author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-03-24T10·35+0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-03-24T10·35+0100 |
commit | 5ce50cd99e740d0d0f18c30327ae687be9356553 (patch) | |
tree | 22711ae7759fd6514259afc5794a47bc4ccab6fa /src/libstore | |
parent | 6f0c6e20e03bc82fcf0d2198cf81fa2cf25c2f6c (diff) |
Tighten permissions on chroot directories
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index d0299914813c..88efb9a65d1a 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1838,6 +1838,12 @@ void DerivationGoal::startBuilder()
 printMsg(lvlChatty, format("setting up chroot environment in ‘%1%’") % chrootRootDir);
+ if (mkdir(chrootRootDir.c_str(), 0750) == -1)
+ throw SysError(format("cannot create ‘%1%’") % chrootRootDir);
+
+ if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
+ throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir);
+
 /* Create a writable /tmp in the chroot. Many builders need this. (Of course they should really respect $TMPDIR instead.) */
@@ -1874,8 +1880,12 @@ void DerivationGoal::startBuilder()
 can be bind-mounted). !!! As an extra security precaution, make the fake Nix store only writable by the build user. */
- createDirs(chrootRootDir + settings.nixStore);
- chmod_(chrootRootDir + settings.nixStore, 01777);
+ Path chrootStoreDir = chrootRootDir + settings.nixStore;
+ createDirs(chrootStoreDir);
+ chmod_(chrootStoreDir, 0730);
+
+ if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)
+ throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir);
 foreach (PathSet::iterator, i, inputPaths) {
 struct stat st; |
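Review bot: The 0750 passed to `mkdir` for the chroot root is still filtered through the daemon's umask, so under a restrictive umask (077, say) the directory comes out 0700 and the build user, who only reaches it through the group set by the following `chown`, has no search permission on the chroot root. The second hunk sidesteps this by calling `chmod_` after `createDirs`; the same pattern here — `chmod_(chrootRootDir, 0750);` between the `mkdir` and the `chown` — makes the intended root:buildgroup 0750 layout independent of whatever umask the caller inherited. The `chown` presumably relies on a build user being configured whenever chroot builds are enabled; if `buildUser` can be disabled on this path, `getGID()` needs a guard or the code should refuse to build. `startBuilder` begins and ends outside this hunk.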
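Review bot: Granting write access to the fake store through group ownership (`chown(chrootStoreDir, 0, buildUser.getGID())` with mode 0730) lets every member of that group write there, not only this build's user; if, as in the usual setup, all build users share a single build group, a concurrent build running as another member can traverse the group-searchable chroot root from the first hunk and plant or modify files in this build's store before its outputs are copied out. Dropping the sticky bit that 01777 carried also means group members can unlink or rename each other's entries inside the fake store (bind-mounted inputs are protected by the mount itself, freshly created outputs are not). If per-build isolation is the intent, `chmod_(chrootStoreDir, 01730);` would at least keep other members from removing this builder's entries, while true isolation needs per-user rather than shared-group ownership; either way the chosen mode deserves a comment, e.g. `/* 0730: root rwx; build group may create and enter entries but not list them; no world access. */`. `startBuilder` continues past the end of this hunk.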