From cd49ee08970f0fa44053fb12cdf29668e8131a51 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 13 Jun 2013 17:12:24 +0200 Subject: [PATCH] Fix a security bug in hash rewriting Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled. --- src/libstore/build.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index 2d3371957..e49c66fc5 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -1489,6 +1489,12 @@ void DerivationGoal::buildDone() /* Apply hash rewriting if necessary. */ if (!rewritesFromTmp.empty()) { printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path); + + /* Canonicalise first. This ensures that the path + we're rewriting doesn't contain a hard link to + /etc/shadow or something like that. */ + canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1); + /* FIXME: this is in-memory. */ StringSink sink; dumpPath(path, sink);