diff options
author | Eelco Dolstra <e.dolstra@tudelft.nl> | 2012-02-15T00·31+0100 |
---|---|---|
committer | Eelco Dolstra <e.dolstra@tudelft.nl> | 2012-02-15T00·31+0100 |
commit | bd013b6f987c23c3b99b639ba7cdbc7b694a13f5 (patch) | |
tree | b1726c5b26371a9ee0666ab0b6aff9b1df5755c5 /src | |
parent | 5e57047d874e0f01dcb3bbc8b809fcc1aa82755b (diff) |
On Linux, make the Nix store really read-only by using the immutable bit
I was bitten one time too many by Python modifying the Nix store by creating *.pyc files when run as root. On Linux, we can prevent this by setting the immutable bit on files and directories (as in ‘chattr +i’). This isn't supported by all filesystems, so it's not an error if setting the bit fails. The immutable bit is cleared by the garbage collector before deleting a path. The only tricky aspect is in optimiseStore(), since it's forbidden to create hard links to an immutable file. Thus optimiseStore() temporarily clears the immutable bit before creating the link.
Diffstat (limited to 'src')
-rw-r--r-- | src/libstore/local-store.cc | 7 | ||||
-rw-r--r-- | src/libstore/optimise-store.cc | 26 | ||||
-rw-r--r-- | src/libutil/Makefile.am | 4 | ||||
-rw-r--r-- | src/libutil/immutable.cc | 67 | ||||
-rw-r--r-- | src/libutil/immutable.hh | 19 | ||||
-rw-r--r-- | src/libutil/util.cc | 3 |
6 files changed, 122 insertions, 4 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index a30839643c4b..21b1bdceae2f 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -5,6 +5,7 @@ #include "pathlocks.hh" #include "worker-protocol.hh" #include "derivations.hh" +#include "immutable.hh" #include <iostream> #include <algorithm> @@ -405,6 +406,10 @@ void canonicalisePathMetaData(const Path & path, bool recurse) if (lstat(path.c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % path); + /* Really make sure that the path is of a supported type. This + has already been checked in dumpPath(). */ + assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode)); + /* Change ownership to the current uid. If it's a symlink, use lchown if available, otherwise don't bother. Wrong ownership of a symlink doesn't matter, since the owning user can't change @@ -451,6 +456,8 @@ void canonicalisePathMetaData(const Path & path, bool recurse) foreach (Strings::iterator, i, names) canonicalisePathMetaData(path + "/" + *i, true); } + + makeImmutable(path); } diff --git a/src/libstore/optimise-store.cc b/src/libstore/optimise-store.cc index 89be6ac6529a..2ca98f46ddf4 100644 --- a/src/libstore/optimise-store.cc +++ b/src/libstore/optimise-store.cc @@ -1,5 +1,6 @@ #include "util.hh" #include "local-store.hh" +#include "immutable.hh" #include <sys/types.h> #include <sys/stat.h> @@ -19,6 +20,7 @@ static void makeWritable(const Path & path) struct stat st; if (lstat(path.c_str(), &st)) throw SysError(format("getting attributes of path `%1%'") % path); + if (S_ISDIR(st.st_mode) || S_ISREG(st.st_mode)) makeMutable(path); if (chmod(path.c_str(), st.st_mode | S_IWUSR) == -1) throw SysError(format("changing writability of `%1%'") % path); } @@ -31,6 +33,8 @@ struct MakeReadOnly ~MakeReadOnly() { try { + /* This will make the path read-only (and restore the + immutable bit on platforms that support it). */ if (path != "") canonicalisePathMetaData(path, false); } catch (...) { ignoreException(); @@ -39,6 +43,14 @@ struct MakeReadOnly }; +struct MakeImmutable +{ + Path path; + MakeImmutable(const Path & path) : path(path) { } + ~MakeImmutable() { makeImmutable(path); } +}; + + static void hashAndLink(bool dryRun, HashToPath & hashToPath, OptimiseStats & stats, const Path & path) { @@ -96,14 +108,24 @@ static void hashAndLink(bool dryRun, HashToPath & hashToPath, /* Make the containing directory writable, but only if it's not the store itself (we don't want or need to - mess with its permissions). */ + mess with its permissions). */ bool mustToggle = !isStorePath(path); if (mustToggle) makeWritable(dirOf(path)); /* When we're done, make the directory read-only again and reset