me
/
guix
Archived
1
0
Fork 0
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues/pull-requests.
guix/nix/libstore
Ludovic Courtès ff1251de0b
daemon: Address shortcoming in previous security fix for CVE-2024-27297.
This is a followup to 8f4ffb3fae.

Commit 8f4ffb3fae fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
2024-03-12 14:07:28 +01:00
..
.gitignore
build.cc
builtins.cc
builtins.hh
derivations.cc
derivations.hh
gc.cc
globals.cc
globals.hh
local-store.cc
local-store.hh
misc.cc
misc.hh
optimise-store.cc
pathlocks.cc
pathlocks.hh
references.cc
references.hh
sqlite.cc
sqlite.hh
store-api.cc
store-api.hh
worker-protocol.hh