Fixed in 2.0 and the 2.2 prerelease. Thanks!

Andy
On Sun 14 Sep 2014 23:33, Rob Browning <r...@defaultvalue.org> writes:

> [If possible, please preserve the -forwarded address in any replies.]
>
> I suspect this should be fixed, if it hasn't been already.
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758971
>
> Thanks
>
> Rand Peters <rwpet...@yandex.com> writes:
>
>> Package: guile-2.0
>> Version: 2.0.11+1-1
>> Tags: security
>>
>> Guile automatically byte-compiles programs when they are run, and
>> places the byte-compiled file in a subdirectory of
>> $HOME/.cache/guile/.
>>
>> However, the permissions of the byte-compiled file are derived from
>> umask rather than the permissions of the source file. This means that
>> sensitive data (e.g. a hard-coded password) contained in a source file
>> with restrictive permissions will be copied into a byte-compiled file
>> that may be world-readable.
>>
>> Guile should ensure that the permissions of byte-compiled files match
>> those of the source.
>>
>> Example:
>>
>> $ touch myscript
>>
>> $ chmod 700 myscript # source file readable only to owner
>>
>> $ cat >> myscript <<'EOF'
>> #!/usr/bin/guile \
>> -e main -s
>> !#
>>
>> (define secret-password "DEADBEEFDEADBEEF")
>>
>> (define (main args)
>>   (display "this program contains an embedded secret")
>>   (newline))
>> EOF
>>
>> $ ./myscript
>> ;;; note: auto-compilation is enabled, set GUILE_AUTO_COMPILE=0
>> ;;; or pass the --no-auto-compile argument to disable.
>> ;;; compiling /home/rwp/./myscript
>> ;;; compiled /home/rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> this program contains an embedded secret
>>
>> $ ls -l ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> -rw-r--r-- 1 rwp rwp 456 Jul 1 12:00 /home/[...]/myscript.go
>>
>> # ^^ Note that the byte-compiled file is world-readable
>>
>> $ strings ~rwp/.cache/guile/ccache/2.0-LE-4-2.0/home/rwp/myscript.go
>> [...]
>> DEADBEEFDEADBEEF
>> secret-password
>> [...]
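The pattern behind the report above (a derived cache file inheriting the process umask instead of the source file's permissions) is generic to any tool that writes compiled or cached copies of user input. The following Python is an added example, not Guile's code and not part of this thread: it reproduces the umask-only behaviour on a constructed source file with mode 0700, shows the defensive alternative (create the cache at 0600, then fchmod it to the source's read/write bits before an atomic rename), and includes a small audit that flags cache files granting any read/write bit their source does not. The file names, the `.tmp` suffix and the fake "bytecode" payload are assumptions for illustration.

```python
import os
import stat
import tempfile


def write_cache_umask_only(dst_path: str, data: bytes) -> int:
    """Reproduce the reported behaviour: a plain open() creates the cache
    file with the default 0o666 masked only by the process umask, so the
    source file's restrictive mode is never consulted.  Returns the mode."""
    with open(dst_path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(dst_path).st_mode)


def write_cache_matching_source(src_path: str, dst_path: str, data: bytes) -> int:
    """Defensive variant: derive the cache's mode from the source's
    read/write bits (exec bits dropped, as a cache is data, not a program).
    The file is created owner-only first, adjusted with fchmod while still
    open, then atomically renamed into place, so it is never observable
    with wider permissions than the final ones.  Returns the mode."""
    src_mode = stat.S_IMODE(os.stat(src_path).st_mode) & 0o666
    tmp_path = dst_path + ".tmp"  # assumed naming for the staging file
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        os.fchmod(fd, src_mode)  # explicit chmod overrides the umask
    finally:
        os.close(fd)
    os.replace(tmp_path, dst_path)
    return stat.S_IMODE(os.stat(dst_path).st_mode)


def find_overly_permissive(pairs):
    """Audit helper: for each (source, cache) pair return a tuple
    (cache_path, cache_mode, source_mode) when the cache grants a
    read/write bit that the source does not."""
    findings = []
    for src, dst in pairs:
        src_rw = stat.S_IMODE(os.stat(src).st_mode) & 0o666
        dst_rw = stat.S_IMODE(os.stat(dst).st_mode) & 0o666
        if dst_rw & ~src_rw:
            findings.append((dst, dst_rw, src_rw))
    return findings


def demo() -> dict:
    """Build a constructed owner-only source file, write a cache both ways
    under a typical 022 umask (the one implied by the report's ls output),
    and return the resulting modes plus the audit's flagged file names."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "myscript")
        with open(src, "w") as fh:
            fh.write('(define secret-password "CONSTRUCTED-SECRET")\n')
        os.chmod(src, 0o700)

        # Constructed stand-in for compiled output that still embeds the literal.
        payload = b"fake bytecode: secret-password CONSTRUCTED-SECRET"
        umask_cache = os.path.join(workdir, "myscript.umask.go")
        fixed_cache = os.path.join(workdir, "myscript.fixed.go")

        old_umask = os.umask(0o022)
        try:
            umask_mode = write_cache_umask_only(umask_cache, payload)
            fixed_mode = write_cache_matching_source(src, fixed_cache, payload)
        finally:
            os.umask(old_umask)

        flagged = find_overly_permissive([(src, umask_cache), (src, fixed_cache)])
        return {
            "umask_mode": umask_mode,            # 0o644: world-readable copy
            "fixed_mode": fixed_mode,            # 0o600: matches source's rw bits
            "flagged": [os.path.basename(p) for p, _, _ in flagged],
        }


if __name__ == "__main__":
    result = demo()
    print("umask-only cache mode: %o" % result["umask_mode"])
    print("source-matched cache mode: %o" % result["fixed_mode"])
    print("flagged by audit:", result["flagged"])
```

The audit compares only read/write bits, so it will not complain about a cache lacking the source's execute bit, but it will flag the case in the report: a 0644 cache derived from a 0700 source. The same check, pointed at `~/.cache/guile/ccache` and the scripts it mirrors, is a quick way to confirm a fix has landed on a given installation.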