Guix services: ‘chmod’ leaves opportunity to leak secrets

OpenSubmitted by Xinglu Chen.
Details
2 participants
  • Maxime Devos
  • Xinglu Chen
Owner
unassigned
Severity
normal
X
X
Xinglu Chen wrote on 6 Jun 2021 14:51
(address . bug-guix@gnu.org)
87y2bn5f6v.fsf@yoctocell.xyz
[ This was reported on the Nixpkgs bug tracker a few weeks ago

When doing something like

(call-with-output-file FILE
(lambda (port)
(display SECRET port)))
(chmod FILE #o400)

an unpriviliged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.

One solution to this problem would be to use

(mkdir (dirname FILE) #o400)

before writing SECRET to FILE.

I have identified at least two services which are vulnerable to this:

* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu servicse web)
-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEAVhh4yyK5+SEykIzrPUJmaL7XHkFAmC8xNgVHHB1YmxpY0B5
b2N0b2NlbGwueHl6AAoJEKz1CZmi+1x5thAQAL3qpee3wHvYmFD9wL480xx6V3Xe
+4f7rNdr+6QgfwBpTZ3M2JNtLokNaDBVIAFnumSeCNTy7QrQgzbYbhrm9uh13nsy
h0LaT7/R9hYZ3rm4SaSmuAO0Gm/mhCl5jtmdQjDozi4SbBZa0bp87QioZcbUC7p2
hKiB7CTrCu5WHtPC55RfRxq4X+s6X6dBM4PEgw9C5b28mvw6KMe9rFNC1r2u3jIH
iXddPJxIZN9sjjBjO4EkRAtB5WGvfQLC+foPcnhNISvSKCtaonn4dQvgjeJ+0Qwc
CQ0CpU/rQYt1KSFPvcvH1CtUI7a3j/J63kKInGm/U9vh386yFnuX0J787Q91AUW4
ZfrIH0b5cYjLW40Ro8yNvjviFLj8x4FZFfD/D2P3AsbBvmBwukSr1VFHaGbEawu4
gNyUciMUtW2NFly9w9wGHm5qS/kog9VrS64G1dsTa4MGqJzwYv+SvXj/uzyyO6cq
vVPoT7VPeUUAjVUB08j08KmCVl/38xuBtHjr06B7DWMut+11TkqDga3iNLrdUaQS
H/N2002yErF1ZOeGfl74+iRDHMg/F92epHmOGlLEh1VAEWWjj4lvF5nz41uFGz0y
KSpx0ZrNPb+WABAUUj2EuQquxx22FeSgc4tZuKTrjJDd/nS+X6rheuL0cO0MvRnF
uWTrfD4wGuEapukq
=lgih
-----END PGP SIGNATURE-----

M
M
Maxime Devos wrote on 8 Jun 2021 10:55
74f0e45af9ab426a5105452f191cffad337ca7ce.camel@telenet.be
Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
Toggle quote (19 lines)
> [ This was reported on the Nixpkgs bug tracker a few weeks ago
> <https://github.com/NixOS/nixpkgs/issues/121293> ]
>
> When doing something like
>
> (call-with-output-file FILE
> (lambda (port)
> (display SECRET port)))
> (chmod FILE #o400)
>
> an unpriviliged user could open FILE before FILE had been chmod’ed, and
> then read the contents of FILE.
>
> One solution to this problem would be to use
>
> (mkdir (dirname FILE) #o400)
>
> before writing SECRET to FILE.

Alternatively, a variant of call-with-output-file
could be defined that has a #:perms argument.

This new procedure, let's call it call-with-output-file*,
could create a file with the right permissions with
(open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
or something like that.

Then the vulnerable code above would become ...

(call-with-output-file* FILE
(lambda (port)
(display SECRET port))
#:perms #o400)

This seems a bit easier in usage to me!
No need to worry if changing the permissions of the parent
directory would break anything this way.

