Guix services: ‘chmod’ leaves opportunity to leak secrets

  • Open
Details
2 participants
  • Maxime Devos
  • Xinglu Chen
Owner
unassigned
Submitted by
Xinglu Chen
Severity
normal
Xinglu Chen wrote on 6 Jun 2021 14:51
(address . bug-guix@gnu.org)
87y2bn5f6v.fsf@yoctocell.xyz
[ This was reported on the Nixpkgs bug tracker a few weeks ago
<https://github.com/NixOS/nixpkgs/issues/121293> ]

When doing something like

(call-with-output-file FILE
  (lambda (port)
    (display SECRET port)))
(chmod FILE #o400)

an unprivileged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.

One solution to this problem would be to use

(mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)

Maxime Devos wrote on 8 Jun 2021 10:55
74f0e45af9ab426a5105452f191cffad337ca7ce.camel@telenet.be
Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
> [ This was reported on the Nixpkgs bug tracker a few weeks ago
> <https://github.com/NixOS/nixpkgs/issues/121293> ]
>
> When doing something like
>
> (call-with-output-file FILE
>   (lambda (port)
>     (display SECRET port)))
> (chmod FILE #o400)
>
> an unprivileged user could open FILE before FILE had been chmod’ed, and
> then read the contents of FILE.
>
> One solution to this problem would be to use
>
> (mkdir (dirname FILE) #o400)
>
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

(call-with-output-file* FILE
  (lambda (port)
    (display SECRET port))
  #:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.
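A Guile sketch of the call-with-output-file* that Maxime proposes, added here as an example and not code from the Guix tree: the file is created with its final mode in a single open(2) call, so there is no window between writing SECRET and chmod. The O_EXCL handling, the fchmod step, and the helper name write-secret-example are my assumptions.

```scheme
(define* (call-with-output-file* file proc #:key (perms #o400))
  "Like call-with-output-file, but create FILE with permission bits PERMS
before any byte is written.  Assumption: a stale FILE is ours to replace."
  ;; open(2) applies its mode argument only when it creates the file.
  ;; Without O_EXCL an existing FILE (perhaps created with wide permissions
  ;; by an earlier, vulnerable version of the service) would be reused with
  ;; whatever mode it already has, so remove a stale copy and insist on
  ;; creating a fresh one.  logior is Guile's core spelling of bitwise-ior.
  (when (file-exists? file)
    (delete-file file))
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) perms)))
    (dynamic-wind
      (const #t)
      (lambda ()
        ;; The mode passed to open(2) is still masked by the process umask.
        ;; Guile's chmod on a port is fchmod(2), which is not masked and
        ;; runs while the file is still empty, so no secret is exposed.
        (chmod port perms)
        (proc port))
      (lambda ()
        (close-port port)))))

;; Constructed usage (hypothetical helper): write a placeholder secret and
;; return the permission bits the file ended up with.
(define (write-secret-example file)
  (call-with-output-file* file
    (lambda (port)
      (display "PLACEHOLDER-SECRET" port))
    #:perms #o400)
  ;; stat:perms yields the mode masked to its permission bits.
  (stat:perms (stat file)))
```

Calling (write-secret-example "/tmp/example-secret") returns #o400 (256) regardless of the umask in effect, whereas the original display-then-chmod sequence leaves the file at the umask default until chmod runs.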


Xinglu Chen wrote on 8 Jun 2021 16:42
874ke8s9i4.fsf@yoctocell.xyz
On Tue, Jun 08 2021, Maxime Devos wrote:

> Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
>> [ This was reported on the Nixpkgs bug tracker a few weeks ago
>> <https://github.com/NixOS/nixpkgs/issues/121293> ]
>>
>> When doing something like
>>
>> (call-with-output-file FILE
>>   (lambda (port)
>>     (display SECRET port)))
>> (chmod FILE #o400)
>>
>> an unprivileged user could open FILE before FILE had been chmod’ed, and
>> then read the contents of FILE.
>>
>> One solution to this problem would be to use
>>
>> (mkdir (dirname FILE) #o400)
>>
>> before writing SECRET to FILE.
>
> Alternatively, a variant of call-with-output-file
> could be defined that has a #:perms argument.
>
> This new procedure, let's call it call-with-output-file*,
> could create a file with the right permissions with
> (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
> or something like that.
>
> Then the vulnerable code above would become ...
>
> (call-with-output-file* FILE
>   (lambda (port)
>     (display SECRET port))
>   #:perms #o400)
>
> This seems a bit easier in usage to me!
> No need to worry if changing the permissions of the parent
> directory would break anything this way.

Indeed, this sounds like a better approach!

To comment on this conversation send an email to 48872@debbugs.gnu.org
