author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2011-12-21T19·11+0000 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2011-12-21T19·11+0000 |
commit | 4d728bc3e60a6d07858f7a881221688ccdebb7fe (patch) | |
tree | b81152d5b52c1ea8b2ad4c4d286a22992b75f00f | |
parent | 69d6f0936a59da5cc35040407f4b667437d61add (diff) |
* Security: make sure the lock files used by build-remote.pl are not
readable to other users. Otherwise, any user can open the lock file for reading and lock it, thus DoSing the remote build mechanism.
-rwxr-xr-x | scripts/build-remote.pl.in | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/scripts/build-remote.pl.in b/scripts/build-remote.pl.in
index 6a6515756163..8bf77df04b35 100755
--- a/scripts/build-remote.pl.in
+++ b/scripts/build-remote.pl.in
@@ -1,6 +1,6 @@
 #! @perl@ -w @perlFlags@
-use Fcntl ':flock';
+use Fcntl qw(:DEFAULT :flock);
 use English '-no_match_vars';
 use IO::Handle;
 use Nix::Config;
@@ -56,7 +56,7 @@ sub openSlotLock {
 my ($machine, $slot) = @_;
 my $slotLockFn = "$currentLoad/" . (join '+', @{$machine->{systemTypes}}) . "-" . $machine->{hostName} . "-$slot";
 my $slotLock = new IO::Handle;
- open $slotLock, ">>$slotLockFn" or die;
+ sysopen $slotLock, "$slotLockFn", O_RDWR|O_CREAT, 0600 or die;
 return $slotLock;
 }
@@ -64,7 +64,7 @@ sub openSlotLock {
 # Read the list of machines.
 my @machines;
 if (defined $conf && -e $conf) {
- open CONF, "< $conf" or die;
+ open CONF, "<$conf" or die;
 while (<CONF>) {
 chomp;
 s/\#.*$//g;
@@ -104,7 +104,7 @@ REQ: while (1) {
 # Acquire the exclusive lock on $currentLoad/main-lock.
 mkdir $currentLoad, 0777 or die unless -d $currentLoad;
 my $mainLock = "$currentLoad/main-lock";
- open MAINLOCK, ">>$mainLock" or die;
+ sysopen MAINLOCK, "$mainLock", O_RDWR|O_CREAT, 0600 or die;
 flock(MAINLOCK, LOCK_EX) or die;
@@ -232,7 +232,7 @@ sub removeRoots {
 # the same missing path simultaneously, causing the effective network
 # bandwidth and target disk speed to be divided by N.
 my $uploadLock = "$currentLoad/$hostName.upload-lock";
-open MAINLOCK, ">>$uploadLock" or die;
+sysopen MAINLOCK, "$uploadLock", O_RDWR|O_CREAT, 0600 or die;
 flock(MAINLOCK, LOCK_EX) or die;
 Nix::CopyClosure::copyTo($hostName, [ @sshOpts ], [ $drvPath, @inputs ], "", "", 0, 0, $maybeSign ne "");
 close MAINLOCK; |
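Review bot: The `0600` passed to `sysopen` in `openSlotLock` only takes effect when the call creates the file, so slot lock files left behind by the previous `>>` open keep the mode the umask gave them and can still be opened and locked by other users. The same holds for the `main-lock` and `upload-lock` opens in the later hunks. Tightening the mode on the open handle right after each `sysopen`, e.g. `chmod 0600, $slotLock or die "chmod $slotLockFn: $!";`, would cover files that already exist. The bare `or die` also discards `$!`; `or die "cannot open $slotLockFn: $!";` would make a permission failure diagnosable.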
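Review bot: `mkdir $currentLoad, 0777` on the context line above the new `sysopen MAINLOCK` still requests a world-writable directory (the effective mode depends on the umask, which is not visible here), and the open uses `O_CREAT` without `O_NOFOLLOW` or any ownership check. If other users can write to that directory, a lock path that already exists as someone else's file or as a symlink is opened as-is and the `0600` argument is ignored, so the protection this commit adds does not hold. Consider `mkdir $currentLoad, 0700` if only one user is meant to run this hook, or add `O_NOFOLLOW` to the flags and verify `(stat MAINLOCK)[4] == $EUID` after the open. The enclosing `REQ:` loop continues outside the hunk, and the upload-lock open in the last hunk has the same exposure.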