author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-03-24 11:35:53 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2015-06-03 22:00:28 +0200 |
commit | 1f595ba474d8112e73df1ef7578014e59ebfccd0 (patch) | |
tree | e19ec11f7ba51a124b19924576278afbf43fc733 | |
parent | ba5888bccd2c5dfd0de73b91c3a5c18fa8c4866e (diff) | |
download | guix-1f595ba474d8112e73df1ef7578014e59ebfccd0.tar.gz |
Tighten permissions on chroot directories
-rw-r--r-- | nix/libstore/build.cc | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 7153c85788..9a69a795e8 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1768,6 +1768,12 @@ void DerivationGoal::startBuilder()
 printMsg(lvlChatty, format("setting up chroot environment in `%1%'") % chrootRootDir);
+ if (mkdir(chrootRootDir.c_str(), 0750) == -1)
+ throw SysError(format("cannot create ‘%1%’") % chrootRootDir);
+
+ if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
+ throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir);
+
 /* Create a writable /tmp in the chroot. Many builders need this. (Of course they should really respect $TMPDIR instead.) */
@@ -1818,8 +1824,12 @@ void DerivationGoal::startBuilder()
 can be bind-mounted). !!! As an extra security precaution, make the fake Nix store only writable by the build user. */
- createDirs(chrootRootDir + settings.nixStore);
- chmod_(chrootRootDir + settings.nixStore, 01777);
+ Path chrootStoreDir = chrootRootDir + settings.nixStore;
+ createDirs(chrootStoreDir);
+ chmod_(chrootStoreDir, 0730);
+
+ if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)
+ throw SysError(format("cannot change ownership of ‘%1%’") % chrootStoreDir);
 foreach (PathSet::iterator, i, inputPaths) {
 struct stat st; |
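Review bot: The 0750 passed to mkdir() on the first added line is filtered through the daemon's umask, so under a umask stricter than 027 the build group loses search permission on the chroot root and the builder cannot enter its own sandbox; the second hunk pins its mode with an explicit `chmod_` after creation, and the same belongs here, `chmod_(chrootRootDir, 0750);` placed after the chown so the final mode does not depend on the caller's umask. The chown also calls `buildUser.getGID()` unconditionally; the condition that leads into this chroot setup is outside the hunk, so confirm that this path cannot be reached without a build user acquired, since the GID applied to the directory would otherwise be meaningless. startBuilder's body begins before and continues after this hunk.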
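Review bot: The `!!! As an extra security precaution` context comment above the rewritten lines still reads as an unresolved marker, although the new lines now implement it: the fake store becomes root-owned, group = the build user's group, mode 0730, so the builder can create entries but cannot list the directory or share it with other users, which is what replacing the old world-writable 01777 is for. Reword it to state the invariant the code enforces, e.g. `The fake Nix store is owned by root with the build user's group and mode 0730: only the build user can write to it, and it cannot list it.` Note also that createDirs() presumably creates any intermediate components of settings.nixStore with their default mode and ownership, and only the leaf receives the 0730 mode and the build group; that is fine as long as those parents stay non-writable to the build user, which is worth confirming for multi-component store paths. startBuilder continues past this hunk.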