GNU bug report logs - #77642
[PATCH] daemon: Do not make chroot root directory read-only.

Package: guix-patches

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Apr 2025 13:31:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludovic.courtes <at> inria.fr>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludovic.courtes <at> inria.fr>
To: Reepca Russelstein <reepca <at> russelstein.xyz>
Cc: keinflue <at> posteo.net, adanskana <at> gmail.com, 77642 <at> debbugs.gnu.org
Subject: [bug#77642] [PATCH] daemon: Do not make chroot root directory read-only.
Date: Thu, 10 Apr 2025 09:55:46 +0200

Hi,

Reepca Russelstein <reepca <at> russelstein.xyz> wrote:

>> +	    /* Make the root read-only.
>> +
>> +	       The build process could make it world-accessible, but that's
>
> Strictly speaking, in the case of --build-users-group, it couldn't even
> do that.

True.

>> +	       OK: since 'chrootRootTop' is *not* world-accessible, a
>> +	       world-accessible 'chrootRootDir' cannot be used to grant access
>> +	       to the store to external processes.
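Review bot: the safety argument in this comment ("since 'chrootRootTop' is *not* world-accessible") depends on a mode that is not set in the visible lines; name in the comment where 'chrootRootTop' gets that mode, so a later change to it is recognised as security-relevant. The comment also opens with "Make the root read-only" while the subject reads "Do not make chroot root directory read-only"; if that opening describes the behaviour being removed, reword it to match.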
>
> It may be more general to write "grant access to the build environment",
> unless you're using this as a shorthand for "grant access to the build
> environment, and thereby a setuid binary, and thereby (in some
> configurations) the store".

Yes, but I’ll change it as you suggest.

> Looks good to me, hopefully there aren't any major packages further down
> the line that rely on chmod("/", ...) failing.

Crossing fingers…

Ludo’.
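
The permission argument in the quoted comment, as an added example that is not part of this message or of the Guix daemon's code: a world-accessible directory cannot be entered by other users when its parent lacks search permission for them. The function names and the `/tmp` layout are assumptions; `top` and `root` stand in for 'chrootRootTop' and 'chrootRootDir', and only mode bits are checked (no ACLs).

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, lstat */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Can a process that is neither owner nor group member ("other") enter
   BASE/REL?  It needs search permission (o+x) on every directory below
   BASE, the last one included.  1 = reachable, 0 = blocked, -1 = error. */
int other_can_reach(const char *base, const char *rel)
{
    char path[PATH_MAX], parts[PATH_MAX];
    struct stat st;
    if (strlen(base) >= sizeof path || strlen(rel) >= sizeof parts) return -1;
    strcpy(path, base); strcpy(parts, rel);
    for (char *c = strtok(parts, "/"); c != NULL; c = strtok(NULL, "/")) {
        if (strlen(path) + strlen(c) + 2 > sizeof path) return -1;
        strcat(strcat(path, "/"), c);
        if (lstat(path, &st) == -1 || !S_ISDIR(st.st_mode)) return -1;
        if (!(st.st_mode & S_IXOTH)) return 0;   /* traversal stops here */
    }
    return 1;
}

/* Build a constructed layout TMP/top/root with the given modes (hypothetical
   stand-ins for 'chrootRootTop' and 'chrootRootDir') and audit it. */
int audit_layout(mode_t top_mode, mode_t root_mode)
{
    char base[] = "/tmp/chroot-audit-XXXXXX", top[PATH_MAX], root[PATH_MAX];
    int result = -1;
    if (mkdtemp(base) == NULL) return -1;
    snprintf(top, sizeof top, "%s/top", base);
    snprintf(root, sizeof root, "%s/top/root", base);
    /* chmod after mkdir so the umask cannot alter the requested modes. */
    if (mkdir(top, 0700) == 0 && mkdir(root, 0700) == 0
        && chmod(root, root_mode) == 0 && chmod(top, top_mode) == 0)
        result = other_can_reach(base, "top/root");
    rmdir(root); rmdir(top); rmdir(base);
    return result;
}

int main(void)
{
    printf("top 0700, root 0777: %d\n", audit_layout(0700, 0777));
    printf("top 0755, root 0777: %d\n", audit_layout(0755, 0777));
    return 0;
}
```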

