nixos/security/wrapper: ensure the tmpfs is not world writeable

The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory has the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
This commit is contained in:
Andreas Rammhold 2020-09-28 19:43:54 +02:00
parent cd7db06935
commit 9630d5c07f
No known key found for this signature in database
GPG key ID: E432E410B5E48C86

View file

@ -169,7 +169,7 @@ in
boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs";
options = [ "nodev" ];
options = [ "nodev" "mode=755" ];
};
# Make sure our wrapperDir exports to the PATH env variable when
@ -195,6 +195,8 @@ in
# programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
chmod 755 "${parentWrapperDir}"
# We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir
@ -205,6 +207,9 @@ in
# Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink -f ${wrapperDir})
if [ -e ${wrapperDir}-tmp ]; then
rm --force --recursive ${wrapperDir}-tmp
fi
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old