nixos/nix
1
1
Fork 0
mirror of https://github.com/NixOS/nix.git synced 2025-12-22 17:01:08 +01:00
Code Activity

Merge pull request #14848 from NixOS/backport-14785-to-2.31-maintenance

Browse source 
[Backport 2.31-maintenance] libstore: include path in the world-writable error
This commit is contained in:
internal-nix-ci[bot] 2025-12-21 19:05:54 +00:00 committed by GitHub
commit 9b597aa64f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 5 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/libstore/unix/build/derivation-builder.cc
View file

@ -652,17 +652,17 @@ static void handleChildException(bool sendException)
} }
} }
static bool checkNotWorldWritable(std::filesystem::path path) static void checkNotWorldWritable(std::filesystem::path path)
{ {
while (true) { while (true) {
auto st = lstat(path); auto st = lstat(path);
if (st.st_mode & S_IWOTH) if (st.st_mode & S_IWOTH)
return false; throw Error("Path %s is world-writable or a symlink. That's not allowed for security.", path);
if (path == path.parent_path()) if (path == path.parent_path())
break; break;
path = path.parent_path(); path = path.parent_path();
} }
return true; return;
} }
void DerivationBuilderImpl::startBuilder() void DerivationBuilderImpl::startBuilder()
@ -700,9 +700,8 @@ void DerivationBuilderImpl::startBuilder()
createDirs(buildDir); createDirs(buildDir);
if (buildUser && !checkNotWorldWritable(buildDir)) if (buildUser)
throw Error( checkNotWorldWritable(buildDir);
"Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir);
/* Create a temporary directory where the build will take /* Create a temporary directory where the build will take
place. */ place. */