guix-patches
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#77642] [PATCH] daemon: Do not make chroot root directory read-only.

From: Ludovic Courtès
Subject: [bug#77642] [PATCH] daemon: Do not make chroot root directory read-only.
Date: Thu, 10 Apr 2025 09:55:46 +0200
User-agent: Gnus/5.13 (Gnus v5.13) 
Hi,

Reepca Russelstein <reepca@russelstein.xyz> skribis:

>> +        /* Make the root read-only.
>> +
>> +           The build process could make it world-accessible, but that's
>
> Strictly speaking, in the case of --build-users-group, it couldn't even
> do that.

True.

>> +           OK: since 'chrootRootTop' is *not* world-accessible, a
>> +           world-accessible 'chrootRootDir' cannot be used to grant access
>> +           to the store to external processes.
>
> It may be more general to write "grant access to the build environment",
> unless you're using this as a shorthand for "grant access to the build
> environment, and thereby a setuid binary, and thereby (in some
> configurations) the store".

Yes, but I’ll change it as you suggest.

> Looks good to me, hopefully there aren't any major packages further down
> the line that rely on chmod("/", ...) failing.

Crossing fingers…

Ludo’.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]