JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add a setup hook for detecting $TMPDIR references in RPATHs and wrapper scripts

Browse Source
This commit is contained in:
Eelco Dolstra 2017-05-04 20:06:40 +02:00
parent 3b8f8951db
commit 94d164dd7f
No known key found for this signature in database
GPG Key ID: 8170B4726D7198DE
3 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
pkgs/build-support/setup-hooks/audit-tmpdir.sh Normal file
View File

@ -0,0 +1,41 @@
# Check whether RPATHs or wrapper scripts contain references to
# $TMPDIR. This is a serious security bug because it allows any user
# to inject files into search paths of other users' processes.
#
# It might be better to have Nix scan build output for any occurrence
# of $TMPDIR (which would also be good for reproducibility), but at
# the moment that would produce too many spurious errors (e.g. debug
# info or assertion messages that refer to $TMPDIR).
fixupOutputHooks+=('if [ -z "$noAuditTmpdir" -a -e "$prefix" ]; then auditTmpdir "$prefix"; fi')
auditTmpdir() {
local dir="$1"
[ -e "$dir" ] || return 0
header "checking for references to $TMPDIR in $dir..."
local i
while IFS= read -r -d $'\0' i; do
if [[ "$i" =~ .build-id ]]; then continue; fi
if isELF "$i"; then
if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
exit 1
fi
fi
if isScript "$i"; then
if [ -e "$(dirname $i)/.$(basename $i)-wrapped" ]; then
if grep -q -F "$TMPDIR" "$i"; then
echo "wrapper script $i contains a forbidden reference to $TMPDIR"
exit 1
fi
fi
fi
done < <(find "$dir" -type f -print0)
stopNest
}

1
pkgs/stdenv/generic/default.nix
View File

@ -94,6 +94,7 @@ let
../../build-support/setup-hooks/compress-man-pages.sh ../../build-support/setup-hooks/compress-man-pages.sh
../../build-support/setup-hooks/strip.sh ../../build-support/setup-hooks/strip.sh
../../build-support/setup-hooks/patch-shebangs.sh ../../build-support/setup-hooks/patch-shebangs.sh
../../build-support/setup-hooks/audit-tmpdir.sh
../../build-support/setup-hooks/multiple-outputs.sh ../../build-support/setup-hooks/multiple-outputs.sh
../../build-support/setup-hooks/move-sbin.sh ../../build-support/setup-hooks/move-sbin.sh
../../build-support/setup-hooks/move-lib64.sh ../../build-support/setup-hooks/move-lib64.sh

12
pkgs/stdenv/generic/setup.sh
View File

@ -199,6 +199,18 @@ isELF() {
if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
} }
# Return success if the specified file is a script (i.e. starts with
# "#!").
isScript() {
local fn="$1"
local magic
if ! [ -x /bin/sh ]; then return 0; fi
exec {fd}< "$fn"
read -n 2 -u $fd magic
exec {fd}<&-
if [[ "$magic" =~ \#! ]]; then return 0; else return 1; fi
}
###################################################################### ######################################################################
# Initialisation. # Initialisation.