libstore: ensure that temporary directory is always 0o000 before deletion

In the case the deletion fails, we should ensure that the temporary directory cannot be used for nefarious purposes. Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120 Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-25 06:31:14 +02:00 · 2025-03-27 12:22:26 +01:00 · 2025-03-27 12:22:26 +01:00 · 4ea4813753
commit 4ea4813753
parent 5ec047f348
1 changed files with 9 additions and 0 deletions
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@ -2093,6 +2093,15 @@ void DerivationBuilderImpl::checkOutputs(const std::map<std::string, ValidPathIn
 void DerivationBuilderImpl::deleteTmpDir(bool force)
 {
    if (topTmpDir != "") {
+        /* As an extra caution, even in the event of `deletePath` failing to
+         * cleaning up behind. The `tmpDir` will be chown as if we were to move
+         * it inside the Nix store.
+         *
+         * This hardens against an attack which smuggles a file descriptor
+         * to make use of the temporary directory.
+         */
+        chmod(topTmpDir.c_str(), 0000);
+
        /* Don't keep temporary directories for builtins because they
           might have privileged stuff (like a copy of netrc). */
        if (settings.keepFailed && !force && !drv.isBuiltin()) {