diff --git a/src/libstore/build.cc b/src/libstore/build.cc index cef0c2c96d..2d33719573 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -789,6 +789,9 @@ private: /* Outputs that are corrupt or not valid. */ PathSet missingPaths; + /* Paths that have been subject to hash rewriting. */ + PathSet rewrittenPaths; + /* User selected for running the builder. */ UserLock buildUser; @@ -1493,6 +1496,8 @@ void DerivationGoal::buildDone() sink.s = rewriteHashes(sink.s, rewritesFromTmp); StringSource source(sink.s); restorePath(path, source); + + rewrittenPaths.insert(path); } /* Gain ownership of the build result using the setuid @@ -2293,8 +2298,10 @@ void DerivationGoal::computeClosure() % path % i->second.hashAlgo % printHash16or32(h) % printHash16or32(h2)); } - /* Get rid of all weird permissions. */ - canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1); + /* Get rid of all weird permissions. This also checks that + all files are owned by the build user, if applicable. */ + canonicalisePathMetaData(path, + buildUser.enabled() && rewrittenPaths.find(path) == rewrittenPaths.end() ? buildUser.getUID() : -1); /* For this output path, find the references to other paths contained in it. Compute the SHA-256 NAR hash at the same