Remove world-writability from per-user directories
'nix-daemon' now creates subdirectories for users when they first connect. Fixes #509 (CVE-2019-17365). Should also fix #3127.
This commit is contained in:
parent
4331eeb13d
commit
5a303093dc
11 changed files with 41 additions and 43 deletions
|
@ -106,7 +106,7 @@ chmod 1775 $RPM_BUILD_ROOT/nix/store
|
|||
for d in profiles gcroots;
|
||||
do
|
||||
mkdir -p $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
|
||||
chmod 1777 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
|
||||
chmod 755 $RPM_BUILD_ROOT/nix/var/nix/$d/per-user
|
||||
done
|
||||
|
||||
# fix permission of nix profile
|
||||
|
|
|
@ -437,16 +437,15 @@ create_build_users() {
|
|||
}
|
||||
|
||||
create_directories() {
|
||||
# FIXME: remove all of this because it duplicates LocalStore::LocalStore().
|
||||
|
||||
_sudo "to make the basic directory structure of Nix (part 1)" \
|
||||
mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool}
|
||||
mkdir -pv -m 0755 /nix /nix/var /nix/var/log /nix/var/log/nix /nix/var/log/nix/drvs /nix/var/nix{,/db,/gcroots,/profiles,/temproots,/userpool} /nix/var/nix/{gcroots,profiles}/per-user
|
||||
|
||||
_sudo "to make the basic directory structure of Nix (part 2)" \
|
||||
mkdir -pv -m 1777 /nix/var/nix/{gcroots,profiles}/per-user
|
||||
|
||||
_sudo "to make the basic directory structure of Nix (part 3)" \
|
||||
mkdir -pv -m 1775 /nix/store
|
||||
|
||||
_sudo "to make the basic directory structure of Nix (part 4)" \
|
||||
_sudo "to make the basic directory structure of Nix (part 3)" \
|
||||
chgrp "$NIX_BUILD_GROUP_NAME" /nix/store
|
||||
|
||||
_sudo "to set up the root user's profile (part 1)" \
|
||||
|
|
|
@ -5,12 +5,6 @@ __ETC_PROFILE_NIX_SOURCED=1
|
|||
export NIX_USER_PROFILE_DIR="@localstatedir@/nix/profiles/per-user/$USER"
|
||||
export NIX_PROFILES="@localstatedir@/nix/profiles/default $HOME/.nix-profile"
|
||||
|
||||
# Set up the per-user profile.
|
||||
mkdir -m 0755 -p $NIX_USER_PROFILE_DIR
|
||||
if ! test -O "$NIX_USER_PROFILE_DIR"; then
|
||||
echo "WARNING: bad ownership on $NIX_USER_PROFILE_DIR" >&2
|
||||
fi
|
||||
|
||||
if test -w $HOME; then
|
||||
if ! test -L $HOME/.nix-profile; then
|
||||
if test "$USER" != root; then
|
||||
|
@ -26,13 +20,6 @@ if test -w $HOME; then
|
|||
echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
|
||||
fi
|
||||
|
||||
# Create the per-user garbage collector roots directory.
|
||||
NIX_USER_GCROOTS_DIR=@localstatedir@/nix/gcroots/per-user/$USER
|
||||
mkdir -m 0755 -p $NIX_USER_GCROOTS_DIR
|
||||
if ! test -O "$NIX_USER_GCROOTS_DIR"; then
|
||||
echo "WARNING: bad ownership on $NIX_USER_GCROOTS_DIR" >&2
|
||||
fi
|
||||
|
||||
# Set up a default Nix expression from which to install stuff.
|
||||
if [ ! -e $HOME/.nix-defexpr -o -L $HOME/.nix-defexpr ]; then
|
||||
rm -f $HOME/.nix-defexpr
|
||||
|
|
|
@ -9,12 +9,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
|
|||
|
||||
NIX_USER_PROFILE_DIR=@localstatedir@/nix/profiles/per-user/$USER
|
||||
|
||||
mkdir -m 0755 -p "$NIX_USER_PROFILE_DIR"
|
||||
|
||||
if [ "$(stat --printf '%u' "$NIX_USER_PROFILE_DIR")" != "$(id -u)" ]; then
|
||||
echo "Nix: WARNING: bad ownership on "$NIX_USER_PROFILE_DIR", should be $(id -u)" >&2
|
||||
fi
|
||||
|
||||
if [ -w "$HOME" ]; then
|
||||
if ! [ -L "$NIX_LINK" ]; then
|
||||
echo "Nix: creating $NIX_LINK" >&2
|
||||
|
@ -33,14 +27,6 @@ if [ -n "$HOME" ] && [ -n "$USER" ]; then
|
|||
echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > "$HOME/.nix-channels"
|
||||
fi
|
||||
|
||||
# Create the per-user garbage collector roots directory.
|
||||
__user_gcroots=@localstatedir@/nix/gcroots/per-user/"$USER"
|
||||
mkdir -m 0755 -p "$__user_gcroots"
