author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-06-12 12:10:26 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-06-12 12:10:26 +0200 |
commit | 6b05f688ee6849b89e7fb0d3fb7b678f316039e7 (patch) | |
tree | 840aa27fbd5700900eac2463a5268f370f7627a5 | |
parent | 5c06e5297d3e8660abfa238b7244d958237e54e8 (diff) | |
nix-daemon: Trust options like binary-caches when the client is root
Fixes #127.
-rw-r--r-- | src/nix-daemon/nix-daemon.cc | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc
index a3ab1d068b..6b5dd7e5aa 100644
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@@ -273,7 +273,7 @@ struct SavingSourceAdapter : Source
 };
-static void performOp(unsigned int clientVersion,
+static void performOp(bool trusted, unsigned int clientVersion,
 Source & from, Sink & to, unsigned int op)
 {
 switch (op) {
@@ -554,7 +554,7 @@ static void performOp(unsigned int clientVersion,
 if (name == "build-timeout")
 string2Int(value, settings.buildTimeout);
 else
- settings.set("untrusted-" + name, value);
+ settings.set(trusted ? name : "untrusted-" + name, value);
 }
 }
 startWork();
@@ -643,7 +643,7 @@ static void performOp(unsigned int clientVersion,
 }
-static void processConnection()
+static void processConnection(bool trusted)
 {
 canSendStderr = false;
 myPid = getpid();
@@ -711,7 +711,7 @@ static void processConnection()
 opCount++;
 try {
- performOp(clientVersion, from, to, op);
+ performOp(trusted, clientVersion, from, to, op);
 } catch (Error & e) {
 /* If we're not in a state were we can send replies, then something went wrong processing the input of the
@@ -839,6 +839,7 @@ static void daemonLoop()
 /* Get the identity of the caller, if possible. */
 uid_t clientUid = -1;
 pid_t clientPid = -1;
+ bool trusted = false;
 #if defined(SO_PEERCRED)
 ucred cred;
@@ -846,6 +847,7 @@ static void daemonLoop()
 if (getsockopt(remote, SOL_SOCKET, SO_PEERCRED, &cred, &credLen) != -1) {
 clientPid = cred.pid;
 clientUid = cred.uid;
+ if (clientUid == 0) trusted = true;
 }
 #endif
@@ -879,7 +881,7 @@ static void daemonLoop()
 /* Handle the connection. */
 from.fd = remote;
 to.fd = remote;
- processConnection();
+ processConnection(trusted);
 } catch (std::exception & e) {
 writeToStderr("child error: " + string(e.what()) + "\n"); |
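Review bot: In the `@@ -554,7 +554,7 @@` hunk, a trusted client's option name is passed to `settings.set(name, value)` as received, so a root client can override any setting the daemon knows, not only the `binary-caches`-style options the commit title names; whether `settings.set` itself restricts names is not visible here. If that breadth is intended, say so next to the call, e.g. `/* Root may override any setting; other clients are confined to the "untrusted-" namespace. */`. The expression also depends on `+` binding tighter than `?:`, and `trusted ? name : ("untrusted-" + name)` makes that explicit for the next reader. The enclosing loop and the rest of performOp lie outside the hunk.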
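Review bot: In the `@@ -846,6 +847,7 @@` hunk, `trusted` can only become true inside the `#if defined(SO_PEERCRED)` block, so on a platform without SO_PEERCRED, or when getsockopt() fails, a root client is silently handled as untrusted. That fails closed, which is the safe direction, but it should be documented at the declaration in the `@@ -839,6 +839,7 @@` hunk, e.g. `/* Stays false unless the kernel reports the peer as uid 0. */`. Because this flag now decides whether client-supplied settings bypass the "untrusted-" prefix, recording the trust decision alongside the peer pid and uid in whatever connection logging daemonLoop already does would give operators an audit trail. daemonLoop's body continues outside both hunks.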