writes:
>
> > Package: guile-2.0
> > Version: 2.0.11+1-1
> > Tags: security
> >
> > Guile automatically byte-compiles programs when they are run, and
> > places the byte-compiled file in a subdirectory of
> > $HOME/.cache/guile/.
> >
> > However, the permissions of the byte-compiled file are derived from
> > umask rather than the permissions of the source file. This means that
> > sensitive data (e.g. a hard-coded password) contained in a source file
> > with restrictive permissions will be copied into a byte-compiled file
> > that may be world-readable.
> >
> > Guile should ensure that the permissions of byte-compiled files match
> > those of the source.
> >
> > Example:
> >
> > $ touch myscript
> >
> > $ chmod 700 myscript             # source file readable only to owner
> >
> > $ cat >> myscript <<'EOF'
> > #!/usr/bin/guile \
> > -e main -s
> > !#
> >
> > (define secret-password "DEADBEEFDEADBEEF")
> >
> > (define (main args)
> >   (display "this program contains an embedded secret")
> >   (newline))
> > EOF
> >
> > $ ./myscript
> > ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> > ;;;       or pass the --no-auto-compile argument to disable.
> > ;;; compiling /home/rwp/./myscript
> > ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> > this program contains an embedded secret
> >
> > $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> > -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
> >
> > # ^^ Note that the byte-compiled file is world-readable
> >
> > $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> > [...]
> > DEADBEEFDEADBEEF
> > secret-password
> > [...]
>
> -- 
> Rob Browning
> rlb @defaultvalue.org and @debian.org
> GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
> GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
>
>
>
> --- End Message ---
> --- Begin Message ---
>
>
>
> Subject: 
>
> Re: bug#18477: Bug#758971: byte-compiled files have wrong permissions
>
>
>
>
> Date: 
>
> Tue, 21 Jun 2016 18:06:00 +0200
>
>
>
>
> User-agent: 
>
> Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
>
>
>
>
> Fixed in 2.0 and the 2.2 prerelease.  Thanks!
>
> Andy
>
> On Sun 14 Sep 2014 23:33, Rob Browning <address@hidden> writes:
>
> > [If possible, please preserve the -forwarded address in any replies.]
> >
> > I suspect this should be fixed, if it hasn't been already.
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
> >
> > Thanks
> >
> > Rand Peters <address@hidden> writes:
> >
> >> Package: guile-2.0
> >> Version: 2.0.11+1-1
> >> Tags: security
> >>
> >> Guile automatically byte-compiles programs when they are run, and
> >> places the byte-compiled file in a subdirectory of
> >> $HOME/.cache/guile/.
> >>
> >> However, the permissions of the byte-compiled file are derived from
> >> umask rather than the permissions of the source file. This means that
> >> sensitive data (e.g. a hard-coded password) contained in a source file
> >> with restrictive permissions will be copied into a byte-compiled file
> >> that may be world-readable.
> >>
> >> Guile should ensure that the permissions of byte-compiled files match
> >> those of the source.
> >>
> >> Example:
> >>
> >> $ touch myscript
> >>
> >> $ chmod 700 myscript             # source file readable only to owner
> >>
> >> $ cat >> myscript <<'EOF'
> >> #!/usr/bin/guile \
> >> -e main -s
> >> !#
> >>
> >> (define secret-password "DEADBEEFDEADBEEF")
> >>
> >> (define (main args)
> >>   (display "this program contains an embedded secret")
> >>   (newline))
> >> EOF
> >>
> >> $ ./myscript
> >> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> >> ;;;       or pass the --no-auto-compile argument to disable.
> >> ;;; compiling /home/rwp/./myscript
> >> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> >> this program contains an embedded secret
> >>
> >> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> >> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
> >>
> >> # ^^ Note that the byte-compiled file is world-readable
> >>
> >> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> >> [...]
> >> DEADBEEFDEADBEEF
> >> secret-password
> >> [...]
>
>
> --- End Message ---