Greetings,
Maxime.
-----BEGIN PGP SIGNATURE-----

iI0EABYKADUWIQTB8z7iDFKP233XAR9J4+4iGRcl7gUCYL8woxccbWF4aW1lZGV2
b3NAdGVsZW5ldC5iZQAKCRBJ4+4iGRcl7l6LAP9lvxXDTIy22StYXL4K5fIrEGpA
w1WNajUSoUbXzxfV3wD/Z+45+0ZgGs32klEU5w/WMU6Rc1b8l6UAO3eYcJMBhgE=
=JCiS
-----END PGP SIGNATURE-----


X
X
Xinglu Chen wrote on 8 Jun 2021 16:42
874ke8s9i4.fsf@yoctocell.xyz
On Tue, Jun 08 2021, Maxime Devos wrote:

Toggle quote (39 lines)
> Xinglu Chen schreef op zo 06-06-2021 om 14:51 [+0200]:
>> [ This was reported on the Nixpkgs bug tracker a few weeks ago
>> <https://github.com/NixOS/nixpkgs/issues/121293> ]
>>
>> When doing something like
>>
>> (call-with-output-file FILE
>> (lambda (port)
>> (display SECRET port)))
>> (chmod FILE #o400)
>>
>> an unpriviliged user could open FILE before FILE had been chmod’ed, and
>> then read the contents of FILE.
>>
>> One solution to this problem would be to use
>>
>> (mkdir (dirname FILE) #o400)
>>
>> before writing SECRET to FILE.
>
> Alternatively, a variant of call-with-output-file
> could be defined that has a #:perms argument.
>
> This new procedure, let's call it call-with-output-file*,
> could create a file with the right permissions with
> (open "/etc/...-secret" (bitwise-ior O_WRONLY O_CREAT) #o400)
> or something like that.
>
> Then the vulnerable code above would become ...
>
> (call-with-output-file* FILE
> (lambda (port)
> (display SECRET port))
> #:perms #o400)
>
> This seems a bit easier in usage to me!
> No need to worry if changing the permissions of the parent
> directory would break anything this way.

Indeed, this sounds like a better approach!
-----BEGIN PGP SIGNATURE-----

iQJJBAEBCAAzFiEEAVhh4yyK5+SEykIzrPUJmaL7XHkFAmC/geMVHHB1YmxpY0B5
b2N0b2NlbGwueHl6AAoJEKz1CZmi+1x5pbEQAICeiXsKUaAhqNwFguL6CV9xIE89
QD/qwDdJMFUkwROqh8J5/QTRgi9Z6jY4xUO1Qs26SSJ2TcxJJ3iKejqVnA59acGM
qfoC1FZ+HzvgJoXll3L/3+Guvp1WI/zfLyrVUC58xRMYgMLJVmPHlgfOrjzgxRHR
YlcLYg2YGSx5ZCwEDmmh7BHxCO2KpBsOeubn60RRi9CBc7uRwSWKDQ7mUbRjYfc0
Xyx74EZbi/riDXibJhQHTTrEluQi4JnQ07j5ZY6svSCWJIr7cdB+A6HItIKDTP2+
U9TnbL3Lh5KkUP9kMx4QdSXVJyx91umZxLGqeooHfpy43IVJTCw0DvH8DcIFsUL5
NP9EnWr49RkrhoIJQjUAzXP5sT//cgusYrYkUXzpjJvgkVuVlfmbf8wiKMYksLBs
a8GFgs+lnGGVKuFzyIVwpEK4BqjjhYs/nD/Hxz6iZ84zDgSxbIEigQDZCtfLRsbk
rqNprdd+m01rYEyGMLlrA7ma2mdfkw7CzsTK3p0bgg2JEfuqWS5VfkXHAunQv2Wy
w3Y56Vts/YQl4V0xPYROKxdSCXn3hmutbVpdzgsx3xUlJ0qXMXcowUG8WUpp5ZTM
JY9u9jtWm9A0zShYrikXpBEmThkYdIlgSKjsOci0PyVs5FORkf7qr9dbCrdGugX2
0qD80KQXJjQlHY7r
=IxgZ
-----END PGP SIGNATURE-----

?