libstore: Make our sandbox pivot_root directory accessible to ourself

If you have the Nix store mounted from a nonlocal filesystem whose exporter is not running as root, making the directory mode 000 makes it inaccessible to that remote unprivileged user and therefore breaks the build. (Specifically, I am running into this with a virtiofs mount using Apple Virtualization.framework as a non-root user, but I expect the same thing would happen with virtiofs in qemu on Linux as a non-root user or with various userspace network file servers.) Make the directory mode 500 (dr-x------) to make the sandbox work in this use case, which explicitly conveys our intention to read and search the directory. The code only works because root can already bypass directory checks, so this does not actually grant more permissions to the directory owner / does not make the sandbox less secure.
2024-11-15 02:36:16 +02:00 · 2024-10-12 19:55:58 -04:00 · 2024-10-12 19:55:58 -04:00 · 5a794d9366
commit 5a794d9366
parent 30c4f5eb51
1 changed files with 1 additions and 1 deletions
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@ -2008,7 +2008,7 @@ void LocalDerivationGoal::runChild()
            if (chdir(chrootRootDir.c_str()) == -1)
                throw SysError("cannot change directory to '%1%'", chrootRootDir);

-            if (mkdir("real-root", 0) == -1)
+            if (mkdir("real-root", 0500) == -1)
                throw SysError("cannot create real-root directory");

            if (pivot_root(".", "real-root") == -1)