Fix a security bug in hash rewriting

Before calling dumpPath(), we have to make sure the files are owned by
the build user.  Otherwise, the build could contain a hard link to
(say) /etc/shadow, which would then be read by the daemon and
rewritten as a world-readable file.

This only affects systems that don't have hard link restrictions
enabled.
Eelco Dolstra 2013-06-13 17:12:24 +02:00
parent 1e2c7c04b1
commit cd49ee0897
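As an added illustration of the check the commit relies on (example code written for this page, not Nix's own implementation; the function names, the fixture created under /tmp and the file names in it are made up for the demonstration), the walk below lstat()s every entry of an output path and rejects any file whose owner is not the build user, before a single byte of content is read. Passing (uid_t) -1 as the expected owner disables the comparison, mirroring the `buildUser.enabled() ? buildUser.getUID() : -1` argument in the hunk.

```cpp
// Added example, not Nix code: a minimal ownership check in the spirit of the
// canonicalisePathMetaData() call that the commit moves before dumpPath().
// Every entry under the output is lstat()ed before any content is read; an
// entry not owned by the build user is rejected, so a hard link the build made
// to a root-owned file such as /etc/shadow is never dumped or rewritten.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <dirent.h>
#include <fcntl.h>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Returns false if any file in the tree rooted at `path` has an owner other
// than `from_uid`.  lstat() is used so symlinks are checked, not followed.
// from_uid == (uid_t) -1 means "no build user", and skips the owner test.
bool ownership_ok(const std::string &path, uid_t from_uid) {
    struct stat st;
    if (lstat(path.c_str(), &st) == -1) return false;

    // A hard link to a file the build user does not own shows up here with a
    // foreign st_uid (and st_nlink > 1).  Hard links between files the build
    // user owns are harmless and pass.
    if (from_uid != (uid_t) -1 && st.st_uid != from_uid) {
        std::fprintf(stderr, "invalid ownership on `%s' (uid %u, expected %u, nlink %lu)\n",
                     path.c_str(), (unsigned) st.st_uid, (unsigned) from_uid,
                     (unsigned long) st.st_nlink);
        return false;
    }

    if (!S_ISDIR(st.st_mode)) return true;

    DIR *dir = opendir(path.c_str());
    if (!dir) return false;
    bool ok = true;
    while (struct dirent *ent = readdir(dir)) {
        if (!std::strcmp(ent->d_name, ".") || !std::strcmp(ent->d_name, "..")) continue;
        if (!ownership_ok(path + "/" + ent->d_name, from_uid)) { ok = false; break; }
    }
    closedir(dir);
    return ok;
}

// Constructed fixture (hypothetical "build output"): a temporary directory
// with a regular file, a hard link to it, and an empty subdirectory.
std::string make_fixture() {
    char tmpl[] = "/tmp/nix-out-XXXXXX";
    char *dir = mkdtemp(tmpl);
    if (!dir) return "";
    std::string root(dir);
    std::string file = root + "/bin";
    int fd = open(file.c_str(), O_WRONLY | O_CREAT, 0644);
    if (fd == -1) return "";
    (void) write(fd, "#!/bin/sh\n", 10);
    close(fd);
    (void) link(file.c_str(), (root + "/bin-link").c_str());   // st_nlink becomes 2
    (void) mkdir((root + "/lib").c_str(), 0755);
    return root;
}

int main() {
    std::string out = make_fixture();
    uid_t me = getuid();
    // Everything in the fixture was created by this process, so the check
    // passes for our own uid and fails when any other owner is expected.
    std::printf("owned by us:        %s\n", ownership_ok(out, me) ? "ok" : "REJECTED");
    std::printf("expected other uid: %s\n", ownership_ok(out, me + 1) ? "ok" : "REJECTED");
    std::printf("no build user (-1): %s\n", ownership_ok(out, (uid_t) -1) ? "ok" : "REJECTED");
    return 0;
}
```

Run as an ordinary user it prints ok for the caller's own uid, REJECTED when a different uid is expected (the shape of the /etc/shadow case: a root-owned entry inside an output that should belong entirely to the build user), and ok again for -1, which is the no-build-user case that the hunk's argument lets through unchecked. The order matters: the check has to precede dumpPath(), because the vulnerable step is reading the linked file's contents into the copy that gets rewritten.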


@ -1489,6 +1489,12 @@ void DerivationGoal::buildDone()
/* Apply hash rewriting if necessary. */ /* Apply hash rewriting if necessary. */
if (!rewritesFromTmp.empty()) { if (!rewritesFromTmp.empty()) {
printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path); printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path);
/* Canonicalise first. This ensures that the path
we're rewriting doesn't contain a hard link to
/etc/shadow or something like that. */
canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
/* FIXME: this is in-memory. */ /* FIXME: this is in-memory. */
StringSink sink; StringSink sink;
dumpPath(path, sink); dumpPath(path, sink);
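Review bot: the comment on the new canonicalisePathMetaData() call overstates what it guarantees: the second argument is -1 whenever buildUser.enabled() is false, and with -1 the ownership comparison is skipped, so "ensures that the path we're rewriting doesn't contain a hard link to /etc/shadow" only holds when a build user is in use (without one the build ran as the daemon itself, which could read the target anyway, as the commit message implies). Suggest saying so in the comment, e.g. "Only effective when build users are enabled", and naming the actual mechanism, which is canonicalisePathMetaData() rejecting files not owned by the build user (a hard link to a root-owned file fails that test; a hard link to a file the build user owns is harmless), rather than canonicalisation as such. Placing the call inside `if (!rewritesFromTmp.empty())` and before `dumpPath(path, sink);` is right, since the unsafe read is the dumpPath() in this branch.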