author | Reepca Russelstein <reepca@russelstein.xyz> | 2024-10-19 20:48:29 -0500 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2024-10-24 14:50:09 +0200 |
commit | f125143d64c3fac8c9576a55b48331cbf6096460 (patch) | |
tree | 165f631cef543ff7e479dbcce9315e734ddcd35d /build-aux | |
parent | c78f8f64cef2395e10736b2f94eacbff3b3f7536 (diff) | |

build: Restrict access to daemon socket in tests.

With the weak isolation available to the test daemon, it is essential to
disallow untrusted access to it, as otherwise another local user can gain our
user's credentials easily.

* build-aux/test-env.in: ensure the daemon-socket directory is freshly-created
with 0700 permissions.

Change-Id: I742f70fc6fc28e5b4dc88d590eef3daf1b964670
Signed-off-by: Ludovic Courtès <ludo@gnu.org>

Diffstat (limited to 'build-aux')
-rw-r--r-- | build-aux/test-env.in | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/build-aux/test-env.in b/build-aux/test-env.in index ca786437e9..9caa29da58 100644 --- a/build-aux/test-env.in +++ b/build-aux/test-env.in @@ -97,6 +97,11 @@ then GUIX_ALLOW_UNAUTHENTICATED_SUBSTITUTES \ GUIX_CONFIGURATION_DIRECTORY XDG_CACHE_HOME + # Create a fresh directory with restrictive permissions so that our test + # daemon's weak isolation can't be exploited by other users + rm -rf "$GUIX_STATE_DIRECTORY/daemon-socket" + mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket" + # Launch the daemon without chroot support because is may be # unavailable, for instance if we're not running as root. "@abs_top_builddir@/pre-inst-env" \ |
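
Review bot: the exit status of the added `mkdir -m 0700 "$GUIX_STATE_DIRECTORY/daemon-socket"` is not checked in the visible lines, so if it fails (for example because the preceding `rm -rf` could not remove an existing directory, or the directory reappeared in between) the script would still go on to launch the daemon over a directory whose owner and mode are unknown. Because `mkdir` is called without `-p`, it already refuses a pre-existing directory, which is the right behaviour; the protection only holds if that failure stops the script. Unless `set -e` is in effect earlier in the file, append `|| exit 1` to the `mkdir` line. The new comment could also say that the 0700 mode is what keeps other local users from connecting to the socket, since that is the reason given in the commit message.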