forked from lix-project/lix
5526a282b5
It turns out that in multi-user Nix, a builder may be able to do
ln /etc/shadow $out/foo
Afterwards, canonicalisePathMetaData() will be applied to $out/foo,
causing /etc/shadow's mode to be set to 444 (readable by everybody but
writable by nobody). That's obviously Very Bad.
Fortunately, this fails in NixOS's default configuration because
/nix/store is a bind mount, so "ln" will fail with "Invalid
cross-device link". It also fails if hard-link restrictions are
enabled, so a workaround is:
echo 1 > /proc/sys/fs/protected_hardlinks
The solution is to check that all files in $out are owned by the build
user. This means that innocuous operations like "ln
${pkgs.foo}/some-file $out/" are now rejected, but that already failed
in chroot builds anyway.
|
||
|---|---|---|
| .. | ||
| build.cc | ||
| derivations.cc | ||
| derivations.hh | ||
| gc.cc | ||
| globals.cc | ||
| globals.hh | ||
| local-store.cc | ||
| local-store.hh | ||
| Makefile.am | ||
| misc.cc | ||
| misc.hh | ||
| optimise-store.cc | ||
| pathlocks.cc | ||
| pathlocks.hh | ||
| references.cc | ||
| references.hh | ||
| remote-store.cc | ||
| remote-store.hh | ||
| schema.sql | ||
| store-api.cc | ||
| store-api.hh | ||
| worker-protocol.hh | ||