Set /nix/store permission to 1737

I.e., not readable to the nixbld group. This improves purity a bit for
non-chroot builds, because it prevents a builder from enumerating
store paths (i.e. it can only access paths it knows about).
Eelco Dolstra 2015-01-08 16:39:07 +01:00
parent 128538ef06
commit 27b7b94923
2 changed files with 6 additions and 19 deletions


@ -251,10 +251,12 @@ LocalStore::LocalStore(bool reserveSpace)
multi-user install. */
if (getuid() == 0 && settings.buildUsersGroup != "") {
mode_t perm = 01737;
Path perUserDir = profilesDir + "/per-user";
createDirs(perUserDir);
if (chmod(perUserDir.c_str(), 01777) == -1)
throw SysError(format("could not set permissions on %1% to 1777") % perUserDir);
if (chmod(perUserDir.c_str(), perm) == -1)
throw SysError(format("could not set permissions on %1% to 1737") % perUserDir);
struct group * gr = getgrnam(settings.buildUsersGroup.c_str());
if (!gr)
@ -265,10 +267,10 @@ LocalStore::LocalStore(bool reserveSpace)
if (stat(settings.nixStore.c_str(), &st))
throw SysError(format("getting attributes of path %1%") % settings.nixStore);
if (st.st_uid != 0 || st.st_gid != gr->gr_gid || (st.st_mode & ~S_IFMT) != 01775) {
if (st.st_uid != 0 || st.st_gid != gr->gr_gid || (st.st_mode & ~S_IFMT) != perm) {
if (chown(settings.nixStore.c_str(), 0, gr->gr_gid) == -1)
throw SysError(format("changing ownership of path %1%") % settings.nixStore);
if (chmod(settings.nixStore.c_str(), 01775) == -1)
if (chmod(settings.nixStore.c_str(), perm) == -1)
throw SysError(format("changing permissions on path %1%") % settings.nixStore);
}
}
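Review bot: `mode_t perm = 01737;` sets the "other" bits to rwx, so the `chmod(settings.nixStore.c_str(), perm)` in the second hunk leaves the store directory writable by every local account, where the previous `01775` gave others only read and search. The sticky bit stops those accounts from removing or renaming entries they do not own, but not from creating new ones. If the aim is only to take read away from the build-users group, `mode_t perm = 01735;` does that without widening write access, and a comment such as `/* sticky; root rwx; build group -wx (cannot list); others r-x */` would make the octal value reviewable. The same `perm` also appears to be applied to `perUserDir` in the first hunk, which the commit message does not mention; the +/- markers are lost on this page, so confirm which of the two `chmod(perUserDir...)` calls is on the new side. The constructor body starts and ends outside both hunks.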