daemon: Prevent privilege escalation with '--keep-failed' [security]. - guix-patches

diff options

author	Ludovic Courtès <ludo@gnu.org>	2021-03-18 11:39:39 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2021-03-18 12:18:56 +0100
commit	ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf (patch)
tree	b9330befde8c1dc8a07ad1a2571cbe4d008a0128 /build-aux
parent	898489f48e436e45e86e1ba0fcdb6df5cd5a051a (diff)
download	guix-patches-ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf.tar guix-patches-ec7fb669945bfb47c5e1fdf7de3a5d07f7002ccf.tar.gz

daemon: Prevent privilege escalation with '--keep-failed' [security].

Fixes <https://bugs.gnu.org/47229>. Reported by Nathan Nye of WhiteBeam Security. * nix/libstore/build.cc (DerivationGoal::startBuilder): When 'useChroot' is true, add "/top" to 'tmpDir'. (DerivationGoal::deleteTmpDir): Adjust accordingly. When 'settings.keepFailed' is true, chown in two steps: first the "/top" sub-directory, and then rename "/top" to its parent.

Diffstat (limited to 'build-aux')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: