Remove world-writability from per-user directories

'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127. (cherry picked from commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d)
2019-10-09 18:01:21 +02:00 · 2019-10-09 18:01:21 +02:00 · 65953789bc
commit 65953789bc
parent 910b0fcc11
11 changed files with 41 additions and 43 deletions
--- a/tests/nix-profile.sh
+++ b/tests/nix-profile.sh
@ -10,5 +10,3 @@ USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh" # test idempotency

 [ -L $TEST_HOME/.nix-profile ]
 [ -e $TEST_HOME/.nix-channels ]
-[ -e $TEST_ROOT/profile-var/nix/gcroots/per-user/$user ]
-[ -e $TEST_ROOT/profile-var/nix/profiles/per-user/$user ]
--- a/tests/remote-store.sh
+++ b/tests/remote-store.sh
@ -13,3 +13,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2
 nix-store --gc --max-freed 1K

 killDaemon
+
+user=$(whoami)
+[ -e $NIX_STATE_DIR/gcroots/per-user/$user ]
+[ -e $NIX_STATE_DIR/profiles/per-user/$user ]
--- a/tests/user-envs.sh
+++ b/tests/user-envs.sh
@ -20,7 +20,7 @@ drvPath10=$(nix-env -f ./user-envs.nix -qa --drv-path --no-name '*' | grep foo-1

 # Query descriptions.
 nix-env -f ./user-envs.nix -qa '*' --description | grep -q silly
-rm -f $HOME/.nix-defexpr
+rm -rf $HOME/.nix-defexpr
 ln -s $(pwd)/user-envs.nix $HOME/.nix-defexpr
 nix-env -qa '*' --description | grep -q silly