[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
27/27: Don't let unprivileged users repair paths
From: |
Ludovic Courtès |
Subject: |
27/27: Don't let unprivileged users repair paths |
Date: |
Wed, 03 Jun 2015 22:00:47 +0000 |
civodul pushed a commit to branch nix
in repository guix.
commit e531520ddcd54903bbea0f3ce08dfbed830f40aa
Author: Eelco Dolstra <address@hidden>
Date: Tue Jun 2 02:21:54 2015 +0200
Don't let unprivileged users repair paths
---
nix/nix-daemon/nix-daemon.cc | 16 +++++++++-------
1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc
index 96a4e4b..2b89190 100644
--- a/nix/nix-daemon/nix-daemon.cc
+++ b/nix/nix-daemon/nix-daemon.cc
@@ -648,13 +648,15 @@ static void performOp(bool trusted, unsigned int
clientVersion,
break;
case wopVerifyStore: {
- bool checkContents = readInt(from) != 0;
- bool repair = readInt(from) != 0;
- startWork();
- bool errors = store->verifyStore(checkContents, repair);
- stopWork();
- writeInt(errors, to);
- break;
+ bool checkContents = readInt(from) != 0;
+ bool repair = readInt(from) != 0;
+ startWork();
+ if (repair && !trusted)
+ throw Error("you are not privileged to repair paths");
+ bool errors = store->verifyStore(checkContents, repair);
+ stopWork();
+ writeInt(errors, to);
+ break;
}
default:
- 17/27: Simplify printHash32, (continued)
- 17/27: Simplify printHash32, Ludovic Courtès, 2015/06/03
- 18/27: Simplify parseHash32, Ludovic Courtès, 2015/06/03
- 19/27: Use pivot_root in addition to chroot when possible, Ludovic Courtès, 2015/06/03
- 15/27: Doh, Ludovic Courtès, 2015/06/03
- 22/27: Tighten permissions on chroot directories, Ludovic Courtès, 2015/06/03
- 20/27: Use chroots for all derivations, Ludovic Courtès, 2015/06/03
- 25/27: Revert /nix/store permission back to 01775, Ludovic Courtès, 2015/06/03
- 21/27: Fix typos: s/the the/the/, Ludovic Courtès, 2015/06/03
- 24/27: Chroot builds: Provide world-readable /nix/store, Ludovic Courtès, 2015/06/03
- 23/27: addToStore(): Take explicit name argument, Ludovic Courtès, 2015/06/03
- 27/27: Don't let unprivileged users repair paths,
Ludovic Courtès <=
- 26/27: Add a ‘verifyStore’ RPC, Ludovic Courtès, 2015/06/03