diff options
author | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30 13:43:51 +0200 |
---|---|---|
committer | Eelco Dolstra <edolstra@gmail.com> | 2017-05-30 13:47:41 +0200 |
commit | d798349ede3d6eb6e92a2e4f95f6b2179407ceb9 (patch) | |
tree | d4a61e86e2d11031d65073612278ab518004d5a9 /src/libstore/local-store.cc | |
parent | ff6becafa8efc2f7e6f2b9b889ba4adf20b8d524 (diff) |
canonicalisePathMetaData(): Remove extended attributes / ACLs
EAs/ACLs are not part of the NAR canonicalisation. Worse, setting an
ACL allows a builder to create writable files in the Nix store. So get
rid of them.
Closes #185.
Diffstat (limited to 'src/libstore/local-store.cc')
-rw-r--r-- | src/libstore/local-store.cc | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index 3ac23ec26..5b03e86f3 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -27,6 +27,7 @@ #include <sys/statvfs.h> #include <sys/mount.h> #include <sys/ioctl.h> +#include <sys/xattr.h> #endif #include <sqlite3.h> @@ -407,6 +408,27 @@ static void canonicalisePathMetaData_(const Path & path, uid_t fromUid, InodesSe if (!(S_ISREG(st.st_mode) || S_ISDIR(st.st_mode) || S_ISLNK(st.st_mode))) throw Error(format("file ‘%1%’ has an unsupported type") % path); +#if __linux__ + /* Remove extended attributes / ACLs. */ + ssize_t eaSize = llistxattr(path.c_str(), nullptr, 0); + + if (eaSize < 0) { + if (errno != ENOTSUP) + throw SysError("querying extended attributes of ‘%s’", path); + } else if (eaSize > 0) { + std::vector<char> eaBuf(eaSize); + + if ((eaSize = llistxattr(path.c_str(), eaBuf.data(), eaBuf.size())) < 0) + throw SysError("querying extended attributes of ‘%s’", path); + + for (auto & eaName: tokenizeString<Strings>(std::string(eaBuf.data(), eaSize), std::string("\000", 1))) + if (lremovexattr(path.c_str(), eaName.c_str()) == -1) + throw SysError("removing extended attribute ‘%s’ from ‘%s’", eaName, path); + + assert(llistxattr(path.c_str(), nullptr, 0) == 0); + } +#endif + /* Fail if the file is not owned by the build user. This prevents us from messing up the ownership/permissions of files hard-linked into the output (e.g. "ln /etc/shadow $out/foo"). |