Loading pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patchdeleted 100644 → 0 +0 −42 Original line number Diff line number Diff line diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c5383bc..50d1abc 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs() Path actualPath = path; if (useChroot) { actualPath = chrootRootDir + path; - if (pathExists(actualPath)) { - /* Move output paths from the chroot to the store. */ - if (buildMode == bmRepair) - replaceValidPath(path, actualPath); - else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); - } - if (buildMode != bmCheck) actualPath = path; } else { Path redirected = redirectedOutputs[path]; if (buildMode == bmRepair @@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs() something like that. */ canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen); + if (useChroot) { + if (pathExists(actualPath)) { + /* Now that output paths have been canonicalized (in particular + there are no setuid files left), move them outside of the + chroot and to the store. */ + if (buildMode == bmRepair) + replaceValidPath(path, actualPath); + else + if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + } + if (buildMode != bmCheck) actualPath = path; + } + + /* FIXME: this is in-memory. */ StringSink sink; dumpPath(actualPath, sink); pkgs/by-name/gu/guix/package.nix +13 −2 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ stdenv, fetchurl, fetchpatch, fetchDebianPatch, autoreconfHook, disarchive, git, Loading Loading 
@@ -57,9 +58,19 @@ stdenv.mkDerivation rec { url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42"; hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao="; }) # manual port of build user takeover remediation commit # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability ./guix-build-user-takeover-fix.patch (fetchDebianPatch { inherit pname version; debianRevision = "8"; patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch"; hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo="; }) (fetchDebianPatch { inherit pname version; debianRevision = "8"; patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch"; hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM="; }) ]; postPatch = '' Loading Loading
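Review bot: The two `fetchDebianPatch` entries that take over from the deleted `./guix-build-user-takeover-fix.patch` carry no comment saying which advisory they remediate, and whether the existing `# manual port of build user takeover remediation commit` / `# see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability` lines survive on the new side cannot be told from the rendered hunk, since the `+`/`-` markers are lost. If those lines are dropped, add above the first entry: `# Debian packaging's patches for the build-user-takeover remediation (0101 failed outputs, 0102 successful outputs)` and `# see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability`, so the security reason for pinning these hashes is not lost to the next updater. Both entries repeat `debianRevision = "8"`; a one-line comment noting that the pair is expected to be bumped together would make that coupling explicit. The `patches` list this hunk edits begins before the hunk; the same section is rendered again at L3–L4 and needs no separate note.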
pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patchdeleted 100644 → 0 +0 −42 Original line number Diff line number Diff line diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc index c5383bc..50d1abc 100644 --- a/nix/libstore/build.cc +++ b/nix/libstore/build.cc @@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs() Path actualPath = path; if (useChroot) { actualPath = chrootRootDir + path; - if (pathExists(actualPath)) { - /* Move output paths from the chroot to the store. */ - if (buildMode == bmRepair) - replaceValidPath(path, actualPath); - else - if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) - throw SysError(format("moving build output `%1%' from the chroot to the store") % path); - } - if (buildMode != bmCheck) actualPath = path; } else { Path redirected = redirectedOutputs[path]; if (buildMode == bmRepair @@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs() something like that. */ canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen); + if (useChroot) { + if (pathExists(actualPath)) { + /* Now that output paths have been canonicalized (in particular + there are no setuid files left), move them outside of the + chroot and to the store. */ + if (buildMode == bmRepair) + replaceValidPath(path, actualPath); + else + if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1) + throw SysError(format("moving build output `%1%' from the chroot to the store") % path); + } + if (buildMode != bmCheck) actualPath = path; + } + + /* FIXME: this is in-memory. */ StringSink sink; dumpPath(actualPath, sink);
pkgs/by-name/gu/guix/package.nix +13 −2 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ stdenv, fetchurl, fetchpatch, fetchDebianPatch, autoreconfHook, disarchive, git, Loading Loading @@ -57,9 +58,19 @@ stdenv.mkDerivation rec { url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42"; hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao="; }) # manual port of build user takeover remediation commit # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability ./guix-build-user-takeover-fix.patch (fetchDebianPatch { inherit pname version; debianRevision = "8"; patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch"; hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo="; }) (fetchDebianPatch { inherit pname version; debianRevision = "8"; patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch"; hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM="; }) ]; postPatch = '' Loading