|
||||
if [ "$(stat --printf '%u' "$__user_gcroots")" != "$(id -u)" ]; then
|
||||
echo "Nix: WARNING: bad ownership on $__user_gcroots, should be $(id -u)" >&2
|
||||
fi
|
||||
unset __user_gcroots
|
||||
|
||||
# Set up a default Nix expression from which to install stuff.
|
||||
__nix_defexpr="$HOME"/.nix-defexpr
|
||||
[ -L "$__nix_defexpr" ] && rm -f "$__nix_defexpr"
|
||||
|
|
|
@ -74,10 +74,11 @@ LocalStore::LocalStore(const Params & params)
|
|||
multi-user install. */
|
||||
if (getuid() == 0 && settings.buildUsersGroup != "") {
|
||||
|
||||
Path perUserDir = profilesDir + "/per-user";
|
||||
for (auto & perUserDir : {profilesDir + "/per-user", gcRootsDir + "/per-user"}) {
|
||||
createDirs(perUserDir);
|
||||
if (chmod(perUserDir.c_str(), 01777) == -1)
|
||||
throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir);
|
||||
if (chmod(perUserDir.c_str(), 0755) == -1)
|
||||
throw SysError("could not set permissions on '%s' to 755", perUserDir);
|
||||
}
|
||||
|
||||
mode_t perm = 01775;
|
||||
|
||||
|
@ -1432,4 +1433,19 @@ void LocalStore::signPathInfo(ValidPathInfo & info)
|
|||
}
|
||||
|
||||
|
||||
void LocalStore::createUser(const std::string & userName, uid_t userId)
|
||||
{
|
||||
for (auto & dir : {
|
||||
fmt("%s/profiles/per-user/%s", stateDir, userName),
|
||||
fmt("%s/gcroots/per-user/%s", stateDir, userName)
|
||||
}) {
|
||||
createDirs(dir);
|
||||
if (chmod(dir.c_str(), 0700) == -1)
|
||||
throw SysError("changing permissions of directory '%s'", dir);
|
||||
if (chown(dir.c_str(), userId, -1) == -1)
|
||||
throw SysError("changing owner of directory '%s'", dir);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -293,6 +293,8 @@ private:
|
|||
|
||||
Path getRealStoreDir() override { return realStoreDir; }
|
||||
|
||||
void createUser(const std::string & userName, uid_t userId) override;
|
||||
|
||||
friend class DerivationGoal;
|
||||
friend class SubstitutionGoal;
|
||||
};
|
||||
|
|
|
@ -628,6 +628,9 @@ public:
|
|||
return storePath;
|
||||
}
|
||||
|
||||
virtual void createUser(const std::string & userName, uid_t userId)
|
||||
{ }
|
||||
|
||||
protected:
|
||||
|
||||
Stats stats;
|
||||
|
|
|
@ -742,7 +742,8 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
|
|||
}
|
||||
|
||||
|
||||
static void processConnection(bool trusted)
|
||||
static void processConnection(bool trusted,
|
||||
const std::string & userName, uid_t userId)
|
||||
{
|
||||
MonitorFdHup monitor(from.fd);
|
||||
|
||||
|
@ -793,6 +794,8 @@ static void processConnection(bool trusted)
|
|||
params["path-info-cache-size"] = "0";
|
||||
auto store = openStore(settings.storeUri, params);
|
||||
|
||||
store->createUser(userName, userId);
|
||||
|
||||
tunnelLogger->stopWork();
|
||||
to.flush();
|
||||
|
||||
|
@ -1053,7 +1056,7 @@ static void daemonLoop(char * * argv)
|
|||
/* Handle the connection. */
|
||||
from.fd = remote.get();
|
||||
to.fd = remote.get();
|
||||
processConnection(trusted);
|
||||
processConnection(trusted, user, peer.uid);
|
||||
|
||||
exit(0);
|
||||
}, options);
|
||||
|
@ -1133,7 +1136,7 @@ static int _main(int argc, char * * argv)
|
|||
}
|
||||
}
|
||||
} else {
|
||||
processConnection(true);
|
||||
processConnection(true, "root", 0);
|
||||
}
|
||||
} else {
|
||||
daemonLoop(argv);
|
||||
|
|
|
@ -10,5 +10,3 @@ USER=$user $SHELL -e -c ". $TEST_ROOT/nix-profile.sh" # test idempotency
|
|||
|
||||
[ -L $TEST_HOME/.nix-profile ]
|
||||
[ -e $TEST_HOME/.nix-channels ]
|
||||
[ -e $TEST_ROOT/profile-var/nix/gcroots/per-user/$user ]
|
||||
[ -e $TEST_ROOT/profile-var/nix/profiles/per-user/$user ]
|
||||
|
|
|
@ -13,3 +13,7 @@ cmp $TEST_ROOT/d1 $TEST_ROOT/d2
|
|||
nix-store --gc --max-freed 1K
|
||||
|
||||
killDaemon
|
||||
|
||||
user=$(whoami)
|
||||
[ -e $NIX_STATE_DIR/gcroots/per-user/$user ]
|
||||
[ -e $NIX_STATE_DIR/profiles/per-user/$user ]
|
||||
|
|
|
@ -20,7 +20,7 @@ drvPath10=$(nix-env -f ./user-envs.nix -qa --drv-path --no-name '*' | grep foo-1
|
|||
|
||||
# Query descriptions.
|
||||
nix-env -f ./user-envs.nix -qa '*' --description | grep -q silly
|
||||
rm -f $HOME/.nix-defexpr
|
||||
rm -rf $HOME/.nix-defexpr
|
||||
ln -s $(pwd)/user-envs.nix $HOME/.nix-defexpr
|
||||
nix-env -qa '*' --description | grep -q silly
|
||||
|
||||
|
|
Loading…
Reference in a new issue