
make-initrd-ng: Restore stripped file permissions

Previously, all initrd ELFs would be made *world-writable*.

This commit sets the write bit for the file owner exclusively, and
removes it when done. It also sets the umask so that files don't
implicitly become writable for other users by mistake.

Fixes: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4
Reported-By: sudoBash418 <sudobash418@gmail.com>

authored by

sudoBash418 and committed by
Will Fancher
93b98639 afdd737c

+23 -4
+8 -1
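--- a/pkgs/build-support/kernel/make-initrd-ng/Cargo.lock
+++ b/pkgs/build-support/kernel/make-initrd-ng/Cargo.lock
@@ -1,6 +1,6 @@
 # This file is automatically @generated by Cargo.
 # It is not intended for manual editing.
-version = 3
+version = 4
 
 [[package]]
 name = "eyre"
@@ -36,6 +36,12 @@
 checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
 
 [[package]]
+name = "libc"
+version = "0.2.171"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c19937216e9d3aa9956d9bb8dfc0b0c8beb6058fc4f7a4dc4d850edf86a237d6"
+
+[[package]]
 name = "log"
 version = "0.4.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -47,6 +53,7 @@
 dependencies = [
 "eyre",
 "goblin",
+"libc",
 "serde",
 "serde_json",
 ]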
+1
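--- a/pkgs/build-support/kernel/make-initrd-ng/Cargo.toml
+++ b/pkgs/build-support/kernel/make-initrd-ng/Cargo.toml
@@ -9,5 +9,6 @@
 [dependencies]
 eyre = "0.6.8"
 goblin = "0.5.0"
+libc = "0.2.171"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"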
+14 -3
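--- a/pkgs/build-support/kernel/make-initrd-ng/src/main.rs
+++ b/pkgs/build-support/kernel/make-initrd-ng/src/main.rs
@@ -5,8 +5,11 @@
 use std::hash::Hash;
 use std::iter::FromIterator;
 use std::os::unix;
+use std::os::unix::fs::PermissionsExt;
 use std::path::{Component, Path, PathBuf};
 use std::process::Command;
+
+use libc::umask;
 
 use eyre::Context;
 use goblin::{elf::Elf, Object};
@@ -191,9 +194,9 @@
 let mut permissions = fs::metadata(&target)
 .wrap_err_with(|| format!("failed to get metadata for {:?}", target))?
 .permissions();
-permissions.set_readonly(false);
-fs::set_permissions(&target, permissions)
-.wrap_err_with(|| format!("failed to set readonly flag to false for {:?}", target))?;
+permissions.set_mode(permissions.mode() | 0o200);
+fs::set_permissions(&target, permissions.clone())
+.wrap_err_with(|| format!("failed to set read-write permissions for {:?}", target))?;
 
 // Strip further than normal
 if let Ok(strip) = env::var("STRIP") {
@@ -207,6 +210,11 @@
 println!("{:?} was not successfully stripped.", OsStr::new(&target));
 }
 }
+
+// Remove writable permissions
+permissions.set_mode(permissions.mode() ^ 0o222);
+fs::set_permissions(&target, permissions)
+.wrap_err_with(|| format!("failed to remove writable permissions for {:?}", target))?;
 };
 
 Ok(())
@@ -334,6 +342,9 @@
 })?;
 let output = &args[2];
 let out_path = Path::new(output);
+
+// The files we create should not be writable.
+unsafe { umask(0o022) };
 
 let mut queue = NonRepeatingQueue::<StorePath>::new();
 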
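Review bot: The `^ 0o222` in the "Remove writable permissions" step (new line 215) toggles the three write bits instead of clearing them. `permissions` still carries the `| 0o200` applied at new line 197, so owner-write is cleared, but group- and other-write are flipped: a target that entered with those bits clear (for example mode 0o555) would leave as 0o577, group- and world-writable, which is the condition this commit sets out to remove. Clearing with a mask does not depend on the prior state: `permissions.set_mode(permissions.mode() & !0o222);`. The enclosing function starts and ends outside these hunks, so the mode the target has on entry is not visible here and should be confirmed against the copy step; the `unsafe { umask(0o022) }` call at new line 347 would also benefit from a `// SAFETY:` comment stating why it is sound at that point.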