diff options
Diffstat (limited to 'src/libstore')
-rw-r--r-- | src/libstore/build.cc | 18 | ||||
-rw-r--r-- | src/libstore/gc.cc | 5 | ||||
-rw-r--r-- | src/libstore/globals.cc | 9 | ||||
-rw-r--r-- | src/libstore/globals.hh | 3 | ||||
-rw-r--r-- | src/libstore/local-store.cc | 116 | ||||
-rw-r--r-- | src/libstore/local-store.hh | 4 | ||||
-rw-r--r-- | src/libstore/optimise-store.cc | 2 | ||||
-rw-r--r-- | src/libstore/remote-store.cc | 2 | ||||
-rw-r--r-- | src/libstore/worker-protocol.hh | 8 |
9 files changed, 112 insertions, 55 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 75802c324ef9..73223bc1ad84 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -43,6 +43,12 @@ #include <sched.h> #endif +/* In GNU libc 2.11, <sys/mount.h> does not define `MS_PRIVATE', but + <linux/fs.h> does. */ +#if !defined MS_PRIVATE && defined HAVE_LINUX_FS_H +#include <linux/fs.h> +#endif + #define CHROOT_ENABLED HAVE_CHROOT && HAVE_UNSHARE && HAVE_SYS_MOUNT_H && defined(MS_BIND) && defined(MS_PRIVATE) && defined(CLONE_NEWNS) #if CHROOT_ENABLED @@ -2281,7 +2287,7 @@ void DerivationGoal::computeClosure() } /* Get rid of all weird permissions. */ - canonicalisePathMetaData(path); + canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1); /* For this output path, find the references to other paths contained in it. Compute the SHA-256 NAR hash at the same @@ -2343,13 +2349,15 @@ Path DerivationGoal::openLogFile() { if (!settings.keepLog) return ""; + string baseName = baseNameOf(drvPath); + /* Create a log file. */ - Path dir = (format("%1%/%2%") % settings.nixLogDir % drvsLogDir).str(); + Path dir = (format("%1%/%2%/%3%/") % settings.nixLogDir % drvsLogDir % string(baseName, 0, 2)).str(); createDirs(dir); if (settings.compressLog) { - Path logFileName = (format("%1%/%2%.bz2") % dir % baseNameOf(drvPath)).str(); + Path logFileName = (format("%1%/%2%.bz2") % dir % string(baseName, 2)).str(); AutoCloseFD fd = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666); if (fd == -1) throw SysError(format("creating log file `%1%'") % logFileName); closeOnExec(fd); @@ -2364,7 +2372,7 @@ Path DerivationGoal::openLogFile() return logFileName; } else { - Path logFileName = (format("%1%/%2%") % dir % baseNameOf(drvPath)).str(); + Path logFileName = (format("%1%/%2%") % dir % string(baseName, 2)).str(); fdLogFile = open(logFileName.c_str(), O_CREAT | O_WRONLY | O_TRUNC, 0666); if (fdLogFile == -1) throw SysError(format("creating log file `%1%'") % logFileName); closeOnExec(fdLogFile); @@ -2831,7 +2839,7 @@ void SubstitutionGoal::finished() return; } - canonicalisePathMetaData(destPath); + canonicalisePathMetaData(destPath, -1); worker.store.optimisePath(destPath); // FIXME: combine with hashPath() diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc index a6b1a35e77ef..113a7da15411 100644 --- a/src/libstore/gc.cc +++ b/src/libstore/gc.cc @@ -659,7 +659,10 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results) increase, since we hold locks on everything. So everything that is not reachable from `roots'. */ - if (state.shouldDelete) createDirs(state.trashDir); + if (state.shouldDelete) { + if (pathExists(state.trashDir)) deleteGarbage(state, state.trashDir); + createDirs(state.trashDir); + } /* Now either delete all garbage paths, or just the specified paths (for gcDeleteSpecific). */ diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc index 596d4774ca4d..b5a2a20bee44 100644 --- a/src/libstore/globals.cc +++ b/src/libstore/globals.cc @@ -10,6 +10,14 @@ namespace nix { +/* The default location of the daemon socket, relative to nixStateDir. + The socket is in a directory to allow you to control access to the + Nix daemon by setting the mode/ownership of the directory + appropriately. (This wouldn't work on the socket itself since it + must be deleted and recreated on startup.) */ +#define DEFAULT_SOCKET_PATH "/daemon-socket/socket" + + Settings settings; @@ -58,6 +66,7 @@ void Settings::processEnvironment() nixConfDir = canonPath(getEnv("NIX_CONF_DIR", NIX_CONF_DIR)); nixLibexecDir = canonPath(getEnv("NIX_LIBEXEC_DIR", NIX_LIBEXEC_DIR)); nixBinDir = canonPath(getEnv("NIX_BIN_DIR", NIX_BIN_DIR)); + nixDaemonSocketFile = canonPath(nixStateDir + DEFAULT_SOCKET_PATH); string subs = getEnv("NIX_SUBSTITUTERS", "default"); if (subs == "default") { diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh index be287698c6c8..f129d9a11edc 100644 --- a/src/libstore/globals.hh +++ b/src/libstore/globals.hh @@ -50,6 +50,9 @@ struct Settings { /* The directory where the main programs are stored. */ Path nixBinDir; + /* File name of the socket the daemon listens to. */ + Path nixDaemonSocketFile; + /* Whether to keep temporary directories of failed builds. */ bool keepFailed; diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 333feb2a5f30..4b8203efe374 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -47,7 +47,11 @@ static void throwSQLiteError(sqlite3 * db, const format & f) { int err = sqlite3_errcode(db); if (err == SQLITE_BUSY) { - printMsg(lvlError, "warning: SQLite database is busy"); + static bool warned = false; + if (!warned) { + printMsg(lvlError, "warning: SQLite database is busy"); + warned = true; + } /* Sleep for a while since retrying the transaction right away is likely to fail again. */ #if HAVE_NANOSLEEP @@ -461,36 +465,8 @@ void LocalStore::makeStoreWritable() const time_t mtimeStore = 1; /* 1 second into the epoch */ -void canonicalisePathMetaData(const Path & path, bool recurse) +static void canonicaliseTimestampAndPermissions(const Path & path, const struct stat & st) { - checkInterrupt(); - - struct stat st; - if (lstat(path.c_str(), &st)) - throw SysError(format("getting attributes of path `%1%'") % path); - - /* Really make sure that the path is of a supported type. This - has already been checked in dumpPath(). */ - assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode)); - - /* Change ownership to the current uid. If it's a symlink, use - lchown if available, otherwise don't bother. Wrong ownership - of a symlink doesn't matter, since the owning user can't change - the symlink and can't delete it because the directory is not - writable. The only exception is top-level paths in the Nix - store (since that directory is group-writable for the Nix build - users group); we check for this case below. */ - if (st.st_uid != geteuid()) { -#if HAVE_LCHOWN - if (lchown(path.c_str(), geteuid(), (gid_t) -1) == -1) -#else - if (!S_ISLNK(st.st_mode) && - chown(path.c_str(), geteuid(), (gid_t) -1) == -1) -#endif - throw SysError(format("changing owner of `%1%' to %2%") - % path % geteuid()); - } - if (!S_ISLNK(st.st_mode)) { /* Mask out all type related bits. */ @@ -521,18 +497,84 @@ void canonicalisePathMetaData(const Path & path, bool recurse) #endif throw SysError(format("changing modification time of `%1%'") % path); } +} + + +void canonicaliseTimestampAndPermissions(const Path & path) +{ + struct stat st; + if (lstat(path.c_str(), &st)) + throw SysError(format("getting attributes of path `%1%'") % path); + canonicaliseTimestampAndPermissions(path, st); +} + + +typedef std::pair<dev_t, ino_t> Inode; +typedef set<Inode> InodesSeen; - if (recurse && S_ISDIR(st.st_mode)) { + +static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSeen & inodesSeen) +{ + checkInterrupt(); + + struct stat st; + if (lstat(path.c_str(), &st)) + throw SysError(format("getting attributes of path `%1%'") % path); + + /* Really make sure that the path is of a supported type. This + has already been checked in dumpPath(). */ + assert(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode)); + + /* Fail if the file is not owned by the build user. This prevents + us from messing up the ownership/permissions of files + hard-linked into the output (e.g. "ln /etc/shadow $out/foo"). + However, ignore files that we chown'ed ourselves previously to + ensure that we don't fail on hard links within the same build + (i.e. "touch $out/foo; ln $out/foo $out/bar"). */ + if (fromUid != (uid_t) -1 && st.st_uid != fromUid) { + assert(!S_ISDIR(st.st_mode)); + if (inodesSeen.find(Inode(st.st_dev, st.st_ino)) == inodesSeen.end()) + throw BuildError(format("invalid ownership on file `%1%'") % path); + mode_t mode = st.st_mode & ~S_IFMT; + assert(S_ISLNK(st.st_mode) || (st.st_uid == geteuid() && (mode == 0444 || mode == 0555) && st.st_mtime == mtimeStore)); + return; + } + + inodesSeen.insert(Inode(st.st_dev, st.st_ino)); + + canonicaliseTimestampAndPermissions(path, st); + + /* Change ownership to the current uid. If it's a symlink, use + lchown if available, otherwise don't bother. Wrong ownership + of a symlink doesn't matter, since the owning user can't change + the symlink and can't delete it because the directory is not + writable. The only exception is top-level paths in the Nix + store (since that directory is group-writable for the Nix build + users group); we check for this case below. */ + if (st.st_uid != geteuid()) { +#if HAVE_LCHOWN + if (lchown(path.c_str(), geteuid(), (gid_t) -1) == -1) +#else + if (!S_ISLNK(st.st_mode) && + chown(path.c_str(), geteuid(), (gid_t) -1) == -1) +#endif + throw SysError(format("changing owner of `%1%' to %2%") + % path % geteuid()); + } + + if (S_ISDIR(st.st_mode)) { Strings names = readDirectory(path); foreach (Strings::iterator, i, names) - canonicalisePathMetaData(path + "/" + *i, true); + canonicalisePathMetaData_(path + "/" + *i, fromUid, inodesSeen); } } -void canonicalisePathMetaData(const Path & path) +void canonicalisePathMetaData(const Path & path, uid_t fromUid) { - canonicalisePathMetaData(path, true); + InodesSeen inodesSeen; + + canonicalisePathMetaData_(path, fromUid, inodesSeen); /* On platforms that don't have lchown(), the top-level path can't be a symlink, since we can't change its ownership. */ @@ -1194,7 +1236,7 @@ Path LocalStore::addToStoreFromDump(const string & dump, const string & name, } else writeFile(dstPath, dump); - canonicalisePathMetaData(dstPath); + canonicalisePathMetaData(dstPath, -1); /* Register the SHA-256 hash of the NAR serialisation of the path in the database. We may just have computed it @@ -1259,7 +1301,7 @@ Path LocalStore::addTextToStore(const string & name, const string & s, writeFile(dstPath, s); - canonicalisePathMetaData(dstPath); + canonicalisePathMetaData(dstPath, -1); HashResult hash = hashPath(htSHA256, dstPath); @@ -1494,7 +1536,7 @@ Path LocalStore::importPath(bool requireSignature, Source & source) throw SysError(format("cannot move `%1%' to `%2%'") % unpacked % dstPath); - canonicalisePathMetaData(dstPath); + canonicalisePathMetaData(dstPath, -1); /* !!! if we were clever, we could prevent the hashPath() here. */ diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 2b0d71380915..14a826b3a58d 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -307,9 +307,9 @@ private: without execute permission; setuid bits etc. are cleared) - the owner and group are set to the Nix user and group, if we're in a setuid Nix installation. */ -void canonicalisePathMetaData(const Path & path); +void canonicalisePathMetaData(const Path & path, uid_t fromUid); -void canonicalisePathMetaData(const Path & path, bool recurse); +void canonicaliseTimestampAndPermissions(const Path & path); MakeError(PathInUse, Error); diff --git a/src/libstore/optimise-store.cc b/src/libstore/optimise-store.cc index e91c2b1ce52c..d833f3aa05b5 100644 --- a/src/libstore/optimise-store.cc +++ b/src/libstore/optimise-store.cc @@ -32,7 +32,7 @@ struct MakeReadOnly { try { /* This will make the path read-only. */ - if (path != "") canonicalisePathMetaData(path, false); + if (path != "") canonicaliseTimestampAndPermissions(path); } catch (...) { ignoreException(); } diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index 0e62914c022f..2b5a932131c3 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -91,7 +91,7 @@ void RemoteStore::connectToDaemon() throw SysError("cannot create Unix domain socket"); closeOnExec(fdSocket); - string socketPath = settings.nixStateDir + DEFAULT_SOCKET_PATH; + string socketPath = settings.nixDaemonSocketFile; /* Urgh, sockaddr_un allows path names of only 108 characters. So chdir to the socket directory so that we can pass a relative diff --git a/src/libstore/worker-protocol.hh b/src/libstore/worker-protocol.hh index 46035f4577e3..07f825b9273f 100644 --- a/src/libstore/worker-protocol.hh +++ b/src/libstore/worker-protocol.hh @@ -53,14 +53,6 @@ typedef enum { #define STDERR_ERROR 0x63787470 -/* The default location of the daemon socket, relative to nixStateDir. - The socket is in a directory to allow you to control access to the - Nix daemon by setting the mode/ownership of the directory - appropriately. (This wouldn't work on the socket itself since it - must be deleted and recreated on startup.) */ -#define DEFAULT_SOCKET_PATH "/daemon-socket/socket" - - Path readStorePath(Source & from); template<class T> T readStorePaths(Source & from); |