forked from lix-project/lix
* Security: make sure the lock files used by build-remote.pl are not
readable to other users. Otherwise, any user can open the lock file for reading and lock it, thus DoSing the remote build mechanism.
This commit is contained in:
parent
69d6f0936a
commit
4d728bc3e6
|
@ -1,6 +1,6 @@
|
|||
#! @perl@ -w @perlFlags@
|
||||
|
||||
use Fcntl ':flock';
|
||||
use Fcntl qw(:DEFAULT :flock);
|
||||
use English '-no_match_vars';
|
||||
use IO::Handle;
|
||||
use Nix::Config;
|
||||
|
@ -56,7 +56,7 @@ sub openSlotLock {
|
|||
my ($machine, $slot) = @_;
|
||||
my $slotLockFn = "$currentLoad/" . (join '+', @{$machine->{systemTypes}}) . "-" . $machine->{hostName} . "-$slot";
|
||||
my $slotLock = new IO::Handle;
|
||||
open $slotLock, ">>$slotLockFn" or die;
|
||||
sysopen $slotLock, "$slotLockFn", O_RDWR|O_CREAT, 0600 or die;
|
||||
return $slotLock;
|
||||
}
|
||||
|
||||
|
@ -104,7 +104,7 @@ REQ: while (1) {
|
|||
# Acquire the exclusive lock on $currentLoad/main-lock.
|
||||
mkdir $currentLoad, 0777 or die unless -d $currentLoad;
|
||||
my $mainLock = "$currentLoad/main-lock";
|
||||
open MAINLOCK, ">>$mainLock" or die;
|
||||
sysopen MAINLOCK, "$mainLock", O_RDWR|O_CREAT, 0600 or die;
|
||||
flock(MAINLOCK, LOCK_EX) or die;
|
||||
|
||||
|
||||
|
@ -232,7 +232,7 @@ sub removeRoots {
|
|||
# the same missing path simultaneously, causing the effective network
|
||||
# bandwidth and target disk speed to be divided by N.
|
||||
my $uploadLock = "$currentLoad/$hostName.upload-lock";
|
||||
open MAINLOCK, ">>$uploadLock" or die;
|
||||
sysopen MAINLOCK, "$uploadLock", O_RDWR|O_CREAT, 0600 or die;
|
||||
flock(MAINLOCK, LOCK_EX) or die;
|
||||
Nix::CopyClosure::copyTo($hostName, [ @sshOpts ], [ $drvPath, @inputs ], "", "", 0, 0, $maybeSign ne "");
|
||||
close MAINLOCK;
|
||||
|
|
Loading…
Reference in a new issue