Security: Don't allow builders to change permissions on files they don't own

It turns out that in multi-user Nix, a builder may be able to do

  ln /etc/shadow $out/foo

Afterwards, canonicalisePathMetaData() will be applied to $out/foo,
causing /etc/shadow's mode to be set to 444 (readable by everybody but
writable by nobody).  That's obviously Very Bad.

Fortunately, this fails in NixOS's default configuration because
/nix/store is a bind mount, so "ln" will fail with "Invalid
cross-device link".  It also fails if hard-link restrictions are
enabled, so a workaround is:

  echo 1 > /proc/sys/fs/protected_hardlinks

The solution is to check that all files in $out are owned by the build
user.  This means that innocuous operations like "ln
${pkgs.foo}/some-file $out/" are now rejected, but that already failed
in chroot builds anyway.

1 files changed, 2 insertions, 2 deletions

diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh
index 2b0d71380915..d3e1ca29294e 100644
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@@ -307,9 +307,9 @@ private:
      without execute permission; setuid bits etc. are cleared)
    - the owner and group are set to the Nix user and group, if we're
      in a setuid Nix installation. */
-void canonicalisePathMetaData(const Path & path);
+void canonicalisePathMetaData(const Path & path, uid_t fromUid);
 
-void canonicalisePathMetaData(const Path & path, bool recurse);
+void canonicalisePathMetaData(const Path & path, bool recurse, uid_t fromUid);
 
 MakeError(PathInUse, Error);