Security: Don't allow builders to change permissions on files they don't own
It turns out that in multi-user Nix, a builder may be able to do
ln /etc/shadow $out/foo
Afterwards, canonicalisePathMetaData() will be applied to $out/foo,
causing /etc/shadow's mode to be set to 444 (readable by everybody but
writable by nobody). That's obviously Very Bad.
Fortunately, this fails in NixOS's default configuration because
/nix/store is a bind mount, so "ln" will fail with "Invalid
cross-device link". It also fails if hard-link restrictions are
enabled, so a workaround is:
echo 1 > /proc/sys/fs/protected_hardlinks
The solution is to check that all files in $out are owned by the build
user. This means that innocuous operations like "ln
${pkgs.foo}/some-file $out/" are now rejected, but that already failed
in chroot builds anyway.
This commit is contained in:
Eelco Dolstra
parent
dadf7a5b46
commit
5526a282b5
5 changed files with 17 additions and 20 deletions
|
|
@ -2287,7 +2287,7 @@ void DerivationGoal::computeClosure()
|
|||
}
|
||||
|
||||
/* Get rid of all weird permissions. */
|
||||
canonicalisePathMetaData(path);
|
||||
canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
|
||||
|
||||
/* For this output path, find the references to other paths
|
||||
contained in it. Compute the SHA-256 NAR hash at the same
|
||||
|
|
@ -2839,7 +2839,7 @@ void SubstitutionGoal::finished()
|
|||
return;
|
||||
}
|
||||
|
||||
canonicalisePathMetaData(destPath);
|
||||
canonicalisePathMetaData(destPath, -1);
|
||||
|
||||
worker.store.optimisePath(destPath); // FIXME: combine with hashPath()
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue