nixo
/
guix-devel
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

activation: Do not create setuid binaries in the store [security fix]. 

Fixes <https://bugs.gnu.org/28751>.

* gnu/build/activation.scm (activate-setuid-programs)[link-or-copy]: Remove.
Use 'copy-file' instead.
This commit is contained in:
Ludovic Courtès 2017-10-08 21:25:32 +02:00
parent d265169b36
commit 5e66574a12
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 1 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
gnu/build/activation.scm
View File

@ -353,24 +353,13 @@ they already exist."
;; Place where setuid programs are stored. ;; Place where setuid programs are stored.
"/run/setuid-programs") "/run/setuid-programs")
(define (link-or-copy source target)
"Attempt to make TARGET a hard link to SOURCE; if it fails, fall back to
copy SOURCE to TARGET."
(catch 'system-error
(lambda ()
(link source target))
(lambda args
;; Perhaps SOURCE and TARGET live in a different file system, so copy
;; SOURCE.
(copy-file source target))))
(define (activate-setuid-programs programs) (define (activate-setuid-programs programs)
"Turn PROGRAMS, a list of file names, into setuid programs stored under "Turn PROGRAMS, a list of file names, into setuid programs stored under
%SETUID-DIRECTORY." %SETUID-DIRECTORY."
(define (make-setuid-program prog) (define (make-setuid-program prog)
(let ((target (string-append %setuid-directory (let ((target (string-append %setuid-directory
"/" (basename prog)))) "/" (basename prog))))
(link-or-copy prog target) (copy-file prog target)
(chown target 0 0) (chown target 0 0)
(chmod target #o6555))) (chmod target #o6555)))