[bug#57365] [PATCH] gnu: guile-smc: Update to 0.5.0
From: Maxime Devos
Subject: [bug#57365] [PATCH] gnu: guile-smc: Update to 0.5.0
Date: Sat, 27 Aug 2022 09:54:47 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
On 26-08-2022 15:34, Mathieu Othacehe wrote:
+ (("\\(add-handler! %logger %syslog\\)")
+ (string-append
+ "(add-handler! %logger\n"
+ " (make <port-log/us>\n"
+ " #:port (open-file \"/tmp/smc.log\"
\"a+\")))\n")))))
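Review bot: the `open-file` call in the replacement string hard-codes "/tmp/smc.log" opened with "a+", a fixed name in a directory that every local user can write to, so whoever creates that name first (for example as a symlink) decides which file the log lines are appended to. If a file logger is needed because syslog is unavailable, point it at a path outside shared directories, or restrict this substitution to the build and test phases so the installed package does not log to /tmp.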
When is this /tmp/smc.log used? When compiling guile-smc or when running
guile-smc?
If the latter, an attacker on a multi-user system could use it to make
you append to files the attacker ordinarily doesn't have access to --
consider guile-smc being in a process as root and the attacker creating
/tmp/smc.log as a symlink to /etc/passwd first; depending on what was
logged, there is now an additional entry in there or it's corrupted,
preventing booting.
Guile-SMC tries to log to the syslog by default but it seems that this
option is not working in Guix, so we need another way to log the
messages. Or it may be that I just overlooked something.
I do think it works, at least there are plenty of mentions of 'syslog'
in the Guix repository. However, possibly the build container forbids
access (unverified), maybe for running tests you need a different logger.
Greetings,
Maxime.
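
The symlink case raised in this message, as an added example that is not part of the original thread or of Guile-SMC. Assumptions: Python's `os.open` stands in for Guile's `open-file`, a temporary directory stands in for `/tmp`, and `victim.txt` is a constructed stand-in for the file the log path points at.

```python
import os
import stat
import tempfile

def open_log_naive(path):
    """Equivalent of (open-file path "a+"): follows whatever is at path."""
    return open(path, "a+")

def open_log_hardened(path):
    """Open path for appending; refuse symlinks, non-regular and foreign files."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)  # OSError if the last component is a symlink
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("log path is not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("log file is owned by another user")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def demo():
    """Constructed scenario; returns (victim after naive open,
    whether the hardened open refused, victim after hardened attempt)."""
    with tempfile.TemporaryDirectory() as shared:      # stand-in for /tmp
        victim = os.path.join(shared, "victim.txt")    # stand-in target file
        log = os.path.join(shared, "smc.log")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, log)                        # log name created first
        with open_log_naive(log) as f:
            f.write("log line\n")                      # lands in victim.txt
        with open(victim) as f:
            after_naive = f.read()
        try:
            open_log_hardened(log).close()
            refused = False
        except OSError:
            refused = True
        with open(victim) as f:
            after_hardened = f.read()
        return after_naive, refused, after_hardened

if __name__ == "__main__":
    print(demo())
```

The ownership and file-type checks run on the opened descriptor with `fstat`, so they cannot be invalidated by someone swapping the name after the check.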