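# Check whether RPATHs or wrapper scripts contain references to
# $TMPDIR. This is a serious security bug because it allows any user
# to inject files into search paths of other users' processes.
#
# It might be better to have Nix scan build output for any occurrence
# of $TMPDIR (which would also be good for reproducibility), but at
# the moment that would produce too many spurious errors (e.g. debug
# info or assertion messages that refer to $TMPDIR).

# Registered as a fixup hook; a derivation opts out by setting noAuditTmpdir.
fixupOutputHooks+=('if [[ -z "${noAuditTmpdir-}" && -e "$prefix" ]]; then auditTmpdir "$prefix"; fi')

#######################################
# Audit an output directory for references to $TMPDIR/ in ELF RPATHs
# and in wrapper scripts.
#
# Files are classified once (ELF vs. wrapper script) and the two
# classes are checked concurrently, NIX_BUILD_CORES files at a time.
# The stages are connected by FIFOs living in a private temp dir.
#
# Globals:
#   TMPDIR (read)            - the path that must not be referenced
#   NIX_BUILD_CORES (read)   - parallelism of the checks
#   isELF, isScript (called) - classifiers provided by the stdenv setup
# Arguments:
#   $1 - directory to audit; a missing directory is accepted silently
# Outputs:
#   progress and diagnostics on stdout
# Returns:
#   0 when no forbidden reference was found; otherwise the shell exits
#   with status 1 (this aborts the build)
#######################################
auditTmpdir() {
  local dir="$1"
  [[ -e "$dir" ]] || return 0

  # An empty TMPDIR would turn the patterns below into ":/" and "/",
  # flagging every absolute path; refuse to run in that case.
  : "${TMPDIR:?auditTmpdir: TMPDIR must be set and non-empty}"

  printf '%s\n' "checking for references to $TMPDIR/ in $dir..."

  local tmpdir elf_fifo script_fifo
  tmpdir="$(mktemp -d)"
  elf_fifo="$tmpdir/elf"
  script_fifo="$tmpdir/script"
  mkfifo "$elf_fifo" "$script_fifo"

  # Classifier: route ELF files to fd 3 and wrapper scripts to fd 4.
  # Opening a FIFO for writing blocks until the matching handler below
  # has opened it for reading, so the handlers must be started too.
  (
    find "$dir" -type f -not -path '*/.build-id/*' -print0 \
      | while IFS= read -r -d $'\0' file; do
        if isELF "$file"; then
          printf '%s\0' "$file" >&3
        elif isScript "$file"; then
          base=${file##*/}
          parent=${file%/*}
          # A script counts as a wrapper only if a ".<name>-wrapped"
          # sibling exists; other scripts are not audited here.
          if [[ -e "$parent/.$base-wrapped" ]]; then
            printf '%s\0' "$file" >&4
          fi
        fi
      done
    exec 3>&- 4>&-
  ) 3> "$elf_fifo" 4> "$script_fifo" &
  local pid_classify=$!

  # Handler: RPATH check. The leading ":" anchors the match to the
  # start of an RPATH entry, so a longer path merely containing
  # $TMPDIR/ elsewhere is not reported.
  (
    xargs -0 -r -P "$NIX_BUILD_CORES" -n 1 sh -c '
      if { printf :; patchelf --print-rpath "$1"; } | grep -q -F ":$TMPDIR/"; then
        echo "RPATH of binary $1 contains a forbidden reference to $TMPDIR/"
        exit 1
      fi
    ' _ < "$elf_fifo"
  ) &
  local pid_elf=$!

  # Handler: wrapper-script check (plain fixed-string search).
  (
    xargs -0 -r -P "$NIX_BUILD_CORES" -n 1 sh -c '
      if grep -q -F "$TMPDIR/" "$1"; then
        echo "wrapper script $1 contains a forbidden reference to $TMPDIR/"
        exit 1
      fi
    ' _ < "$script_fifo"
  ) &
  local pid_script=$!

  # Reap every stage before deciding, so that both failure reports are
  # printed and no child or temp dir is left behind when the audit fails.
  local status=0
  wait "$pid_elf" \
    || { printf '%s\n' "Some binaries contain forbidden references to $TMPDIR/. Check the error above!"; status=1; }
  wait "$pid_script" \
    || { printf '%s\n' "Some scripts contain forbidden references to $TMPDIR/. Check the error above!"; status=1; }
  # A failed enumeration would silently shrink the audit; fail closed.
  wait "$pid_classify" \
    || { printf '%s\n' "auditTmpdir: could not enumerate files in $dir; the audit is incomplete"; status=1; }

  rm -r "$tmpdir"
  (( status == 0 )) || exit 1
}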