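# Check whether RPATHs or wrapper scripts contain references to
# $TMPDIR. This is a serious security bug because it allows any user
# to inject files into search paths of other users' processes.
#
# It might be better to have Nix scan build output for any occurrence
# of $TMPDIR (which would also be good for reproducibility), but at
# the moment that would produce too many spurious errors (e.g. debug
# info or assertion messages that refer to $TMPDIR).

fixupOutputHooks+=('if [[ -z "${noAuditTmpdir-}" && -e "$prefix" ]]; then auditTmpdir "$prefix"; fi')

#######################################
# Audit one output directory for references to $TMPDIR/.
# Globals:   TMPDIR (read)
# Arguments: $1 - directory to scan (a missing directory is not an error)
# Outputs:   progress line and any finding on stdout
# Returns:   0 when no forbidden reference is found (or $1 does not exist),
#            1 on the first offending file or when TMPDIR is empty; a caller
#            running under `set -e` (as the stdenv build shell is expected
#            to) therefore aborts the build
#######################################
auditTmpdir() {
  local dir="$1"
  [[ -e "$dir" ]] || return 0

  # With an empty TMPDIR the search strings below degrade to "/" and would
  # flag nearly every file; fail loudly instead of reporting nonsense.
  if [[ -z "${TMPDIR-}" ]]; then
    printf 'auditTmpdir: TMPDIR is unset or empty, cannot audit %s\n' "$dir" >&2
    return 1
  fi

  printf 'checking for references to %s/ in %s...\n' "$TMPDIR" "$dir"

  local i
  # Feed the loop via process substitution so it runs in this shell: in a
  # `find | while` pipeline the loop body is a subshell, `exit 1` only ends
  # that subshell, and the function's result depends on pipeline status.
  while IFS= read -r -d '' i; do
    # Debug-info link farms live under .build-id/ and are skipped. Matching
    # the path component exactly (rather than the regex `.build-id`) avoids
    # silently skipping unrelated paths such as "...-build-identity/...".
    [[ "$i" == */.build-id/* ]] && continue

    if isELF "$i"; then
      # The leading ':' makes a $TMPDIR/ entry at the very start of the
      # RPATH match the ":$TMPDIR/" search string as well.
      if { printf :; patchelf --print-rpath "$i"; } | grep -q -F -- ":$TMPDIR/"; then
        printf 'RPATH of binary %s contains a forbidden reference to %s/\n' "$i" "$TMPDIR"
        return 1
      fi
    fi

    if isScript "$i"; then
      # Only wrapper scripts (those with a sibling .<name>-wrapped file)
      # are inspected; other scripts may legitimately mention $TMPDIR.
      if [[ -e "$(dirname "$i")/.$(basename "$i")-wrapped" ]]; then
        if grep -q -F -- "$TMPDIR/" "$i"; then
          printf 'wrapper script %s contains a forbidden reference to %s/\n' "$i" "$TMPDIR"
          return 1
        fi
      fi
    fi
  done < <(find "$dir" -type f -print0)
}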