From 5526a282b5b44e9296e61e07d7d2626a79141ac4 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 26 Feb 2013 02:30:19 +0100 Subject: Security: Don't allow builders to change permissions on files they don't own It turns out that in multi-user Nix, a builder may be able to do ln /etc/shadow $out/foo Afterwards, canonicalisePathMetaData() will be applied to $out/foo, causing /etc/shadow's mode to be set to 444 (readable by everybody but writable by nobody). That's obviously Very Bad. Fortunately, this fails in NixOS's default configuration because /nix/store is a bind mount, so "ln" will fail with "Invalid cross-device link". It also fails if hard-link restrictions are enabled, so a workaround is: echo 1 > /proc/sys/fs/protected_hardlinks The solution is to check that all files in $out are owned by the build user. This means that innocuous operations like "ln ${pkgs.foo}/some-file $out/" are now rejected, but that already failed in chroot builds anyway. --- src/libstore/build.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/libstore/build.cc') diff --git a/src/libstore/build.cc b/src/libstore/build.cc index f583d6857e20..73223bc1ad84 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2287,7 +2287,7 @@ void DerivationGoal::computeClosure() } /* Get rid of all weird permissions. */ - canonicalisePathMetaData(path); + canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1); /* For this output path, find the references to other paths contained in it. Compute the SHA-256 NAR hash at the same @@ -2839,7 +2839,7 @@ void SubstitutionGoal::finished() return; } - canonicalisePathMetaData(destPath); + canonicalisePathMetaData(destPath, -1); worker.store.optimisePath(destPath); // FIXME: combine with hashPath() -- cgit 1.4.1