Hi Reepca,

Reepca Russelstein writes:

> Ludovic Courtès writes:
>
>>> While ensuring that what actually gets execve'd is in the store suffices
>>> to eliminate the vulnerability, it may be "conceptually purer" to
>>> require that the links pointing to it are all in the store as well. For
>>> example, while a builder that is a symlink pointing to /proc/self/exe
>>> wouldn't be able to modify the daemon binary, it's still a piece of
>>> basically "undefined behavior" as far as the build environment is
>>> concerned, which could be closed up. But that can come later just as
>>> well.
>>
>> Yes. But in practice, “normal” symlinks (i.e., not /proc/self/exe) will
>> lead ‘canonPath’ to throw if one component is outside the store, since
>> ‘canonPath’ operates within the chroot.
>
> Unless the component actually exists and is outside of the store. If we
> just rely on canonPath throwing an exception to be safe, then if there
> ever arose a situation where a non-symlink executable existed outside of
> the store, it would still be possible to convince the daemon to execute
> it.

[...]

> I mention this because I see that patch 07/16 of v7 has left out the
> isInStore check, and I think it should remain.

Hmm right (I was very much assuming that /proc/self/exe was the only
non-store executable, but better be safe than sorry). Re-adding this:
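The following is an added illustration of the two checks debated above; it is not the patch this message goes on to re-add, nor the daemon's own ‘canonPath’/‘isInStore’ code. It builds a throwaway directory standing in for the build chroot (constructed sample data), canonicalizes a builder path component by component *inside* that root the way the thread describes ‘canonPath’ behaving, and then applies the separate in-store check. The point it makes concrete is Reepca's: a symlink whose target does not exist in the chroot fails at canonicalization, but a symlink to an executable that *does* exist outside the store canonicalizes fine and is only caught by the explicit in-store check. A `strict` flag models the "conceptually purer" variant in which every symlink followed must itself be in the store. The store prefix `/gnu/store`, the file names, and the function names are assumptions made for the example.

```python
import os
import stat
import tempfile

# Store prefix as seen from inside the chroot (assumption: Guix default).
STORE = "/gnu/store"


def canon_path(vpath, root, max_links=64):
    """Resolve VPATH, an absolute path as seen from inside the chroot whose
    host directory is ROOT, following symlinks component by component.
    As in the thread's description of canonPath, a component that does not
    exist inside the chroot raises OSError.  Returns (resolved virtual path,
    list of symlinks followed, as virtual paths)."""
    if not vpath.startswith("/"):
        raise ValueError("builder path must be absolute: %r" % vpath)
    resolved = []
    todo = [c for c in vpath.split("/") if c and c != "."]
    followed = []
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            if resolved:
                resolved.pop()
            continue
        virt = "/" + "/".join(resolved + [comp])
        host = os.path.join(root, virt.lstrip("/"))
        st = os.lstat(host)            # FileNotFoundError if absent in chroot
        if stat.S_ISLNK(st.st_mode):
            followed.append(virt)
            if len(followed) > max_links:
                raise OSError("too many levels of symbolic links: %r" % vpath)
            target = os.readlink(host)
            if target.startswith("/"):
                resolved = []          # absolute target restarts at chroot root
            todo = [c for c in target.split("/") if c and c != "."] + todo
        else:
            resolved.append(comp)
    return "/" + "/".join(resolved), followed


def is_in_store(vpath, store=STORE):
    """The explicit in-store check: prefix match on the store directory."""
    return vpath == store or vpath.startswith(store + "/")


def check_builder(vpath, root, strict=False):
    """Return 'ok' or the reason a builder path is rejected."""
    try:
        canon, links = canon_path(vpath, root)
    except OSError:
        return "canon-error"           # dangling / loop: canonicalization threw
    if not is_in_store(canon):
        return "not-in-store"          # what would be execve'd is outside the store
    if strict and not all(is_in_store(link) for link in links):
        return "link-outside-store"    # stricter variant: every hop must be in store
    return "ok"


def run_demo():
    """Construct a fake chroot (sample data, not a real build environment)
    and return {name: (lenient verdict, strict verdict)} for each builder."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        def host(v):
            return os.path.join(root, v.lstrip("/"))
        os.makedirs(host(STORE))
        os.makedirs(host("/bin"))
        # One executable in the store, one existing executable outside it.
        for path in (host(STORE + "/aaa-builder"), host("/bin/outside")):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, 0o755)
        os.symlink(STORE + "/aaa-builder", host(STORE + "/bbb-link"))   # in-store link
        os.symlink("/etc/passwd", host(STORE + "/ccc-dangling"))        # absent in chroot
        os.symlink("/bin/outside", host(STORE + "/ddd-abs"))            # exists, non-store
        os.symlink("../../bin/outside", host(STORE + "/eee-rel"))       # same, relative
        os.symlink(STORE + "/aaa-builder", host("/bin/hop"))            # non-store hop
        os.symlink("/bin/hop", host(STORE + "/fff-via-bin"))            # ends in store
        for name in ("aaa-builder", "bbb-link", "ccc-dangling",
                     "ddd-abs", "eee-rel", "fff-via-bin"):
            vpath = STORE + "/" + name
            results[name] = (check_builder(vpath, root),
                             check_builder(vpath, root, strict=True))
    return results


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print("%-14s lenient=%-18s strict=%s" % (name, verdicts[0], verdicts[1]))
```

`ddd-abs` and `eee-rel` are the case the message worries about: canonicalization succeeds because `/bin/outside` exists in the chroot, so only the in-store check on the resolved path rejects them. `fff-via-bin` resolves to a store file and passes the lenient check but fails the strict one, which is the difference between "what gets execve'd is in the store" and "all links pointing to it are in the store".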