mirror of
https://github.com/NixOS/nix
synced 2025-07-06 21:41:48 +02:00
Set /nix/store permission to 1737
I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
parent
128538ef06
commit
27b7b94923
2 changed files with 6 additions and 19 deletions
|
@ -1736,21 +1736,6 @@ void DerivationGoal::startBuilder()
|
|||
/* Change ownership of the temporary build directory. */
|
||||
if (chown(tmpDir.c_str(), buildUser.getUID(), buildUser.getGID()) == -1)
|
||||
throw SysError(format("cannot change ownership of ‘%1%’") % tmpDir);
|
||||
|
||||
/* Check that the Nix store has the appropriate permissions,
|
||||
i.e., owned by root and mode 1775 (sticky bit on so that
|
||||
the builder can create its output but not mess with the
|
||||
outputs of other processes). */
|
||||
struct stat st;
|
||||
if (stat(settings.nixStore.c_str(), &st) == -1)
|
||||
throw SysError(format("cannot stat ‘%1%’") % settings.nixStore);
|
||||
if (!(st.st_mode & S_ISVTX) ||
|
||||
((st.st_mode & S_IRWXG) != S_IRWXG) ||
|
||||
(st.st_gid != buildUser.getGID()))
|
||||
throw Error(format(
|
||||
"builder does not have write permission to ‘%2%’; "
|
||||
"try ‘chgrp %1% %2%; chmod 1775 %2%’")
|
||||
% buildUser.getGID() % settings.nixStore);
|
||||
}
|
||||
|
||||
|
||||
|
|