Disallow the build directory having world-writable parents

2025-06-24 22:11:15 +02:00 · 2025-06-12 11:04:07 +02:00 · 2025-06-12 11:04:07 +02:00 · 5acf50a327
commit 5acf50a327
parent 88b7db1ba4
2 changed files with 19 additions and 0 deletions
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@ -698,6 +698,18 @@ static void handleChildException(bool sendException)
    }
 }

+static bool checkNotWorldWritable(std::filesystem::path path)
+{
+    while (true) {
+        auto st = lstat(path);
+        if (st.st_mode & S_IWOTH)
+            return false;
+        if (path == path.parent_path()) break;
+        path = path.parent_path();
+    }
+    return true;
+}
+
 void DerivationBuilderImpl::startBuilder()
 {
    /* Make sure that no other processes are executing under the
@ -729,6 +741,9 @@ void DerivationBuilderImpl::startBuilder()

    createDirs(buildDir);

+    if (buildUser && !checkNotWorldWritable(buildDir))
+        throw Error("Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir);
+
    /* Create a temporary directory where the build will take
       place. */
    topTmpDir = createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), 0700);
--- a/tests/nixos/chroot-store.nix
+++ b/tests/nixos/chroot-store.nix
@ -41,5 +41,9 @@ in

      # Test that /nix/store is available via an overlayfs mount.
      machine.succeed("nix shell --store /tmp/nix ${pkgA} --command cowsay foo >&2")
+
+      # Building in /tmp should fail for security reasons.
+      err = machine.fail("nix build --offline --store /tmp/nix --expr 'builtins.derivation { name = \"foo\"; system = \"x86_64-linux\"; builder = \"/foo\"; }' 2>&1")
+      assert "is world-writable" in err
    '';
 }