--- Begin Message ---
Subject: |
Re: Bug#758971: byte-compiled files have wrong permissions |
Date: |
Sun, 14 Sep 2014 16:33:47 -0500 |
User-agent: |
Notmuch/0.18.1 (http://notmuchmail.org) Emacs/24.3.1 (x86_64-pc-linux-gnu) |
[If possible, please preserve the -forwarded address in any replies.]
I suspect this should be fixed, if it hasn't been already.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
Thanks
Rand Peters <address@hidden> writes:
> Package: guile-2.0
> Version: 2.0.11+1-1
> Tags: security
>
> Guile automatically byte-compiles programs when they are run, and
> places the byte-compiled file in a subdirectory of
> $HOME/.cache/guile/.
>
> However, the permissions of the byte-compiled file are derived from
> umask rather than the permissions of the source file. This means that
> sensitive data (e.g. a hard-coded password) contained in a source file
> with restrictive permissions will be copied into a byte-compiled file
> that may be world-readable.
>
> Guile should ensure that the permissions of byte-compiled files match
> those of the source.
>
> Example:
>
> $ touch myscript
>
> $ chmod 700 myscript # source file readable only to owner
>
> $ cat >> myscript <<'EOF'
> #!/usr/bin/guile \
> -e main -s
> !#
>
> (define secret-password "DEADBEEFDEADBEEF")
>
> (define (main args)
> (display "this program contains an embedded secret")
> (newline))
> EOF
>
> $ ./myscript
> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
> ;;; or pass the --no-auto-compile argument to disable.
> ;;; compiling /home/rwp/./myscript
> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> this program contains an embedded secret
>
> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>
> # ^^ Note that the byte-compiled file is world-readable
>
> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
> [...]
> DEADBEEFDEADBEEF
> secret-password
> [...]
--
Rob Browning
rlb @defaultvalue.org and @debian.org
GPG as of 2011-07-10 E6A9 DA3C C9FD 1FF8 C676 D2C4 C0F0 39E9 ED1B 597A
GPG as of 2002-11-03 14DD 432F AE39 534D B592 F9A0 25C8 D377 8C7E 73A4
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#18477: Bug#758971: byte-compiled files have wrong permissions |
Date: |
Tue, 21 Jun 2016 18:06:00 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux) |
Fixed in 2.0 and the 2.2 prerelease. Thanks!
Andy
On Sun 14 Sep 2014 23:33, Rob Browning <address@hidden> writes:
> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <address@hidden> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>> (display "this program contains an embedded secret")
>> (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;; or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
--- End Message ---