From bd013b6f987c23c3b99b639ba7cdbc7b694a13f5 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Wed, 15 Feb 2012 01:31:56 +0100
Subject: On Linux, make the Nix store really read-only by using the immutable bit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I was bitten one time too many by Python modifying the Nix store by creating *.pyc files when run as root. On Linux, we can prevent this by setting the immutable bit on files and directories (as in ‘chattr +i’). This isn't supported by all filesystems, so it's not an error if setting the bit fails. The immutable bit is cleared by the garbage collector before deleting a path. The only tricky aspect is in optimiseStore(), since it's forbidden to create hard links to an immutable file. Thus optimiseStore() temporarily clears the immutable bit before creating the link.
---
src/libutil/immutable.cc | 67 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 src/libutil/immutable.cc
(limited to 'src/libutil/immutable.cc')
diff --git a/src/libutil/immutable.cc b/src/libutil/immutable.cc
new file mode 100644
index 000000000000..f72f85625486
--- /dev/null
+++ b/src/libutil/immutable.cc
@@ -0,0 +1,67 @@
+#include "config.h"
+
+#include "immutable.hh"
+#include "util.hh"
+
+#include
+#include
+#include
+
+#if HAVE_LINUX_FS_H
+#include
+#include
+#include
+#endif
+
+namespace nix {
+
+
+void changeMutable(const Path & path, bool mut)
+{
+#if defined(FS_IOC_SETFLAGS) && defined(FS_IOC_GETFLAGS) && defined(FS_IMMUTABLE_FL)
+
+ /* Don't even try if we're not root. One day we should support
+ the CAP_LINUX_IMMUTABLE capability. */
+ if (getuid() != 0) return;
+
+ /* The O_NOFOLLOW is important to prevent us from changing the
+ mutable bit on the target of a symlink (which would be a
+ security hole). */
+ AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW);
+ if (fd == -1) {
+ if (errno == ELOOP) return; // it's a symlink
+ throw SysError(format("opening file `%1%'") % path);
+ }
+
+ unsigned int flags = 0, old;
+
+ /* Silently ignore errors getting/setting the immutable flag so
+ that we work correctly on filesystems that don't support it. */
+ if (ioctl(fd, FS_IOC_GETFLAGS, &flags)) return;
+
+ old = flags;
+
+ if (mut) flags &= ~FS_IMMUTABLE_FL;
+ else flags |= FS_IMMUTABLE_FL;
+
+ if (old == flags) return;
+
+ if (ioctl(fd, FS_IOC_SETFLAGS, &flags)) return;
+
+#endif
+}
+
+
+void makeImmutable(const Path & path)
+{
+ changeMutable(path, false);
+}
+
+
+void makeMutable(const Path & path)
+{
+ changeMutable(path, true);
+}
+
+
+}
--
cgit 1.4.1
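Review bot: The `open()` on the `AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW);` line opens whatever inode the path names, so if a path under the store is ever a FIFO the call blocks until a writer appears and opening a device node can have side effects; the flag ioctls do not depend on blocking mode, so `AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);` avoids both without changing behaviour for regular files and directories. The root check a few lines above uses `getuid()`, but the kernel decides CAP_LINUX_IMMUTABLE on the effective credentials, so `if (geteuid() != 0) return;` matches what FS_IOC_SETFLAGS will actually check. The early returns on ioctl failure are deliberate per the inline comment, yet changeMutable has no header comment saying so; a `/* Best effort: a no-op when not root, on non-Linux builds, or on filesystems without the immutable flag. Callers must not treat the bit as a guarantee. */` above the definition would make the contract explicit for makeImmutable/makeMutable callers such as the GC. Finally, `old` is declared uninitialised on the `unsigned int flags = 0, old;` line and only assigned after the GETFLAGS call; `unsigned int old = flags;` at that point is the clearer form.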