daemon: Prevent privilege escalation with '--keep-failed' [security]. - ~cnx/guix

diff options

author	Ludovic Courtès <ludo@gnu.org>	2021-03-18 11:39:39 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2021-03-18 12:18:56 +0100
commit	ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf (patch)
tree	b9330befde8c1dc8a07ad1a2571cbe4d008a0128 /doc
parent	898489f48e436e45e86e1ba0fcdb6df5cd5a051a (diff)
download	guix-ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf.tar.gz

daemon: Prevent privilege escalation with '--keep-failed' [security].

Fixes <https://bugs.gnu.org/47229>.
Reported by Nathan Nye of WhiteBeam Security.

* nix/libstore/build.cc (DerivationGoal::startBuilder): When 'useChroot'
is true, add "/top" to 'tmpDir'.
(DerivationGoal::deleteTmpDir): Adjust accordingly.  When
'settings.keepFailed' is true, chown in two steps: first the "/top"
sub-directory, and then rename "/top" to its parent.

Diffstat (limited to 'doc')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: