From patchwork Tue Jun 8 15:40:52 2021
X-Patchwork-Submitter: Xinglu Chen
X-Patchwork-Id: 30022
From: Xinglu Chen
Subject: [bug#48923] [PATCH] build: utils: Add ‘call-with-outp
To: 48923@debbugs.gnu.org
Cc: Maxime Devos
Date: Tue, 08 Jun 2021 17:40:52 +0200
Message-Id: <23ac66d29119c5395fee0e993ea0fe811beefd91.1623166798.git.public@yoctocell.xyz>

Using ‘call-with-output-file*’ instead of ‘call-with-output-file’ and ‘chmod’ will prevent secrets from being leaked. See .

* guix/build/utils.scm (call-with-output-file*): New procedure.
* doc/guix.texi (Build Utilities): Document it.

--- doc/guix.texi | 19 +++++++++++++++++++ guix/build/utils.scm | 10 ++++++++++ 2 files changed, 29 insertions(+) base-commit: 503c2039a280dd52a751a6852b4157fccd1b4195 diff --git a/doc/guix.texi b/doc/guix.texi index 59b4ac11b4..7e15cd9e92 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -8612,6 +8612,25 @@ Be careful about using @code{$} to match the end of a line; by itself it won't match the terminating newline of a line. @end deffn +@deffn {Scheme Procedure} call-with-output-file* @var{file} @var{proc} @ + [#:perms #o666] +Open FILE for output, set the file permission bits to @var{perms}, and +call @code{(PROC port)} with the resulting port. + +The advantage of using this procedure compared to something like this + +@lisp +(call-with-output-file "FILE" + (lambda (port) + (display "top secret" port))) +(chmod "FILE" #o400) +@end lisp + +is that, with the latter, an unpriviliged user could open @var{file} +before the permission was changed to @code{#o400}, thus making it +possible to leak sensitive information. +@end deffn + @subsection File Search @cindex file, searching diff --git a/guix/build/utils.scm b/guix/build/utils.scm index 419c10195b..df960eee84 100644 --- a/guix/build/utils.scm +++ b/guix/build/utils.scm @@ -5,6 +5,7 @@ ;;; Copyright © 2015, 2018 Mark H Weaver ;;; Copyright © 2018 Arun Isaac ;;; Copyright © 2018, 2019 Ricardo Wurmus +;;; Copyright © 2021 Xinglu Chen ;;; ;;; This file is part of GNU Guix. ;;; @@ -66,6 +67,7 @@ file-name-predicate find-files false-if-file-not-found + call-with-output-file* search-path-as-list set-path-environment-variable @@ -448,6 +450,14 @@ also be included. If FAIL-ON-ERROR? is true, raise an exception upon error." #f (apply throw args))))) +;; Prevent secrets from leaking, see +(define* (call-with-output-file* file proc #:key (perms #o666)) + "FILE should be string containg the path to a file, PROC should be a procedure +that accepts the port as an argument, and PERMS should be the permission bits +of the file, the default is 666." + (let ((port (open file (bitwise-ior O_WRONLY O_CREAT) perms))) + (call-with-port port proc))) + ;;; ;;; Search paths.
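
Review bot: in the doc/guix.texi hunk, the sentence "set the file permission bits to @var{perms}" in the new @deffn promises more than the code delivers. The mode given to open is applied only when the file is created and is then masked by the process umask, so the documented default of #o666 normally still produces a world-readable file. Suggest stating both limits and telling callers who write secrets to pass an explicit restrictive mode, such as the #o400 used in the example. In the same entry, "unpriviliged" should be "unprivileged", and FILE and PROC in the first sentence should be written @var{file} and @var{proc} to match the signature line.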
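
Review bot: in the last guix/build/utils.scm hunk, call-with-output-file* opens FILE with only O_WRONLY and O_CREAT, so PERMS takes effect only when the file is newly created, and an existing file keeps both its old mode and any old bytes beyond what PROC writes. For a helper whose purpose is keeping secrets private, add O_TRUNC to match the behaviour of call-with-output-file, and either add O_EXCL or call chmod on the port before invoking PROC, so that a pre-existing world-readable FILE cannot receive the secret. The default of #o666 also works against that purpose; consider a restrictive default such as #o600 or making #:perms mandatory. In the docstring, "should be string containg" should read "should be a string containing".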