Remove world-writability from per-user directories

'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127.
2025-07-07 18:31:49 +02:00 · 2019-10-09 18:01:21 +02:00 · 2019-10-09 18:01:21 +02:00 · 5a303093dc
commit 5a303093dc
parent 4331eeb13d
11 changed files with 41 additions and 43 deletions
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@ -74,10 +74,11 @@ LocalStore::LocalStore(const Params & params)
       multi-user install. */
    if (getuid() == 0 && settings.buildUsersGroup != "") {

-        Path perUserDir = profilesDir + "/per-user";
-        createDirs(perUserDir);
-        if (chmod(perUserDir.c_str(), 01777) == -1)
-            throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
+        for (auto & perUserDir : {profilesDir + "/per-user", gcRootsDir + "/per-user"}) {
+            createDirs(perUserDir);
+            if (chmod(perUserDir.c_str(), 0755) == -1)
+                throw SysError("could not set permissions on '%s' to 755", perUserDir);
+        }

        mode_t perm = 01775;

@ -1432,4 +1433,19 @@ void LocalStore::signPathInfo(ValidPathInfo & info)
 }


+void LocalStore::createUser(const std::string & userName, uid_t userId)
+{
+    for (auto & dir : {
+        fmt("%s/profiles/per-user/%s", stateDir, userName),
+        fmt("%s/gcroots/per-user/%s", stateDir, userName)
+    }) {
+        createDirs(dir);
+        if (chmod(dir.c_str(), 0700) == -1)
+            throw SysError("changing permissions of directory '%s'", dir);
+        if (chown(dir.c_str(), userId, -1) == -1)
+            throw SysError("changing owner of directory '%s'", dir);
+    }
+}
+
+
 }
--- a/src/libstore/local-store.hh
+++ b/src/libstore/local-store.hh
@ -293,6 +293,8 @@ private:

    Path getRealStoreDir() override { return realStoreDir; }

+    void createUser(const std::string & userName, uid_t userId) override;
+
    friend class DerivationGoal;
    friend class SubstitutionGoal;
 };
--- a/src/libstore/store-api.hh
+++ b/src/libstore/store-api.hh
@ -628,6 +628,9 @@ public:
        return storePath;
    }

+    virtual void createUser(const std::string & userName, uid_t userId)
+    { }
+
 protected:

    Stats stats;
--- a/src/nix-daemon/nix-daemon.cc
+++ b/src/nix-daemon/nix-daemon.cc
@ -742,7 +742,8 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
 }


-static void processConnection(bool trusted)
+static void processConnection(bool trusted,
+    const std::string & userName, uid_t userId)
 {
    MonitorFdHup monitor(from.fd);

@ -793,6 +794,8 @@ static void processConnection(bool trusted)
        params["path-info-cache-size"] = "0";
        auto store = openStore(settings.storeUri, params);

+        store->createUser(userName, userId);
+
        tunnelLogger->stopWork();
        to.flush();

@ -1053,7 +1056,7 @@ static void daemonLoop(char * * argv)
                /* Handle the connection. */
                from.fd = remote.get();
                to.fd = remote.get();
-                processConnection(trusted);
+                processConnection(trusted, user, peer.uid);

                exit(0);
            }, options);
@ -1133,7 +1136,7 @@ static int _main(int argc, char * * argv)
                    }
                }
            } else {
-                processConnection(true);
+                processConnection(true, "root", 0);
            }
        } else {
            daemonLoop(argv);