From cd49ee08970f0fa44053fb12cdf29668e8131a51 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Thu, 13 Jun 2013 17:12:24 +0200
Subject: [PATCH] Fix a security bug in hash rewriting

Before calling dumpPath(), we have to make sure the files are owned by
the build user.  Otherwise, the build could contain a hard link to
(say) /etc/shadow, which would then be read by the daemon and
rewritten as a world-readable file.

This only affects systems that don't have hard link restrictions
enabled.
---
 src/libstore/build.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index 2d3371957..e49c66fc5 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -1489,6 +1489,12 @@ void DerivationGoal::buildDone()
             /* Apply hash rewriting if necessary. */
             if (!rewritesFromTmp.empty()) {
                 printMsg(lvlError, format("warning: rewriting hashes in `%1%'; cross fingers") % path);
+
+                /* Canonicalise first.  This ensures that the path
+                   we're rewriting doesn't contain a hard link to
+                   /etc/shadow or something like that. */
+                canonicalisePathMetaData(path, buildUser.enabled() ? buildUser.getUID() : -1);
+
                 /* FIXME: this is in-memory. */
                 StringSink sink;
                 dumpPath(path, sink);
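Review bot: The ownership check the new call adds is only in force when `buildUser.enabled()` is true — with `-1` passed in the other branch canonicalisePathMetaData presumably has no UID to compare against, so a foreign hard link would still reach dumpPath(), which is acceptable only because a build with no dedicated user already runs with the daemon's own privileges; the comment on the added lines should state that rather than just "canonicalise first". I would make it name the contract relied on, e.g. `/* canonicalisePathMetaData() rejects any entry not owned by the build user, so a hard link to a foreign file (e.g. /etc/shadow) is refused before dumpPath() reads it into the daemon. With no build user there is no UID to check (-1) and no privilege boundary to protect. */`. This is also a check-then-read sequence: it is only sound if the build user's processes have already been killed before this point so they cannot swap the inode between the check and dumpPath(); that presumably happens earlier in buildDone, which starts before and continues past this hunk. Worth confirming as well that canonicalisePathMetaData performs its ownership test before any chmod/chown of the entry, otherwise a hard link to a foreign file still has its mode rewritten even though the build is then rejected.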
-- 
GitLab