authorEelco Dolstra <e.dolstra@tudelft.nl>2005-10-17T16·59+0000
committerEelco Dolstra <e.dolstra@tudelft.nl>2005-10-17T16·59+0000
commit439823ae803444052442ad6ceb7191ba22cbc4cf (patch)
tree5a99fbaea5aa4c453e8806fa96ff18629dd36cff /src/libstore
parent7ef574e5d0568a27a3f30b68af6d0a744aff90ff (diff)
* Check that the build result is owned by the build user, and that
  nobody else has write permission to the build result.  This catches
  most hack attempts.

Diffstat (limited to 'src/libstore')
-rw-r--r--src/libstore/build.cc15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index e0a7c6689742..47d0979213ba 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1194,6 +1194,10 @@ void DerivationGoal::computeClosure()
                 % drvPath % path);
         }
 
+        struct stat st;
+        if (lstat(path.c_str(), &st))
+            throw SysError(format("getting attributes of path `%1%'") % path);
+            
         startNest(nest, lvlTalkative,
             format("scanning for references inside `%1%'") % path);
 
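Review bot: The metadata snapshot taken by the hoisted `lstat(path.c_str(), &st)` is consumed only two hunks later, after the fixed-output hash verification and whatever runs in the lines between the hunks, so the ownership/permission test there judges the path as it was here rather than as it is when the output is accepted; if anything still running as the build user can reach the output in that window (this hunk does not show whether such processes are reaped first), the check can be defeated by a late write. Either re-stat the path immediately before that check or record the assumption above this call, e.g. `/* Assumes the builder and anything it spawned have exited; st is reused by the ownership check below. */`. The added line after the throw is whitespace-only and should be an empty line. computeClosure begins and ends outside this hunk.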
@@ -1214,8 +1218,6 @@ void DerivationGoal::computeClosure()
                 /* The output path should be a regular file without
                    execute permission. */
                 struct stat st;
-                if (lstat(path.c_str(), &st))
-                    throw SysError(format("getting attributes of path `%1%'") % path);
                 if (!S_ISREG(st.st_mode) || (st.st_mode & S_IXUSR) != 0)
                     throw Error(
                         format("output path `%1% should be a non-executable regular file")
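Review bot: The `struct stat st;` kept on the line above the removed lstat() now shadows the `st` that the hoisted lstat() fills earlier in the loop body, so the `!S_ISREG(st.st_mode)` test on the next surviving line reads an uninitialised struct and the fixed-output regular-file check is effectively random. The inner declaration has to go with the lstat(): delete `struct stat st;` from this block so the test sees the outer, populated one. A `-Wshadow`/`-Wuninitialized` build would have flagged this. The enclosing if-block and computeClosure continue outside the hunk.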
@@ -1234,6 +1236,15 @@ void DerivationGoal::computeClosure()
                     % path % algo % printHash(h) % printHash(h2));
         }
 
+        /* Check that the output is not group or world writable, as
+           that means that someone else can have interfered with the
+           build.  Also, the output should be owned by the build
+           user. */
+        if ((st.st_mode & (S_IWGRP | S_IWOTH)) ||
+            (buildUser != 0 && st.st_uid != buildUser))
+            throw Error(format("suspicious ownership or permission on `%1%'; rejecting this build output") % path);
+
+        /* Get rid of all weird permissions. */
 	canonicalisePathMetaData(path);
 
 	/* For this output path, find the references to other paths contained
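Review bot: The new check on the `if ((st.st_mode & (S_IWGRP | S_IWOTH)) ||` line inspects only the top-level output path; when the output is a directory, files beneath it that are group/world-writable or owned by another uid are never examined, and canonicalisePathMetaData on the following line then normalises them silently, so the commit's "catches most hack attempts" holds only for the root entry. If a recursive check is out of scope for this change, the comment above the test should say so, e.g. `/* NOTE: only the top-level path is inspected; the contents of a directory output are not checked for ownership or write bits. */`. Separately, `st` comes from lstat(), and on Linux a symlink's own mode is reported as 0777, so an output that is itself a symlink would always trip the group/world-writable test; guarding the mode test with `!S_ISLNK(st.st_mode) &&` (or checking the link target instead) avoids that. Including the observed mode and uid in the "suspicious ownership or permission" message would also make rejected builds diagnosable. computeClosure continues beyond this hunk.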