public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/security/wrapper: ensure the tmpfs is not world writeable

Browse Source 
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory has the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
This commit is contained in:
Andreas Rammhold 2020-09-28 19:43:54 +02:00
parent cd7db06935
commit 9630d5c07f
No known key found for this signature in database
GPG Key ID: E432E410B5E48C86
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/modules/security/wrappers/default.nix
View File

@ -169,7 +169,7 @@ in
boot.specialFileSystems.${parentWrapperDir} = { boot.specialFileSystems.${parentWrapperDir} = {
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "nodev" ]; options = [ "nodev" "mode=755" ];
}; };
# Make sure our wrapperDir exports to the PATH env variable when # Make sure our wrapperDir exports to the PATH env variable when
@ -195,6 +195,8 @@ in
# programs to be wrapped. # programs to be wrapped.
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
chmod 755 "${parentWrapperDir}"
# We want to place the tmpdirs for the wrappers to the parent dir. # We want to place the tmpdirs for the wrappers to the parent dir.
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX) wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
chmod a+rx $wrapperDir chmod a+rx $wrapperDir
@ -205,6 +207,9 @@ in
# Atomically replace the symlink # Atomically replace the symlink
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/ # See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
old=$(readlink -f ${wrapperDir}) old=$(readlink -f ${wrapperDir})
if [ -e ${wrapperDir}-tmp ]; then
rm --force --recursive ${wrapperDir}-tmp
fi
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir} mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
rm --force --recursive $old rm --force --recursive $old