GNU bug report logs - #77642
[PATCH] daemon: Do not make chroot root directory read-only.


Package: guix-patches; Reported by: Ludovic Courtès <ludo@HIDDEN>; Keywords: patch; dated Tue, 8 Apr 2025 13:31:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 77642 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludovic.courtes@HIDDEN>
To: Reepca Russelstein <reepca@HIDDEN>
Subject: Re: [bug#77642] [PATCH] daemon: Do not make chroot root directory read-only.
In-Reply-To: <87cydmwuc0.fsf@HIDDEN> (Reepca Russelstein's message of
 "Tue, 08 Apr 2025 10:23:27 -0500")
References: <b826ad7d859f71fefacedf55ef95dfa081707318.1744118941.git.ludo@HIDDEN>
 <87cydmwuc0.fsf@HIDDEN>
Date: Thu, 10 Apr 2025 09:55:46 +0200
Message-ID: <87mscov4al.fsf@HIDDEN>
Cc: keinflue@HIDDEN, adanskana@HIDDEN, 77642 <at> debbugs.gnu.org

Hi,

Reepca Russelstein <reepca@HIDDEN> writes:

>> +	    /* Make the root read-only.
>> +
>> +	       The build process could make it world-accessible, but that's
>
> Strictly speaking, in the case of --build-users-group, it couldn't even
> do that.

True.

>> +	       OK: since 'chrootRootTop' is *not* world-accessible, a
>> +	       world-accessible 'chrootRootDir' cannot be used to grant access
>> +	       to the store to external processes.
>
> It may be more general to write "grant access to the build environment",
> unless you're using this as a shorthand for "grant access to the build
> environment, and thereby a setuid binary, and thereby (in some
> configurations) the store".

Yes, but I'll change it as you suggest.

> Looks good to me, hopefully there aren't any major packages further down
> the line that rely on chmod("/", ...) failing.

Crossing fingers…

Ludo'.





Message received at submit <at> debbugs.gnu.org:


From: Reepca Russelstein <reepca@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: [PATCH] daemon: Do not make chroot root directory read-only.
In-Reply-To: <b826ad7d859f71fefacedf55ef95dfa081707318.1744118941.git.ludo@HIDDEN>
 ("Ludovic Courtès"'s message of "Tue, 8 Apr 2025 15:29:44 +0200")
References: <b826ad7d859f71fefacedf55ef95dfa081707318.1744118941.git.ludo@HIDDEN>
Date: Tue, 08 Apr 2025 10:23:27 -0500
Message-ID: <87cydmwuc0.fsf@HIDDEN>
Cc: keinflue <keinflue@HIDDEN>, Ada Stevenson <adanskana@HIDDEN>,
 guix-patches@HIDDEN

Ludovic Courtès <ludo@HIDDEN> writes:

> @@ -2245,9 +2249,18 @@ void DerivationGoal::runChild()
>              if (rmdir("real-root") =3D=3D -1)
>                  throw SysError("cannot remove real-root directory");
>=20=20
> -	    /* Remount root as read-only.  */
> -            if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) =
=3D=3D -1)
> -                throw SysError(format("read-only remount of build root '=
%1%' failed") % chrootRootDir);
> +	    /* Make the root read-only.
> +
> +	       The build process could make it world-accessible, but that's

Strictly speaking, in the case of --build-users-group, it couldn't even
do that.

> +	       OK: since 'chrootRootTop' is *not* world-accessible, a
> +	       world-accessible 'chrootRootDir' cannot be used to grant access
> +	       to the store to external processes.

It may be more general to write "grant access to the build environment",
unless you're using this as a shorthand for "grant access to the build
environment, and thereby a setuid binary, and thereby (in some
configurations) the store".

Looks good to me, hopefully there aren't any major packages further down
the line that rely on chmod("/", ...) failing.

- reepca






Message received at submit <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] daemon: Do not make chroot root directory read-only.
Date: Tue,  8 Apr 2025 15:29:44 +0200
Message-ID: <b826ad7d859f71fefacedf55ef95dfa081707318.1744118941.git.ludo@HIDDEN>
Cc: keinflue <keinflue@HIDDEN>,
 Ludovic Courtès <ludo@HIDDEN>,
 Reepca Russelstein <reepca@HIDDEN>,
 Ada Stevenson <adanskana@HIDDEN>

Fixes <https://issues.guix.gnu.org/77570>.

Commit 40f69b586a440d0397fa3dfe03b95a0f44e4d242 made the chroot root
directory read-only; as a consequence, build processes attempting to
write to the root directory would now get EROFS instead of EACCES.

It turns out that a number of test suites (Go, Ruby, SCons, Shepherd)
would fail because of this observable difference.

To restore previous behavior in build environments while still
preventing build processes from exposing their root directory to outside
processes, this patch (1) keeps the root writable but #o555 by default,
thereby restoring the EACCES behavior, and (2) ensures that the parent
of the chroot root directory is itself user-accessible only.

* nix/libstore/build.cc (class DerivationGoal)[chrootRootTop]: New
field.
(DerivationGoal::startBuilder): Initialize ‘chrootRootTop’ and make it
‘AutoDelete’.  Replace ‘mount’ call that made the root directory
read-only by a mere ‘chmod_’ call.
* tests/store.scm ("build root cannot be made world-readable"): Remove.
("writing to build root leads to EACCES"): New test.

Reported-by: Ada Stevenson <adanskana@HIDDEN>
Reported-by: keinflue <keinflue@HIDDEN>
Suggested-by: Reepca Russelstein <reepca@HIDDEN>
Change-Id: I5912e8b3b293f8242a010cfc79255fc981314445
---
 nix/libstore/build.cc | 35 ++++++++++++++++++++++++-----------
 tests/store.scm       | 35 +++++++++++++----------------------
 2 files changed, 37 insertions(+), 33 deletions(-)

diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index d0fcc99854..1a38e85816 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -657,7 +657,9 @@ private:
     /* Whether we're currently doing a chroot build. */
     bool useChroot;
 
-    Path chrootRootDir;
+    /* The directory containing the chroot root directory, and the chroot root
+       directory itself--the latter is a sub-directory of the former.  */
+    Path chrootRootTop, chrootRootDir;
 
     /* RAII object to delete the chroot directory. */
     std::shared_ptr<AutoDelete> autoDelChroot;
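Review bot: the comment on autoDelChroot just below, "RAII object to delete the chroot directory", is now stale: the startBuilder hunk constructs the AutoDelete over chrootRootTop, so what gets deleted is the parent directory together with the build root inside it; reword it accordingly. The new field comment should also record the property the runChild comment later depends on, namely that chrootRootTop must never be world-accessible, so that nobody relaxes its mode without noticing the consequence.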
@@ -1810,19 +1812,21 @@ void DerivationGoal::startBuilder()
     if (useChroot) {
 #if CHROOT_ENABLED
         /* Create a temporary directory in which we set up the chroot
-           environment using bind-mounts.  We put it in the store
-           to ensure that we can create hard-links to non-directory
-           inputs in the fake store in the chroot (see below). */
-        chrootRootDir = drvPath + ".chroot";
-        if (pathExists(chrootRootDir)) deletePath(chrootRootDir);
+           environment using bind-mounts.  Put it in the store to ensure it
+           can be atomically moved to the store.  */
+        chrootRootTop = drvPath + ".chroot";
+        chrootRootDir = chrootRootTop + "/top";
+        if (pathExists(chrootRootTop)) deletePath(chrootRootTop);
 
         /* Clean up the chroot directory automatically. */
-        autoDelChroot = std::shared_ptr<AutoDelete>(new AutoDelete(chrootRootDir));
+        autoDelChroot = std::shared_ptr<AutoDelete>(new AutoDelete(chrootRootTop));
 
         printMsg(lvlChatty, format("setting up chroot environment in `%1%'") % chrootRootDir);
 
+	if (mkdir(chrootRootTop.c_str(), 0750) == -1)
+	    throw SysError(format("cannot create build root container '%1%'") % chrootRootTop);
         if (mkdir(chrootRootDir.c_str(), 0750) == -1)
-            throw SysError(format("cannot create ‘%1%’") % chrootRootDir);
+            throw SysError(format("cannot create build root '%1%'") % chrootRootDir);
 
         if (buildUser.enabled() && chown(chrootRootDir.c_str(), 0, buildUser.getGID()) == -1)
             throw SysError(format("cannot change ownership of ‘%1%’") % chrootRootDir);
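Review bot: the two added lines creating chrootRootTop are indented with a tab while the surrounding block uses spaces; re-indent them to match. More importantly, the chown that follows only covers chrootRootDir, so chrootRootTop stays owned by the daemon with mode 0750 and is the single barrier between a possibly world-accessible build root and other users; a one-line comment at that mkdir stating this invariant would make the security argument local to the code that enforces it. The rewritten comment also drops the old rationale about hard-linking non-directory inputs into the fake store and keeps only the atomic move into the store; please confirm the hard-link reason no longer applies before removing it. Lastly, "build root container" in the error message is easy to confuse with the container the build runs in; "parent of build root" is less ambiguous.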
@@ -2245,9 +2249,18 @@ void DerivationGoal::runChild()
             if (rmdir("real-root") == -1)
                 throw SysError("cannot remove real-root directory");
 
-	    /* Remount root as read-only.  */
-            if (mount("/", "/", 0, MS_BIND | MS_REMOUNT | MS_RDONLY, 0) == -1)
-                throw SysError(format("read-only remount of build root '%1%' failed") % chrootRootDir);
+	    /* Make the root read-only.
+
+	       The build process could make it world-accessible, but that's
+	       OK: since 'chrootRootTop' is *not* world-accessible, a
+	       world-accessible 'chrootRootDir' cannot be used to grant access
+	       to the store to external processes.
+
+	       Remounting the root as read-only was rejected because it makes
+	       write access fail with EROFS instead of EACCES, which goes
+	       against what some test suites expect (Go, Ruby, SCons,
+	       Shepherd, to name a few).  */
+	    chmod_("/", 0555);
 
 	    if (getuid() != 0) {
 		/* Create a new mount namespace to "lock" previous mounts.
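Review bot: the comment "Make the root read-only" no longer matches the code, which does chmod_("/", 0555) and, in the commit message's own words, "keeps the root writable but #o555"; say "mode 0555" or "non-writable" instead. The sentence "The build process could make it world-accessible" only holds when the build runs as the owner of the root; with --build-users-group the previous hunk chowns chrootRootDir to root, so the chmod fails outright, which is worth stating here since it is the case most daemons run in. As agreed in the thread, "grant access to the store" should read "grant access to the build environment". Finally, getting EACCES from mode bits presupposes that the build process holds no CAP_DAC_OVERRIDE over that directory; the new store test asserts exactly this behaviour, so a sentence noting that assumption would help whoever next changes the namespace setup below.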
diff --git a/tests/store.scm b/tests/store.scm
index b1ddff2082..b467314bdc 100644
--- a/tests/store.scm
+++ b/tests/store.scm
@@ -498,32 +498,23 @@ (define %shell
 
 (unless (unprivileged-user-namespace-supported?)
   (test-skip 1))
-(test-assert "build root cannot be made world-readable"
+(test-assert "writing to build root leads to EACCES"
   (let ((drv
          (run-with-store %store
            (gexp->derivation
-            "attempt-to-make-root-world-readable"
-            (with-imported-modules (source-module-closure
-                                    '((guix build syscalls)))
-              #~(begin
-                  (use-modules (guix build syscalls))
+            "write-to-root"
+            #~(begin
+                (catch 'system-error
+                  (lambda ()
+                    (mkdir "/whatever"))
+                  (lambda args
+                    (format #t "mkdir failed, which is good: ~a~%"
+                            (strerror (system-error-errno args)))
+                    (when (= EACCES (system-error-errno args))
+                      (exit 1))))
 
-                  (catch 'system-error
-                    (lambda ()
-                      (chmod "/" #o777))
-                    (lambda args
-                      (format #t "failed to make root writable: ~a~%"
-                              (strerror (system-error-errno args)))
-                      (format #t "attempting read-write remount~%")
-                      (mount "none" "/" "/" (logior MS_BIND MS_REMOUNT))
-                      (chmod "/" #o777)))
-
-                  ;; At this point, the build process could create a
-                  ;; world-readable setuid binary under its root (so in the
-                  ;; store) that would remain visible until the build
-                  ;; completes.
-                  (mkdir #$output)))))))
-    (guard (c ((store-protocol-error? c) #t))
+                (mkdir #$output))))))
+    (guard (c ((store-protocol-error? c) c))
       (build-derivations %store (list drv))
       #f)))
 
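Review bot: the test's polarity is inverted relative to its name and deserves a comment: the builder calls (exit 1) when it sees the expected EACCES, the build therefore fails, the guard catches store-protocol-error and returns the condition as the (truthy) pass value, while every other outcome, including the EROFS this patch is fixing, falls through to (mkdir #$output), the build succeeds, and the test fails with a bare #f. Given that, "mkdir failed, which is good" is misleading in the non-EACCES branch; print something like "mkdir failed with unexpected errno" there so that a regression back to EROFS is visible in the build log rather than only as an assertion failure. Returning c instead of the previous #t from the guard works for test-assert but is an unexplained change; #t is clearer.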

base-commit: 1dab24555a494beb3db5a335c675f07043e77f1c
-- 
2.49.0
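The argument in the commit message rests on two observable facts: writing into a mode 0555 directory as an unprivileged process fails with EACCES rather than EROFS, and a world-accessible directory whose parent is not world-searchable cannot be reached by other users no matter what its own mode says. The following C program, added here as an illustration and not part of Guix or of this patch, reproduces both on an ordinary filesystem by building a temporary "top" directory (mode 0750, standing in for chrootRootTop) with a 0555 "root" below it (standing in for chrootRootDir), doing what a build calling chmod("/", 0777) would achieve, and then walking the path to see whether "others" could traverse it. The function names world_traversable, mkdir_in and run_demo, the chroot-top-XXXXXX template under TMPDIR and the "whatever" entry are this example's own choices. The EROFS side of the comparison needs a read-only bind mount and is deliberately left out.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk absolute PATH from "/" downwards and report whether every directory
   on the way, PATH itself included, grants search permission to "others"
   (S_IXOTH), which is what a process of an unrelated user needs to reach
   anything below PATH.  Returns 1 if fully traversable, 0 if some component
   blocks it, -1 on a relative path, a stat() failure or a non-directory.
   A process with CAP_DAC_READ_SEARCH ignores these bits; the answer only
   describes unprivileged users. */
int world_traversable(const char *path)
{
    char buf[PATH_MAX];
    struct stat st;
    size_t len = strlen(path);

    if (len == 0 || len >= sizeof buf || path[0] != '/')
        return -1;
    memcpy(buf, path, len + 1);

    /* Checkpoints: "/" (i == 1), every prefix ending at a '/', and PATH. */
    for (size_t i = 1; i <= len; i++) {
        if (i > 1 && i < len && buf[i] != '/')
            continue;
        char saved = buf[i];
        buf[i] = '\0';
        int is_dir = stat(buf, &st) == 0 && S_ISDIR(st.st_mode);
        int searchable = is_dir && (st.st_mode & S_IXOTH);
        buf[i] = saved;
        if (!is_dir)
            return -1;
        if (!searchable)
            return 0;
    }
    return 1;
}

/* Try mkdir(DIR/NAME).  Returns 0 if it succeeded (the directory is removed
   again) or the errno of the failure, EACCES being the interesting one. */
int mkdir_in(const char *dir, const char *name)
{
    char buf[PATH_MAX];
    if (snprintf(buf, sizeof buf, "%s/%s", dir, name) >= (int) sizeof buf)
        return ENAMETOOLONG;
    if (mkdir(buf, 0755) == -1)
        return errno;
    rmdir(buf);
    return 0;
}

struct demo_result {
    int mkdir_errno_in_0555;       /* mkdir() inside the 0555 root, non-root: EACCES */
    int reachable_behind_0750_top; /* world_traversable(root) after chmod 0777, top 0750 */
    int top_0755_reachable;        /* world_traversable(top) for a 0755 top */
    int reachable_behind_0755_top; /* world_traversable(root) after chmod 0777, top 0755 */
};

/* Create TOP (mkdtemp under TMPDIR, then chmod'd to TOP_MODE) and a 0555
   "root" inside it, mirroring chrootRootTop/chrootRootDir.  Returns 0 or -1. */
static int make_tree(mode_t top_mode, char *top, size_t top_size,
                     char *root, size_t root_size)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL || tmp[0] != '/')
        tmp = "/tmp";
    if (snprintf(top, top_size, "%s/chroot-top-XXXXXX", tmp) >= (int) top_size)
        return -1;
    if (mkdtemp(top) == NULL || chmod(top, top_mode) == -1)
        return -1;
    if (snprintf(root, root_size, "%s/root", top) >= (int) root_size)
        return -1;
    return mkdir(root, 0555);
}

int run_demo(struct demo_result *r)
{
    char top[PATH_MAX], root[PATH_MAX];
    memset(r, 0, sizeof *r);

    /* Case 1, the patch's layout: a 0750 top that "others" cannot search. */
    if (make_tree(0750, top, sizeof top, root, sizeof root) == -1)
        return -1;
    r->mkdir_errno_in_0555 = mkdir_in(root, "whatever");
    chmod(root, 0777);  /* what a build doing chmod("/", 0777) would achieve */
    r->reachable_behind_0750_top = world_traversable(root);
    rmdir(root);
    rmdir(top);

    /* Case 2: a 0755 top; the same chmod now exposes root to anyone who can
       reach top. */
    if (make_tree(0755, top, sizeof top, root, sizeof root) == -1)
        return -1;
    chmod(root, 0777);
    r->top_0755_reachable = world_traversable(top);
    r->reachable_behind_0755_top = world_traversable(root);
    rmdir(root);
    rmdir(top);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) == -1) {
        perror("demo setup");
        return 1;
    }
    printf("mkdir inside 0555 root: %s\n",
           r.mkdir_errno_in_0555 ? strerror(r.mkdir_errno_in_0555)
                                 : "succeeded (running as root?)");
    printf("root chmod 0777 behind 0750 top, reachable by others: %d\n",
           r.reachable_behind_0750_top);
    printf("root chmod 0777 behind 0755 top, reachable by others: %d\n",
           r.reachable_behind_0755_top);
    return 0;
}
```

Run it as an unprivileged user: the first line reports "Permission denied" (EACCES, the behaviour the new store test checks for), the second reports 0 because the 0750 parent blocks the walk regardless of the child's 0777, and the third reports whatever the walk to the 0755 parent yields, usually 1 under /tmp. Run as root, mkdir_in succeeds, which is the CAP_DAC_OVERRIDE caveat: mode bits only produce EACCES for processes that lack that capability over the directory.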





Last modified: Thu, 10 Apr 2025 08:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.