its timestamp back to 0. */ MakeReadOnly makeReadOnly(mustToggle ? dirOf(path) : ""); - + + /* If ‘prevPath’ is immutable, we can't create hard links + to it, so make it mutable first (and make it immutable + again when we're done). We also have to make ‘path’ + mutable, otherwise rename() will fail to delete it. */ + makeMutable(prevPath.first); + MakeImmutable mk1(prevPath.first); + + makeMutable(path); + MakeImmutable mk2(path); + if (link(prevPath.first.c_str(), tempLink.c_str()) == -1) { if (errno == EMLINK) { /* Too many links to the same file (>= 32000 on diff --git a/src/libutil/Makefile.am b/src/libutil/Makefile.am index 98f32633b894..a326060cfea9 100644 --- a/src/libutil/Makefile.am +++ b/src/libutil/Makefile.am @@ -1,12 +1,12 @@ pkglib_LTLIBRARIES = libutil.la libutil_la_SOURCES = util.cc hash.cc serialise.cc \ - archive.cc xml-writer.cc + archive.cc xml-writer.cc immutable.cc libutil_la_LIBADD = ../boost/format/libformat.la ${aterm_lib} ${sqlite_lib} pkginclude_HEADERS = util.hh hash.hh serialise.hh \ - archive.hh xml-writer.hh types.hh + archive.hh xml-writer.hh types.hh immutable.hh if !HAVE_OPENSSL libutil_la_SOURCES += \ diff --git a/src/libutil/immutable.cc b/src/libutil/immutable.cc new file mode 100644 index 000000000000..f72f85625486 --- /dev/null +++ b/src/libutil/immutable.cc @@ -0,0 +1,67 @@ +#include "config.h" + +#include "immutable.hh" +#include "util.hh" + +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + +#if HAVE_LINUX_FS_H +#include <linux/fs.h> +#include <sys/ioctl.h> +#include <errno.h> +#endif + +namespace nix { + + +void changeMutable(const Path & path, bool mut) +{ +#if defined(FS_IOC_SETFLAGS) && defined(FS_IOC_GETFLAGS) && defined(FS_IMMUTABLE_FL) + + /* Don't even try if we're not root. One day we should support + the CAP_LINUX_IMMUTABLE capability. */ + if (getuid() != 0) return; + + /* The O_NOFOLLOW is important to prevent us from changing the + mutable bit on the target of a symlink (which would be a + security hole). */ + AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW); + if (fd == -1) { + if (errno == ELOOP) return; // it's a symlink + throw SysError(format("opening file `%1%'") % path); + } + + unsigned int flags = 0, old; + + /* Silently ignore errors getting/setting the immutable flag so + that we work correctly on filesystems that don't support it. */ + if (ioctl(fd, FS_IOC_GETFLAGS, &flags)) return; + + old = flags; + + if (mut) flags &= ~FS_IMMUTABLE_FL; + else flags |= FS_IMMUTABLE_FL; + + if (old == flags) return; + + if (ioctl(fd, FS_IOC_SETFLAGS, &flags)) return; + +#endif +} + + +void makeImmutable(const Path & path) +{ + changeMutable(path, false); +} + + +void makeMutable(const Path & path) +{ + changeMutable(path, true); +} + + +} diff --git a/src/libutil/immutable.hh b/src/libutil/immutable.hh new file mode 100644 index 000000000000..5a42a4610736 --- /dev/null +++ b/src/libutil/immutable.hh @@ -0,0 +1,19 @@ +#ifndef __IMMUTABLE_H +#define __IMMUTABLE_H + +#include <types.hh> + +namespace nix { + +/* Make the given path immutable, i.e., prevent it from being modified + in any way, even by root. This is a no-op on platforms that do not + support this, or if the calling user is not privileged. On Linux, + this is implemented by doing the equivalent of ‘chattr +i path’. */ +void makeImmutable(const Path & path); + +/* Make the given path mutable. */ +void makeMutable(const Path & path); + +} + +#endif /* !__IMMUTABLE_H */ diff --git a/src/libutil/util.cc b/src/libutil/util.cc index 42e5519b48b0..31322f9c4894 100644 --- a/src/libutil/util.cc +++ b/src/libutil/util.cc @@ -12,6 +12,7 @@ #include <limits.h> #include "util.hh" +#include "immutable.hh" extern char * * environ; @@ -304,6 +305,8 @@ static void _deletePath(const Path & path, unsigned long long & bytesFreed, struct stat st = lstat(path); + if (S_ISDIR(st.st_mode) || S_ISREG(st.st_mode)) makeMutable(path); + if (!S_ISDIR(st.st_mode) && st.st_nlink == 1) { bytesFreed += st.st_size; blocksFreed += st.st_blocks; |