diff options
author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-02-26 02:30:19 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-02-26 02:30:19 +0100 |
commit | 5526a282b5b44e9296e61e07d7d2626a79141ac4 (patch) | |
tree | 47d50327dc39bc716fa9ef047ab2b6d2667340e0 /src/nix-env/user-env.cc | |
parent | dadf7a5b46f08b59c7e15a40937a9039ef273d63 (diff) |
Security: Don't allow builders to change permissions on files they don't own
It turns out that in multi-user Nix, a builder may be able to do
ln /etc/shadow $out/foo
Afterwards, canonicalisePathMetaData() will be applied to $out/foo,
causing /etc/shadow's mode to be set to 444 (readable by everybody but
writable by nobody). That's obviously Very Bad.
Fortunately, this fails in NixOS's default configuration because
/nix/store is a bind mount, so "ln" will fail with "Invalid
cross-device link". It also fails if hard-link restrictions are
enabled, so a workaround is:
echo 1 > /proc/sys/fs/protected_hardlinks
The solution is to check that all files in $out are owned by the build
user. This means that innocuous operations like "ln
${pkgs.foo}/some-file $out/" are now rejected, but that already failed
in chroot builds anyway.
Diffstat (limited to 'src/nix-env/user-env.cc')
0 files changed, 0 insertions, 0 deletions