Run the builds in a daemon-controled directory

Instead of running the builds under `$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}` where the build directory is only readable and traversable by the daemon user. This achieves two things: 1. It prevents builders from making their build directory world-readable (or even writeable), which would allow the outside world to interact with them. 2. It prevents external processes running as the build user (either because that somehow leaked, maybe as a consequence of 1., or because `build-users` isn't in use) from gaining access to the build directory. fix: do not use unknown setting tests: remove build-dir test
2025-06-29 10:31:15 +02:00 · 2024-04-02 17:06:48 +02:00 · 2024-04-02 17:06:48 +02:00 · 3481a9c41d
commit 3481a9c41d
parent d24431dea2
4 changed files with 28 additions and 13 deletions
--- a/src/libutil/util.cc
+++ b/src/libutil/util.cc
@ -679,6 +679,11 @@ std::optional<Path> getSelfExe()
    return cached;
 }

+void createDir(const Path &path, mode_t mode)
+{
+    if (mkdir(path.c_str(), mode) == -1)
+        throw SysError("creating directory '%1%'", path);
+}

 Paths createDirs(const Path & path)
 {