wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-06 09:11:47 +02:00
Code Activity

Disallow the build directory having world-writable parents

Browse source
This commit is contained in:
Eelco Dolstra 2025-06-12 11:04:07 +02:00 committed by Jörg Thalheim
parent 88b7db1ba4
commit 5acf50a327
2 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
src/libstore/unix/build/derivation-builder.cc
View file

@ -698,6 +698,18 @@ static void handleChildException(bool sendException)
}
}
static bool checkNotWorldWritable(std::filesystem::path path)
{
while (true) {
auto st = lstat(path);
if (st.st_mode & S_IWOTH)
return false;
if (path == path.parent_path()) break;
path = path.parent_path();
}
return true;
}
void DerivationBuilderImpl::startBuilder()
{
/* Make sure that no other processes are executing under the
@ -729,6 +741,9 @@ void DerivationBuilderImpl::startBuilder()
createDirs(buildDir);
if (buildUser && !checkNotWorldWritable(buildDir))
throw Error("Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir);
/* Create a temporary directory where the build will take
place. */
topTmpDir = createTempDir(buildDir, "nix-build-" + std::string(drvPath.name()), 0700);