activation: Do not create setuid binaries in the store [security fix].

Fixes <https://bugs.gnu.org/28751>. * gnu/build/activation.scm (activate-setuid-programs)[link-or-copy]: Remove. Use 'copy-file' instead.
2017-10-08 21:25:32 +02:00 · 2017-10-08 21:25:32 +02:00 · 5e66574a12
parent d265169b36
commit 5e66574a12
1 changed files with 1 additions and 12 deletions
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@ -353,24 +353,13 @@ they already exist."
  ;; Place where setuid programs are stored.
  "/run/setuid-programs")

-(define (link-or-copy source target)
-  "Attempt to make TARGET a hard link to SOURCE; if it fails, fall back to
-copy SOURCE to TARGET."
-  (catch 'system-error
-    (lambda ()
-      (link source target))
-    (lambda args
-      ;; Perhaps SOURCE and TARGET live in a different file system, so copy
-      ;; SOURCE.
-      (copy-file source target))))
-
 (define (activate-setuid-programs programs)
  "Turn PROGRAMS, a list of file names, into setuid programs stored under
 %SETUID-DIRECTORY."
  (define (make-setuid-program prog)
    (let ((target (string-append %setuid-directory
                                 "/" (basename prog))))
-      (link-or-copy prog target)
+      (copy-file prog target)
      (chown target 0 0)
      (chmod target #o6555)))