From: Xinglu Chen
To: 48923@debbugs.gnu.org
Cc: Maxime Devos
Subject: [PATCH v2] activation: Add ‘call-with-output-file*’ procedure.
In-Reply-To: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@yoctocell.xyz>
References: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@yoctocell.xyz>
Message-Id: <7500e1ba2d55d397d4c105ca189746f78de02d35.1623176839.git.public@yoctocell.xyz>
Date: Tue, 08 Jun 2021 20:30:13 +0200
Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’ will prevent secrets from being leaked. See .

* guix/build/activation.scm (call-with-output-file*): New procedure.
* doc/guix.texi (Activation): New section; document ‘call-with-output-file*’.
---
Changes since v1:

* Moved ‘call-with-output-file*’ from (gnu build utils) to (gnu build activation).
* Added an “Activation” section in the manual to document the new procedure.

doc/guix.texi | 31 +++++++++++++++++++++++++++++++ gnu/build/activation.scm | 13 ++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 59b4ac11b4..643c7ff126 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -321,6 +321,7 @@ System Configuration * Invoking guix deploy:: Deploying a system configuration to a remo= te host. * Running Guix in a VM:: How to run Guix System in a virtual machin= e. * Defining Services:: Adding new service definitions. +* Activation:: Setting up system-wide files and directori= es. =20 Services =20 
@@ -13386,6 +13387,7 @@ instance to support new system services. * Invoking guix deploy:: Deploying a system configuration to a remo= te host. * Running Guix in a VM:: How to run Guix System in a virtual machin= e. * Defining Services:: Adding new service definitions. +* Activation:: Setting up system-wide files and directori= es. @end menu =20 @node Using the Configuration System @@ -34633,6 +34635,35 @@ system: This service represents PID@tie{}1. @end defvr =20 +@node Activation +@section Activation + +@dfn{Activation} is the process that sets up system-wide files and +directories so that an @code{operating-system} (@pxref{operating-system +Reference}) configuration becomes active. This will happen when +invoking commands like @command{guix system reconfigure} or +@command{guix system switch-generation}, but not when invoking +@command{guix system build} (@pxref{Invoking guix system}). + +@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @ + [#:perms #o666] +Open FILE for output, set the file permission bits to @var{perms}, and +call @code{(PROC port)} with the resulting port. + +The advantage of using this procedure compared to something like this + +@lisp +(call-with-output-file "FILE" + (lambda (port) + (display "top secret" port))) +(chmod "FILE" #o400) +@end lisp + +is that, with the latter, an unpriviliged user could open @var{file} +before the permission was changed to @code{#o400}, thus making it +possible to leak sensitive information. +@end deffn + =20 @node Documentation @chapter Documentation diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 2af1d44b5f..0054079cb6 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm @@ -6,6 +6,7 @@ ;;; Copyright =C2=A9 2018 Arun Isaac ;;; Copyright =C2=A9 2018, 2019 Ricardo Wurmus ;;; Copyright =C2=A9 2021 Maxime Devos +;;; Copyright =C2=A9 2021 Xinglu Chen ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -34,6 +35,7 @@ #:use-module (srfi srfi-1) #:use-module (srfi srfi-11) #:use-module (srfi srfi-26) + #:use-module (srfi srfi-60) #:export (activate-users+groups activate-user-home activate-etc @@ -43,7 +45,8 @@ activate-firmware activate-ptrace-attach activate-current-system - mkdir-p/perms)) + mkdir-p/perms + call-with-output-file*)) =20 ;;; Commentary: ;;; @@ -102,6 +105,14 @@ Warning: this is currently suspect to a TOCTTOU race!" (chown directory (passwd:uid owner) (passwd:gid owner)) (chmod directory bits)) =20 +;; Prevent secrets from leaking, see +(define* (call-with-output-file* file proc #:key (perms #o666)) + "FILE should be string containg the path to a file, PROC should be a pro= cedure +that accepts the port as an argument, and PERMS should be the permission b= its +of the file, the default is 666." + (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms))) + (call-with-port port proc))) + (define* (copy-account-skeletons home #:key (directory %skeleton-directory) base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195 --=20 2.32.0
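Review bot: in the doc/guix.texi hunk that adds the @deffn for call-with-output-file*, "unpriviliged" should be "unprivileged", and "Open FILE for output" should use @var{file} to match the @deffn line (the @lisp example could likewise write @var{file} instead of the literal "FILE"). The sentence "The advantage of using this procedure compared to something like this ... is that, with the latter, ..." is hard to follow once the example is interposed; consider introducing the example first ("Consider the following:") and then stating that it leaves a window between creation and the chmod call in which another user can open the file, which this procedure avoids. The phrase "set the file permission bits to @var{perms}" also overstates what the implementation in the activation.scm hunk does: the mode passed to open(2) with O_CREAT applies only when the file is created and is masked by the process umask, so it should say the bits are used when the file is created.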
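Review bot: in the gnu/build/activation.scm hunk defining call-with-output-file*, `(open file (bitwise-ior O_WRONLY O_CREAT) perms)` does not guarantee the documented permissions: the mode argument is honoured only when open(2) creates the file (and is masked by the umask), so an existing world-readable file keeps its old mode and the secret is written into it. Either add O_EXCL so the call fails when the file already exists, or call `chmod` on the open port (Guile's `chmod` accepts a port and uses fchmod) before handing it to PROC. Unlike `call-with-output-file`, the new procedure also omits O_TRUNC, so a shorter new secret leaves the tail of a longer old one in place; `(bitwise-ior O_WRONLY O_CREAT O_TRUNC)` restores the expected behaviour. Minor: the docstring should read "FILE should be a string containing the path to a file"; core Guile's `logior` would avoid the new `(srfi srfi-60)` import; and the ChangeLog entry names guix/build/activation.scm while the file changed is gnu/build/activation.scm.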