about summary refs log tree commit diff
path: root/src/libstore/optimise-store.cc
diff options
context:
space:
mode:
authorEelco Dolstra <eelco.dolstra@logicblox.com>2013-02-26T01·30+0100
committerEelco Dolstra <eelco.dolstra@logicblox.com>2013-02-26T01·30+0100
commit5526a282b5b44e9296e61e07d7d2626a79141ac4 (patch)
tree47d50327dc39bc716fa9ef047ab2b6d2667340e0 /src/libstore/optimise-store.cc
parentdadf7a5b46f08b59c7e15a40937a9039ef273d63 (diff)
Security: Don't allow builders to change permissions on files they don't own
It turns out that in multi-user Nix, a builder may be able to do

  ln /etc/shadow $out/foo

Afterwards, canonicalisePathMetaData() will be applied to $out/foo,
causing /etc/shadow's mode to be set to 444 (readable by everybody but
writable by nobody).  That's obviously Very Bad.

Fortunately, this fails in NixOS's default configuration because
/nix/store is a bind mount, so "ln" will fail with "Invalid
cross-device link".  It also fails if hard-link restrictions are
enabled, so a workaround is:

  echo 1 > /proc/sys/fs/protected_hardlinks

The solution is to check that all files in $out are owned by the build
user.  This means that innocuous operations like "ln
${pkgs.foo}/some-file $out/" are now rejected, but that already failed
in chroot builds anyway.
Diffstat (limited to 'src/libstore/optimise-store.cc')
-rw-r--r--src/libstore/optimise-store.cc2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libstore/optimise-store.cc b/src/libstore/optimise-store.cc
index e91c2b1ce52c..75f2d7d6cc40 100644
--- a/src/libstore/optimise-store.cc
+++ b/src/libstore/optimise-store.cc
@@ -32,7 +32,7 @@ struct MakeReadOnly
     {
         try {
             /* This will make the path read-only. */
-            if (path != "") canonicalisePathMetaData(path, false);
+            if (path != "") canonicalisePathMetaData(path, false, -1);
         } catch (...) {
             ignoreException();
         }