Remove world-writability from per-user directories

'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127. (cherry picked from commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d)
2019-10-09 18:01:21 +02:00 · 2019-10-09 18:01:21 +02:00 · 65953789bc
commit 65953789bc
parent 910b0fcc11
11 changed files with 41 additions and 43 deletions
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@ -529,16 +529,15 @@ create_build_users() {
 }

 create_directories() {
+    # FIXME: remove all of this because it duplicates LocalStore::LocalStore().
+
    _sudo "to make the basic directory structure of Nix (part 1)" \
-          mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool}
+          mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool} /nix/var/nix/{gcroots,profiles}/per-user

    _sudo "to make the basic directory structure of Nix (part 2)" \
-          mkdir -pv -m 1777 /nix/var/nix/{gcroots,profiles}/per-user
-
-    _sudo "to make the basic directory structure of Nix (part 3)" \
          mkdir -pv -m 1775 /nix/store

-    _sudo "to make the basic directory structure of Nix (part 4)" \
+    _sudo "to make the basic directory structure of Nix (part 3)" \
          chgrp "$NIX_BUILD_GROUP_NAME" /nix/store

    _sudo "to set up the root user's profile (part 1)" \