aboutsummaryrefslogtreecommitdiff
path: root/nix/libstore/references.hh
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2024-03-12 11:53:35 +0100
committerLudovic Courtès <ludo@gnu.org>2024-03-12 14:07:28 +0100
commitff1251de0bc327ec478fc66a562430fbf35aef42 (patch)
tree6a34140e77ef17712671b3a49298e8242d614471 /nix/libstore/references.hh
parentfc1762fe38b4e0bf63c9efe4bed1435f0ef522bd (diff)
downloadguix-ff1251de0bc327ec478fc66a562430fbf35aef42.tar.gz
guix-ff1251de0bc327ec478fc66a562430fbf35aef42.zip
daemon: Address shortcoming in previous security fix for CVE-2024-27297.
This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
Diffstat (limited to 'nix/libstore/references.hh')
0 files changed, 0 insertions, 0 deletions