Fixup various setuid/setgid permission problems, part 2 #26939
Conversation
Looks like NixOS creates a security wrapper for this already, FWIW.
| @@ -27,7 +27,7 @@ stdenv.mkDerivation { | |||
| ''; | |||
|
|
|||
| preBuild = '' | |||
| sed -e "s@/etc/@$out/etc/@g" -i Makefile | |||
| sed -e "s@/etc/@$out/etc/@g" -e "/chmod u+s/d" -i Makefile | |||
There was a problem hiding this comment.
I don't like differential rights management, so perhaps you could replace that.
There was a problem hiding this comment.
This change deletes the entire chmod u+s invocation entirely, which seems even better! (yes?)
There was a problem hiding this comment.
Oh, I am sorry for wasting your time here.
|
@0xABAB thanks for the review and comments. See #26600 for a bit of background, but basically for security reasons Nix no longer allows builders to set various permissions at any point during the build. Previously builders could "pretend" to set things like These changes should not change permissions on the completed outputs. The goal is to prevent security holes on builders that allow this behavior and un-break the build on hosts using newer Nix that disallows setting these permissions even temporarily. Separately from working towards ensuring we're on the same page (above), is there something to be done to improve on these changes? |
|
Built locally. Thank you |
|
Thanks for merging! 👍 |
Motivation for this change
Fixes all but the Darwin-specific failure in qtsvg from the list of packages in #26600.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandboxinnix.confon non-NixOS)
nix-shell -p nox --run "nox-review wip"./result/bin/)