mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nix-daemon: Trust options like binary-caches when the client is root

Browse source 
Fixes #127.
This commit is contained in:
Eelco Dolstra 2013-06-12 12:10:26 +02:00
parent 5c06e5297d
commit 6b05f688ee
1 changed files with 7 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/nix-daemon/nix-daemon.cc
View file

@ -273,7 +273,7 @@ struct SavingSourceAdapter : Source
}; };
static void performOp(unsigned int clientVersion, static void performOp(bool trusted, unsigned int clientVersion,
Source & from, Sink & to, unsigned int op) Source & from, Sink & to, unsigned int op)
{ {
switch (op) { switch (op) {
@ -554,7 +554,7 @@ static void performOp(unsigned int clientVersion,
if (name == "build-timeout") if (name == "build-timeout")
string2Int(value, settings.buildTimeout); string2Int(value, settings.buildTimeout);
else else
settings.set("untrusted-" + name, value); settings.set(trusted ? name : "untrusted-" + name, value);
} }
} }
startWork(); startWork();
@ -643,7 +643,7 @@ static void performOp(unsigned int clientVersion,
} }
static void processConnection() static void processConnection(bool trusted)
{ {
canSendStderr = false; canSendStderr = false;
myPid = getpid(); myPid = getpid();
@ -711,7 +711,7 @@ static void processConnection()
opCount++; opCount++;
try { try {
performOp(clientVersion, from, to, op); performOp(trusted, clientVersion, from, to, op);
} catch (Error & e) { } catch (Error & e) {
/* If we're not in a state were we can send replies, then /* If we're not in a state were we can send replies, then
something went wrong processing the input of the something went wrong processing the input of the
@ -839,6 +839,7 @@ static void daemonLoop()
/* Get the identity of the caller, if possible. */ /* Get the identity of the caller, if possible. */
uid_t clientUid = -1; uid_t clientUid = -1;
pid_t clientPid = -1; pid_t clientPid = -1;
bool trusted = false;
#if defined(SO_PEERCRED) #if defined(SO_PEERCRED)
ucred cred; ucred cred;
@ -846,6 +847,7 @@ static void daemonLoop()
if (getsockopt(remote, SOL_SOCKET, SO_PEERCRED, &cred, &credLen) != -1) { if (getsockopt(remote, SOL_SOCKET, SO_PEERCRED, &cred, &credLen) != -1) {
clientPid = cred.pid; clientPid = cred.pid;
clientUid = cred.uid; clientUid = cred.uid;
if (clientUid == 0) trusted = true;
} }
#endif #endif
@ -879,7 +881,7 @@ static void daemonLoop()
/* Handle the connection. */ /* Handle the connection. */
from.fd = remote; from.fd = remote;
to.fd = remote; to.fd = remote;
processConnection(); processConnection(trusted);
} catch (std::exception & e) { } catch (std::exception & e) {
writeToStderr("child error: " + string(e.what()) + "\n"); writeToStderr("child error: " + string(e.what()) + "\n");