Fix a security bug in hash rewriting
Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled.
This commit is contained in:
parent
1e2c7c04b1
commit
cd49ee0897
1 changed files with 6 additions and 0 deletions
|
@ -1489,6 +1489,12 @@ void DerivationGoal::buildDone()
|
||||||
/* Apply hash rewriting if necessary. */
|
/* Apply hash rewriting if necessary. */
|
||||||
if (!rewritesFromTmp.empty()) {
|
if (!rewritesFromTmp.empty()) {
|
||||||
printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path);
|
printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path);
|
||||||
|
|
||||||
|
/* Canonicalise first. This ensures that the path
|
||||||
|
we're rewriting doesn't contain a hard link to
|
||||||
|
/etc/shadow or something like that. */
|
||||||
|
canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
|
||||||
|
|
||||||
/* FIXME: this is in-memory. */
|
/* FIXME: this is in-memory. */
|
||||||
StringSink sink;
|
StringSink sink;
|
||||||
dumpPath(path, sink);
|
dumpPath(path, sink);
|
||||||
|
|
Loading…
Reference in a new issue