From db39278d614645055cb90a0286b518bb2f23bed5 Mon Sep 17 00:00:00 2001 From: yawkar Date: Sat, 13 Dec 2025 19:45:19 +0300 Subject: [PATCH] libstore: include path in the world-writable error The previous error message was ambiguous about which specific directory failed the check. This commit updates checkNotWorldWritable to return the failing path so it can be included in the error message, making debugging easier. (cherry picked from commit a1e24fa6cecf9cef8824e24e7425cd86a0700301) --- src/libstore/unix/build/derivation-builder.cc | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc index 5d26ab8fd..73bb026a2 100644 --- a/src/libstore/unix/build/derivation-builder.cc +++ b/src/libstore/unix/build/derivation-builder.cc @@ -652,17 +652,17 @@ static void handleChildException(bool sendException) } } -static bool checkNotWorldWritable(std::filesystem::path path) +static void checkNotWorldWritable(std::filesystem::path path) { while (true) { auto st = lstat(path); if (st.st_mode & S_IWOTH) - return false; + throw Error("Path %s is world-writable or a symlink. That's not allowed for security.", path); if (path == path.parent_path()) break; path = path.parent_path(); } - return true; + return; } void DerivationBuilderImpl::startBuilder() @@ -700,9 +700,8 @@ void DerivationBuilderImpl::startBuilder() createDirs(buildDir); - if (buildUser && !checkNotWorldWritable(buildDir)) - throw Error( - "Path %s or a parent directory is world-writable or a symlink. That's not allowed for security.", buildDir); + if (buildUser) + checkNotWorldWritable(buildDir); /* Create a temporary directory where the build will take place. */