daemon: Address shortcoming in previous security fix for CVE-2024-27297.
This is a followup tomaster8f4ffb3fae
. Commit8f4ffb3fae
fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
parent
fc1762fe38
commit
ff1251de0b
|
@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone()
|
||||||
make sure that there's no stale file descriptor pointing to it
|
make sure that there's no stale file descriptor pointing to it
|
||||||
(CVE-2024-27297). */
|
(CVE-2024-27297). */
|
||||||
foreach (DerivationOutputs::iterator, i, drv.outputs) {
|
foreach (DerivationOutputs::iterator, i, drv.outputs) {
|
||||||
if (pathExists(i->second.path)) {
|
Path output = chrootRootDir + i->second.path;
|
||||||
Path pivot = i->second.path + ".tmp";
|
if (pathExists(output)) {
|
||||||
copyFileRecursively(i->second.path, pivot, true);
|
Path pivot = output + ".tmp";
|
||||||
int err = rename(pivot.c_str(), i->second.path.c_str());
|
copyFileRecursively(output, pivot, true);
|
||||||
|
int err = rename(pivot.c_str(), output.c_str());
|
||||||
if (err != 0)
|
if (err != 0)
|
||||||
throw SysError(format("renaming `%1%' to `%2%'")
|
throw SysError(format("renaming `%1%' to `%2%'")
|
||||||
% pivot % i->second.path);
|
% pivot % output);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
|
||||||
if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
|
if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
|
||||||
|
|
||||||
copyFile(sourceFd, destinationFd);
|
copyFile(sourceFd, destinationFd);
|
||||||
|
fchown(destinationFd, st.st_uid, st.st_gid);
|
||||||
} else if (S_ISLNK(st.st_mode)) {
|
} else if (S_ISLNK(st.st_mode)) {
|
||||||
char target[st.st_size + 1];
|
char target[st.st_size + 1];
|
||||||
ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
|
ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
|
||||||
|
@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const Path &source,
|
||||||
int err = symlinkat(target, destinationroot, destination.c_str());
|
int err = symlinkat(target, destinationroot, destination.c_str());
|
||||||
if (err != 0)
|
if (err != 0)
|
||||||
throw SysError(format("creating symlink `%1%'") % destination);
|
throw SysError(format("creating symlink `%1%'") % destination);
|
||||||
|
fchownat(destinationroot, destination.c_str(),
|
||||||
|
st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);
|
||||||
} else if (S_ISDIR(st.st_mode)) {
|
} else if (S_ISDIR(st.st_mode)) {
|
||||||
int err = mkdirat(destinationroot, destination.c_str(), 0755);
|
int err = mkdirat(destinationroot, destination.c_str(), 0755);
|
||||||
if (err != 0)
|
if (err != 0)
|
||||||
|
@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
|
||||||
for (auto & i : readDirectory(sourceFd))
|
for (auto & i : readDirectory(sourceFd))
|
||||||
copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
|
copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
|
||||||
deleteSource);
|
deleteSource);
|
||||||
|
fchown(destinationFd, st.st_uid, st.st_gid);
|
||||||
} else throw Error(format("refusing to copy irregular file `%1%'") % source);
|
} else throw Error(format("refusing to copy irregular file `%1%'") % source);
|
||||||
|
|
||||||
if (deleteSource)
|
if (deleteSource)
|
||||||
|
|
|
@ -102,9 +102,10 @@ void deletePath(const Path & path);
|
||||||
void deletePath(const Path & path, unsigned long long & bytesFreed,
|
void deletePath(const Path & path, unsigned long long & bytesFreed,
|
||||||
size_t linkThreshold = 1);
|
size_t linkThreshold = 1);
|
||||||
|
|
||||||
/* Copy SOURCE to DESTINATION, recursively. Throw if SOURCE contains a file
|
/* Copy SOURCE to DESTINATION, recursively, preserving ownership. Throw if
|
||||||
that is not a regular file, symlink, or directory. When DELETESOURCE is
|
SOURCE contains a file that is not a regular file, symlink, or directory.
|
||||||
true, delete source files once they have been copied. */
|
When DELETESOURCE is true, delete source files once they have been
|
||||||
|
copied. */
|
||||||
void copyFileRecursively(const Path &source, const Path &destination,
|
void copyFileRecursively(const Path &source, const Path &destination,
|
||||||
bool deleteSource = false);
|
bool deleteSource = false);
|
||||||
|
|
||||||
|
|
Reference in New Issue