diff options
author | Ludovic Courtès <ludo@gnu.org> | 2024-03-12 11:53:35 +0100 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2024-03-12 14:07:28 +0100 |
commit | ff1251de0bc327ec478fc66a562430fbf35aef42 (patch) | |
tree | 6a34140e77ef17712671b3a49298e8242d614471 /etc/guix-gc.service.in | |
parent | fc1762fe38b4e0bf63c9efe4bed1435f0ef522bd (diff) | |
download | guix-ff1251de0bc327ec478fc66a562430fbf35aef42.tar.gz guix-ff1251de0bc327ec478fc66a562430fbf35aef42.zip |
daemon: Address shortcoming in previous security fix for CVE-2024-27297.
This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
ways: (1) it didn’t have any effet for fixed-output derivations
performed in a chroot, which is the case for all of them except those
using “builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.
* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
calls to preserve file ownership; this is necessary for chrooted
fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.
Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
Diffstat (limited to 'etc/guix-gc.service.in')
0 files changed, 0 insertions, 0 deletions