[ This was reported on the Nixpkgs bug tracker a few weeks ago <https://github.com/NixOS/nixpkgs/issues/121293> ]
When doing something like
    (call-with-output-file FILE
      (lambda (port)
        (display SECRET port)))
    (chmod FILE #o400)
an unprivileged user could open FILE before FILE had been chmod’ed, and
then read the contents of FILE.
One solution to this problem would be to use
    (mkdir (dirname FILE) #o400)
before writing SECRET to FILE.
I have identified at least two services which are vulnerable to this:
* ‘wireguard-service-type’ in (gnu services vpn)
* ‘patchwork-service-type’ in (gnu services web)
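For reference, the following added example (mine, not code from either service) shows the other way to close the window: pass the restrictive mode to open(2) itself, so the file never exists with permissive bits, and use O_EXCL so a pre-existing file or symlink at FILE is refused rather than followed. The path /tmp/guix-secret-demo and the secret are constructed for the demo.

```scheme
;; Added example: create FILE readable only by its owner, with the mode
;; applied atomically at creation time instead of by a later chmod.
(define (write-secret-file file secret)
  "Create FILE with mode #o600 and write SECRET to it.  Because the mode is
part of the open(2) call there is no moment at which FILE is world-readable;
O_EXCL makes the call fail if FILE already exists (including as a symlink)."
  (let ((port (open file (logior O_WRONLY O_CREAT O_EXCL) #o600)))
    (display secret port)
    (close-port port)))

;; Check helper: #t when FILE carries exactly the owner-only mode bits.
(define (owner-only? file)
  (= (stat:perms (stat file)) #o600))

;; Demo on a constructed path; remove any leftover so O_EXCL can succeed.
(let ((file "/tmp/guix-secret-demo"))
  (when (file-exists? file)
    (delete-file file))
  (write-secret-file file "constructed-secret\n")
  (format #t "~a mode: ~o owner-only? ~a~%"
          file (stat:perms (stat file)) (owner-only? file)))
```

The umask still applies to the requested #o600, so it can only make the result more restrictive, never less.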
