-rw-r--r--src/libstore/build.cc8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index f0b136d06..8da1e9946 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -676,6 +676,14 @@ void DerivationGoal::buildDone()
/* So the child is gone now. */
worker.childTerminated(savedPid);
+ /* When running under a build user, make sure that all processes
+ running under that uid are gone. This is to prevent a
+ malicious user from leaving behind a process that keeps files
+ open and modifies them after they have been chown'ed to
+ root. */
+ if (buildUser != 0)
+ killUser(buildUser);
+
/* Close the read side of the logger pipe. */
logPipe.readSide.close();
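Review bot: The added `killUser(buildUser)` call is the only barrier between a leftover build-user process and the later chown of the outputs to root, but nothing in the hunk shows what happens if it fails. killUser's definition is not visible here; if it can return without every process of that uid being gone, buildDone() should abort before the ownership change rather than carry on. I would state that contract in the comment, e.g. `/* killUser() must throw on failure: outputs must not be chown'ed while any process of this uid survives. */`. The guard `buildUser != 0` also appears to use the root uid as the "no build user" sentinel, which is worth a word in the same comment so that 0 is never passed through to killUser. buildDone()'s body starts and ends outside the hunk.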