Set /nix/store permission to 1737

I.e., not readable to the nixbld group. This improves purity a bit for non-chroot builds, because it prevents a builder from enumerating store paths (i.e. it can only access paths it knows about).
nckx · Jan 8, 2015 · 27b7b94 · 27b7b94
1 parent 128538e
commit 27b7b94
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 19 deletions.
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
@@ -1736,21 +1736,6 @@ void DerivationGoal::startBuilder()
         /* Change ownership of the temporary build directory. */
         if (chown(tmpDir.c_str(), buildUser.getUID(), buildUser.getGID()) == -1)
             throw SysError(format("cannot change ownership of ‘%1%’") % tmpDir);
-
-        /* Check that the Nix store has the appropriate permissions,
-           i.e., owned by root and mode 1775 (sticky bit on so that
-           the builder can create its output but not mess with the
-           outputs of other processes). */
-        struct stat st;
-        if (stat(settings.nixStore.c_str(), &st) == -1)
-            throw SysError(format("cannot stat ‘%1%’") % settings.nixStore);
-        if (!(st.st_mode & S_ISVTX) ||
-            ((st.st_mode & S_IRWXG) != S_IRWXG) ||
-            (st.st_gid != buildUser.getGID()))
-            throw Error(format(
-                "builder does not have write permission to ‘%2%’; "
-                "try ‘chgrp %1% %2%; chmod 1775 %2%’")
-                % buildUser.getGID() % settings.nixStore);
     }
 
 

diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
@@ -251,10 +251,12 @@ LocalStore::LocalStore(bool reserveSpace)
        multi-user install. */
     if (getuid() == 0 && settings.buildUsersGroup != "") {
 
+        mode_t perm = 01737;
+
         Path perUserDir = profilesDir + "/per-user";
         createDirs(perUserDir);
-        if (chmod(perUserDir.c_str(), 01777) == -1)
-            throw SysError(format("could not set permissions on ‘%1%’ to 1777") % perUserDir);
+        if (chmod(perUserDir.c_str(), perm) == -1)
+            throw SysError(format("could not set permissions on ‘%1%’ to 1737") % perUserDir);
 
         struct group * gr = getgrnam(settings.buildUsersGroup.c_str());
         if (!gr)
@@ -265,10 +267,10 @@ LocalStore::LocalStore(bool reserveSpace)
             if (stat(settings.nixStore.c_str(), &st))
                 throw SysError(format("getting attributes of path ‘%1%’") % settings.nixStore);
 
-            if (st.st_uid != 0 || st.st_gid != gr->gr_gid || (st.st_mode & ~S_IFMT) != 01775) {
+            if (st.st_uid != 0 || st.st_gid != gr->gr_gid || (st.st_mode & ~S_IFMT) != perm) {
                 if (chown(settings.nixStore.c_str(), 0, gr->gr_gid) == -1)
                     throw SysError(format("changing ownership of path ‘%1%’") % settings.nixStore);
-                if (chmod(settings.nixStore.c_str(), 01775) == -1)
+                if (chmod(settings.nixStore.c_str(), perm) == -1)
                     throw SysError(format("changing permissions on path ‘%1%’") % settings.nixStore);
             }
         }