diff --git a/doc/manual/src/release-notes/rl-next.md b/doc/manual/src/release-notes/rl-next.md
index bde9057c6..e46652f48 100644
--- a/doc/manual/src/release-notes/rl-next.md
+++ b/doc/manual/src/release-notes/rl-next.md
@@ -1,3 +1,5 @@
 # Release X.Y (202?-??-??)
-- [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand
+* When searching upwards for the root of the flake, Nix doesn’t consider
+ anything that’s not owned by the current user anymore as it’s a
+ security hazard.
diff --git a/src/libexpr/flake/flakeref.cc b/src/libexpr/flake/flakeref.cc
index 08adbe0c9..82307f8c7 100644
--- a/src/libexpr/flake/flakeref.cc
+++ b/src/libexpr/flake/flakeref.cc
@@ -127,6 +127,8 @@ std::pair parseFlakeRefWithFragment(
 // Save device to detect filesystem boundary
 dev_t device = lstat(path).st_dev;
+ // Fix for the Nix equivalent of CVE-2022-24765
+ uid_t currentUser = geteuid();
 bool found = false;
 while (path != "/") {
 if (pathExists(path + "/flake.nix")) {
@@ -134,11 +136,13 @@ std::pair parseFlakeRefWithFragment(
 break;
 } else if (pathExists(path + "/.git"))
 throw Error("path '%s' is not part of a flake (neither it nor its parent directories contain a 'flake.nix' file)", path);
- else {
- if (lstat(path).st_dev != device)
- throw Error("unable to find a flake before encountering filesystem boundary at '%s'", path);
- }
 path = dirOf(path);
+ auto pathStat = lstat(path);
+ if (pathStat.st_dev != device)
+ throw Error("unable to find a flake before encountering filesystem boundary at '%s'", path);
+ if (pathStat.st_uid != currentUser) {
+ throw Error("unable to find a flake before encountering a directory not owned by us at '%s'", path);
+ }
 }
 if (!found)
 throw BadURL("could not find a flake.nix file");
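Review bot: The comment added above `uid_t currentUser = geteuid();` names a CVE but not the property the search loop depends on, so a reader has to look the advisory up to understand why directory ownership matters here; suggest `// Only ascend through directories owned by the effective user: a parent directory controlled by someone else must not be able to supply the flake.nix that gets evaluated (cf. git's CVE-2022-24765).` Comparing against the bare effective uid also means a process running as root (euid 0) rejects every user-owned parent directory; that looks intended, but if so it is worth stating in the same comment. parseFlakeRefWithFragment starts before this hunk and continues in the next one.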
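Review bot: The ownership test on `pathStat.st_uid` runs right after `path = dirOf(path)` with no check that the loop will iterate again, so once the search climbs to `/` — owned by root on any normal system — a non-root user now gets the "not owned by us" `Error` instead of falling out of the loop to `throw BadURL("could not find a flake.nix file")`, and any caller that catches `BadURL` specifically would no longer see it. Since `while (path != "/")` never searches `/` anyway, checking the parent only when it will actually be searched preserves the old failure mode: `path = dirOf(path); if (path == "/") break;` ahead of the `lstat`. Note also that the directory the search starts from is never tested, so a `flake.nix` found there is accepted regardless of owner; if that is deliberate because the user named that path explicitly, a one-line comment saying so would help the next reader. `lstat` reports the owner of a symlink itself rather than of its target, which may matter when `path` contains symlinked components — presumably acceptable, but worth confirming. The enclosing function continues past the end of this hunk.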