22/27: Tighten permissions on chroot directories

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

22/27: Tighten permissions on chroot directories

From:	Ludovic Court�s
Subject:	22/27: Tighten permissions on chroot directories
Date:	Wed, 03 Jun 2015 22:00:45 +0000

civodul pushed a commit to branch nix
in repository guix.

commit 1f595ba474d8112e73df1ef7578014e59ebfccd0
Author: Eelco Dolstra <address@hidden>
Date:   Tue Mar 24 11:35:53 2015 +0100

    Tighten permissions on chroot directories
---
 nix/libstore/build.cc |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index 7153c85..9a69a79 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -1768,6 +1768,12 @@ void DerivationGoal::startBuilder()
 
         printMsg(lvlChatty, format("setting up chroot environment in `%1%'") % 
chrootRootDir);
 
+        if (mkdir(chrootRootDir.c_str(), 0750) == -1)
+            throw SysError(format("cannot create ‘%1%’") % chrootRootDir);
+
+        if (chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
+            throw SysError(format("cannot change ownership of ‘%1%’") % 
chrootRootDir);
+
         /* Create a writable /tmp in the chroot.  Many builders need
            this.  (Of course they should really respect $TMPDIR
            instead.) */
@@ -1818,8 +1824,12 @@ void DerivationGoal::startBuilder()
            can be bind-mounted).  !!! As an extra security
            precaution, make the fake Nix store only writable by the
            build user. */
-        createDirs(chrootRootDir + settings.nixStore);
-        chmod_(chrootRootDir + settings.nixStore, 01777);
+        Path chrootStoreDir = chrootRootDir + settings.nixStore;
+        createDirs(chrootStoreDir);
+        chmod_(chrootStoreDir, 0730);
+
+        if (chown(chrootStoreDir.c_str(), 0, buildUser.getGID()) == -1)
+            throw SysError(format("cannot change ownership of ‘%1%’") % 
chrootStoreDir);
 
         foreach (PathSet::iterator, i, inputPaths) {
             struct stat st;

[Prev in Thread]

Current Thread

[Next in Thread]

05/27: Ensure we're writing to stderr in the builder, (continued)
- 05/27: Ensure we're writing to stderr in the builder, Ludovic Court�s, 2015/06/03
- 12/27: libutil: Improve errmsg on readLink size mismatch., Ludovic Court�s, 2015/06/03
- 13/27: libutil: Limit readLink() error to only overflows., Ludovic Court�s, 2015/06/03
- 11/27: Pedantry, Ludovic Court�s, 2015/06/03
- 14/27: Set /nix/store permission to 1737, Ludovic Court�s, 2015/06/03
- 16/27: Doh^2, Ludovic Court�s, 2015/06/03
- 17/27: Simplify printHash32, Ludovic Court�s, 2015/06/03
- 18/27: Simplify parseHash32, Ludovic Court�s, 2015/06/03
- 19/27: Use pivot_root in addition to chroot when possible, Ludovic Court�s, 2015/06/03
- 15/27: Doh, Ludovic Court�s, 2015/06/03
- 22/27: Tighten permissions on chroot directories, Ludovic Court�s <=
- 20/27: Use chroots for all derivations, Ludovic Court�s, 2015/06/03
- 25/27: Revert /nix/store permission back to 01775, Ludovic Court�s, 2015/06/03
- 21/27: Fix typos: s/the the/the/, Ludovic Court�s, 2015/06/03
- 24/27: Chroot builds: Provide world-readable /nix/store, Ludovic Court�s, 2015/06/03
- 23/27: addToStore(): Take explicit name argument, Ludovic Court�s, 2015/06/03
- 27/27: Don't let unprivileged users repair paths, Ludovic Court�s, 2015/06/03
- 26/27: Add a ‘verifyStore’ RPC, Ludovic Court�s, 2015/06/03

Prev by Date: 15/27: Doh
Next by Date: 20/27: Use chroots for all derivations
Previous by thread: 15/27: Doh
Next by thread: 20/27: Use chroots for all derivations
Index(es):
- Date
- Thread