From 9630d5c07fbdb264fec79f428b0c65366a356a72 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Mon, 28 Sep 2020 19:43:54 +0200
Subject: [PATCH] nixos/security/wrapper: ensure the tmpfs is not world writeable

The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with its root directory has the standard (for tmpfs) mode: 1777 (world writeable, sticky -- the standard mode of shared temporary directories). This means that every user can create new files and subdirectories there, but can't move/delete/rename files that belong to other users.
---
 nixos/modules/security/wrappers/default.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/wrappers/default.nix b/nixos/modules/security/wrappers/default.nix
index 38fba96b25e..f560f5c7628 100644
--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -169,7 +169,7 @@ in
 boot.specialFileSystems.${parentWrapperDir} = {
 fsType = "tmpfs";
- options = [ "nodev" ];
+ options = [ "nodev" "mode=755" ];
 };
 
 # Make sure our wrapperDir exports to the PATH env variable when
@@ -195,6 +195,8 @@ in
 # programs to be wrapped.
 WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
 
+ chmod 755 "${parentWrapperDir}"
+
 # We want to place the tmpdirs for the wrappers to the parent dir.
 wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
 chmod a+rx $wrapperDir
@@ -205,6 +207,9 @@ in
 # Atomically replace the symlink
 # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
 old=$(readlink -f ${wrapperDir})
+ if [ -e ${wrapperDir}-tmp ]; then
+ rm --force --recursive ${wrapperDir}-tmp
+ fi
 ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
 mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
 rm --force --recursive $old
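Review bot: The new `"mode=755"` entry in the tmpfs `options` list carries no comment saying why it is there, and a later reader could easily take it for a redundant default and drop it. A one-line comment above the `options` line would pin the intent: `# tmpfs mounts default to a 1777 (world-writable, sticky) root; keep this one root-owned and 755 so unprivileged users cannot create entries beside the wrapper symlink`. It is also worth recording that a mount option only takes effect when the filesystem is mounted, so an already-running system that is switched in place keeps whatever mode it was mounted with; the rest of the patch appears to handle that in the activation script, but the comment here should say the option alone is not sufficient.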
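Review bot: The added `chmod 755 "${parentWrapperDir}"` is unexplained, and since the mount option in the same patch already asks for 755 a reader will assume the chmod is dead code; the reason it exists is presumably that the tmpfs may already be mounted 1777 from a previous configuration when the activation script runs without a reboot. I would add `# The mode= mount option only applies at mount time; fix up a tmpfs that was already mounted world-writable by an older configuration.` above it. A second caveat belongs next to it: chmod stops new entries from being created but does not remove anything unprivileged users placed here while the directory was 1777, so every fixed-name path under this directory that root touches later in the script must still tolerate a pre-existing, attacker-owned entry. The activation script that contains these lines starts before and ends after this hunk.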
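Review bot: The `if [ -e ${wrapperDir}-tmp ]` guard around the new `rm` is both redundant and subtly wrong: `rm --force` already exits 0 when the path is absent, and `-e` follows symlinks, so a leftover dangling `${wrapperDir}-tmp` symlink makes the test false and the removal is skipped. Nothing breaks in that case only because the following `ln --symbolic --force --no-dereference` happens to replace a symlink destination, which is not what the guard reads as doing; the three lines can become the single unconditional `rm --force --recursive ${wrapperDir}-tmp`. Since this name is predictable and the parent directory may have been world-writable before this patch on an in-place switch, a comment such as `# -tmp may have been pre-created by an unprivileged user; GNU rm on a symlink argument removes the link itself, never its target` would document why the unconditional removal is safe. `${wrapperDir}` here appears to be a Nix-time interpolation (the hunk uses `$wrapperDir` for the shell temp dir), so shell quoting is not the concern; the enclosing activation script extends beyond this hunk on both sides.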