Fix a security bug in hash rewriting

Before calling dumpPath(), we have to make sure the files are owned by the build user. Otherwise, the build could contain a hard link to (say) /etc/shadow, which would then be read by the daemon and rewritten as a world-readable file. This only affects systems that don't have hard link restrictions enabled.
2013-06-13 17:12:24 +02:00 · 2013-06-13 17:12:24 +02:00 · cd49ee0897
parent 1e2c7c04b1
commit cd49ee0897
1 changed files with 6 additions and 0 deletions
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@ -1489,6 +1489,12 @@ void DerivationGoal::buildDone()
            /* Apply hash rewriting if necessary. */
            if (!rewritesFromTmp.empty()) {
                printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path);
+
+                /* Canonicalise first.  This ensures that the path
+                   we're rewriting doesn't contain a hard link to
+                   /etc/shadow or something like that. */
+                canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
+
                /* FIXME: this is in-memory. */
                StringSink sink;
                dumpPath(path, sink);