Reepca Russelstein wrote 5 months ago
(address . guix-patches@gnu.org)
87y12che58.fsf@russelstein.xyz
mkdir-p/perms in (gnu build activation) currently first creates the
target directory with its permissions restricted solely by umask, then
changes the permissions afterward. This leaves a window during which it
is possible that read and/or execute bits for untrusted users may be set
on the target directory.
By changing it so that the directory, if it is created, is created with
no more permissions than the caller specified, we can be confident that
if the directory didn't already exist - for example because it was
deliberately deleted in advance - it at no point was more accessible
than intended.
- reepca
From 736515a6e2e0e403c076c74b3019b69518a6bc9e Mon Sep 17 00:00:00 2001
From: Reepca Russelstein <reepca@russelstein.xyz>
Date: Fri, 25 Oct 2024 01:04:48 -0500
Subject: [PATCH] gnu: build: create directory with specified perms in
mkdir-p/perms.
There is currently a window of time between when the desired directory is
created and when its permissions are changed. During this time, its
permissions are restricted only by the umask.
Of course, in the "directory already exists" case, this doesn't matter, but if
the directory has been specifically deleted ahead of time so that it is
created afresh, this is an unnecessary window.
We can avoid this by passing the caller-provided BITS to 'mkdirat' when
attempting to create the last directory.
* gnu/build/activation.scm (mkdir-p/perms): Create target directory with BITS
permissions.
Change-Id: I03d2c620872e86b6f591abe0f1c8317aa1245383
---
gnu/build/activation.scm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Toggle diff (17 lines)
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index d1a2876..a450578 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -113,7 +113,9 @@ (define open-flags (logior O_CLOEXEC ; don't pass the port on to subprocesses
;; If not, create it.
(catch 'system-error
(lambda _
- (mkdirat root head))
+ (if (null? tail)
+ (mkdirat root head bits)
+ (mkdirat root head)))
(lambda args
;; Someone else created the directory. Unexpected but fine.
(unless (= EEXIST (system-error-errno args))
--
2.45.2
-----BEGIN PGP SIGNATURE-----
iQFLBAEBCAA1FiEEdNapMPRLm4SepVYGwWaqSV9/GJwFAmcbPyMXHHJlZXBjYUBy
dXNzZWxzdGVpbi54eXoACgkQwWaqSV9/GJxIvAgAi8PUz7die5MiJiYMaV23CJxc
OcYDnjY1Kk+alQO1M0zU4sLpUIvDM4eWC0WRFAMYDXXAJS2Sxa6OkUYlh6R1Oq9N
+lulUhBnnWAk7wzIadT4Gq3goN8m8GRPagpo3lpZto7cMXQn5P11gwrfJZht5hgE
WqYEkkA2VGKAaLbvPRzYvKUWlrooXUobpELxeHh0VWyEGjEKIUrNAZ9GNQzUY++p
8leKne5aBwndrgQmf15oCd8hpXgcrsH3Bl1EZM10N9UAjUUFrqe06MvDNQYsDErT
PkzgWfjM5LEp1LnQkamlBRhl0pRlP5x34JO9DXFsfab2c1qvu7QvqW8viEzVdg==
=4NHN
-----END PGP SIGNATURE-----