author | Shea Levy <shea@shealevy.com> | 2016-08-31 08:00:57 -0400 |
---|---|---|
committer | Shea Levy <shea@shealevy.com> | 2016-08-31 08:00:57 -0400 |
commit | ee535056ce01514854cdd1c2d56faad84ae347af (patch) | |
tree | 38a338d46f43887f4c3581b2a887d72a68722f05 | |
parent | 4309d99b706b752358f0ba531ab5ff317ed857c9 (diff) | |
download | nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar.gz nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar.bz2 nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar.lz nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar.xz nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.tar.zst nixlib-ee535056ce01514854cdd1c2d56faad84ae347af.zip |
setuid-wrappers: Update wrapper dir atomically.
Fixes #18124.
-rw-r--r-- | nixos/modules/security/setuid-wrappers.nix | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 99dd514feea3..162b3a2cec7d 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -102,11 +102,11 @@ in
           source=/nix/var/nix/profiles/default/bin/${program}
         fi
-        cp ${setuidWrapper}/bin/setuid-wrapper ${wrapperDir}/${program}
-        echo -n "$source" > ${wrapperDir}/${program}.real
-        chmod 0000 ${wrapperDir}/${program} # to prevent races
-        chown ${owner}.${group} ${wrapperDir}/${program}
-        chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" ${wrapperDir}/${program}
+        cp ${setuidWrapper}/bin/setuid-wrapper $wrapperDir/${program}
+        echo -n "$source" > $wrapperDir/${program}.real
+        chmod 0000 $wrapperDir/${program} # to prevent races
+        chown ${owner}.${group} $wrapperDir/${program}
+        chmod "u${if setuid then "+" else "-"}s,g${if setgid then "+" else "-"}s,${permissions}" $wrapperDir/${program}
       '';
   in stringAfter [ "users" ]
@@ -115,9 +115,23 @@ in
       # programs to be wrapped.
       SETUID_PATH=${config.system.path}/bin:${config.system.path}/sbin
-      rm -f ${wrapperDir}/* # */
+      mkdir -p /run/setuid-wrapper-dirs
+      wrapperDir=$(mktemp --directory --tmpdir=/run/setuid-wrapper-dirs setuid-wrappers.XXXXXXXXXX)
       ${concatMapStrings makeSetuidWrapper setuidPrograms}
+
+      if [ -d ${wrapperDir} ]; then
+        mv --no-target-directory ${wrapperDir} ${wrapperDir}-old
+        ln --symbolic $wrapperDir ${wrapperDir}
+        rm --force --recursive ${wrapperDir}-old
+      elif [ -L ${wrapperDir} ]; then
+        ln --symbolic --force --no-dereference $wrapperDir ${wrapperDir}-tmp
+        old=$(readlink ${wrapperDir})
+        mv --no-target-directory ${wrapperDir}-tmp ${wrapperDir}
+        rm --force --recursive $old
+      else
+        ln --symbolic $wrapperDir ${wrapperDir}
+      fi
     '';
   };
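Review bot: The directory created by `mktemp --directory` in the second hunk gets mode 0700, so unprivileged users cannot traverse it and every wrapper reached through the `${wrapperDir}` symlink becomes unusable for them even though each wrapper file still receives its own `chmod` in makeSetuidWrapper; add `chmod a+rx "$wrapperDir"` directly after the mktemp line. In the `[ -d ${wrapperDir} ]` branch the `mv` to `${wrapperDir}-old` runs before the `ln --symbolic`, so the one-time migration from a plain directory leaves a short window in which `${wrapperDir}` does not exist, which is probably acceptable but deserves a comment such as `# first switch from a real directory to a symlink is not atomic`. The expansions `$wrapperDir` and `$old` are unquoted throughout both hunks; the mktemp name contains no whitespace, but writing them as `"$wrapperDir"` and `"$old"` keeps the `rm --force --recursive` argument unambiguous if the layout ever changes. The enclosing activation script starts and ends outside the hunk.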