Age | Commit message (Collapse) | Author | Files | Lines |
|
chroot only changes the process root directory, not the mount namespace root
directory, and it is well-known that any process with chroot capability can
break out of a chroot "jail". By using pivot_root as well, and unmounting the
original mount namespace root directory, breaking out becomes impossible.
Non-root processes typically have no ability to use chroot() anyway, but they
can gain that capability through the use of clone() or unshare(). For security
reasons, these syscalls are limited in functionality when used inside a normal
chroot environment. Using pivot_root() this way does allow those syscalls to be
put to their full use.
|
|
|
|
|
|
|
|
Fixes #453
|
|
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.
The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
|
|
|
|
|
|
baseNameOf: Don't copy paths to the store first
|
|
due to user permissions)
|
|
$ nix-env -f ~/Dev/nixops/ -iA foo
nix-env: src/libexpr/eval.hh:57: void nix::Bindings::push_back(const nix::Attr&): Assertion `size_ < capacity' failed.
Aborted
|
|
These directories are generally world-readable anyway, and give us the two
most common linux impurities (env and sh)
|
|
|
|
Since these come from untrusted users, we shouldn't do any I/O on them
before we've checked that they're in an allowed prefix.
|
|
|
|
The DT_UNKNOWN fallback code was getting the type of the wrong path,
causing readDir to report "directory" as the type of every file.
Reported by deepfire on IRC.
|
|
|
|
|
|
I.e., not readable to the nixbld group. This improves purity a bit for
non-chroot builds, because it prevents a builder from enumerating
store paths (i.e. it can only access paths it knows about).
|
|
|
|
|
|
Fixes #433.
|
|
|
|
Let's not just improve the error message itself, but also the behaviour
to actually work around the ntfs-3g symlink bug. If the readlink() call
returns a smaller size than the stat() call, this really isn't a problem
even if the symlink target really has changed between the calls.
So if stat() reports the size for the absolute path, it's most likely
that the relative path is smaller and thus it should also work for file
system bugs as mentioned in 93002d69fc58c2b71e2dfad202139230c630c53a.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: John Ericson <Ericson2314@Yahoo.com>
|
|
A message like "error: reading symbolic link `...' : Success" really is
quite confusing, so let's not indicate "success" but rather point out
the real issue.
We could also limit the check of this to just check for non-negative
values, but this would introduce a race condition between stat() and
readlink() if the link target changes between those two calls, thus
leading to a buffer overflow vulnerability.
Reported by @Ericson2314 on IRC. Happened due to a possible ntfs-3g bug
where a relative symlink returned the absolute path (st_)size in stat()
while readlink() returned the relative size.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: John Ericson <Ericson2314@Yahoo.com>
|
|
See NixOS/nixpkgs@9245516
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
http://hydra.nixos.org/build/17862041
|
|
|
|
|
|
This broke building with "-vv", because the builder is not allowed to
write to stderr at this point.
|
|
|
|
|
|
|
|
|
|
Borrowed from systemd.
|
|
|
|
|
|
|
|
The pid field can be -1 if forking the substituter process failed.
|
|
This reverts commit d34d2b2bbf784c0bb420a50905af25e02c6e4989.
|
|
|
|
|
|
http://hydra.nixos.org/build/17690555
|