nixos/security/wrapper: ensure the tmpfs is not world writeable
The /run/wrappers directory is a tmpfs. Unfortunately, its root directory was mounted with the default tmpfs mode, 1777 (world-writable and sticky — the standard mode for shared temporary directories). This means that every user can create new files and subdirectories there, but cannot move, delete or rename entries that belong to other users. Mounting with `mode=755` (and `chmod 755` in the activation script, for an already-mounted tmpfs) restricts creation to root.
This commit is contained in:
parent
cd7db06935
commit
9630d5c07f
|
@ -169,7 +169,7 @@ in
|
|||
|
||||
boot.specialFileSystems.${parentWrapperDir} = {
|
||||
fsType = "tmpfs";
|
||||
options = [ "nodev" ];
|
||||
options = [ "nodev" "mode=755" ];
|
||||
};
|
||||
|
||||
# Make sure our wrapperDir exports to the PATH env variable when
|
||||
|
@ -195,6 +195,8 @@ in
|
|||
# programs to be wrapped.
|
||||
WRAPPER_PATH=${config.system.path}/bin:${config.system.path}/sbin
|
||||
|
||||
chmod 755 "${parentWrapperDir}"
|
||||
|
||||
# We want to place the tmpdirs for the wrappers to the parent dir.
|
||||
wrapperDir=$(mktemp --directory --tmpdir="${parentWrapperDir}" wrappers.XXXXXXXXXX)
|
||||
chmod a+rx $wrapperDir
|
||||
|
@ -205,6 +207,9 @@ in
|
|||
# Atomically replace the symlink
|
||||
# See https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/
|
||||
old=$(readlink -f ${wrapperDir})
|
||||
if [ -e ${wrapperDir}-tmp ]; then
|
||||
rm --force --recursive ${wrapperDir}-tmp
|
||||
fi
|
||||
ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
|
||||
mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
|
||||
rm --force --recursive $old
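Review bot: The added `chmod 755 "${parentWrapperDir}"` in the activation script carries no comment saying why it is needed now that the tmpfs is mounted with `mode=755`, so a later reader may drop one of the two as redundant. Presumably the chmod covers a running system that was booted with the old 1777 default and is switched to this configuration without a reboot, since the mount option only takes effect at mount time; I would add `# Also tighten an already-mounted tmpfs: a system booted before mode=755 was set keeps the 1777 default until remount.` above it. Changing the directory mode does not remove entries that unprivileged users may already have created under that directory on such a system, and whether those should be cleaned up is worth a sentence in the comment or the commit description. While touching this script, `chmod a+rx $wrapperDir` and `rm --force --recursive $old` expand variables unquoted (pre-existing); quoting them as `"$wrapperDir"` and `"$old"` costs nothing. The activation script these hunks belong to starts and ends outside the diff.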
|
||||
|
|