From 5e66574a128937e7f2fcf146d146225703ccfd5d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Sun, 8 Oct 2017 21:25:32 +0200
Subject: [PATCH] activation: Do not create setuid binaries in the store [security fix].
Fixes .
* gnu/build/activation.scm (activate-setuid-programs)[link-or-copy]: Remove. Use 'copy-file' instead.
---
 gnu/build/activation.scm | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 9c58370ec3..6c0d603ddf 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -353,24 +353,13 @@ (define %setuid-directory
 ;; Place where setuid programs are stored.
 "/run/setuid-programs")
-(define (link-or-copy source target)
- "Attempt to make TARGET a hard link to SOURCE; if it fails, fall back to
-copy SOURCE to TARGET."
- (catch 'system-error
- (lambda ()
- (link source target))
- (lambda args
- ;; Perhaps SOURCE and TARGET live in a different file system, so copy
- ;; SOURCE.
- (copy-file source target))))
-
 (define (activate-setuid-programs programs)
 "Turn PROGRAMS, a list of file names, into setuid programs stored under %SETUID-DIRECTORY."
 (define (make-setuid-program prog)
 (let ((target (string-append %setuid-directory "/" (basename prog))))
- (link-or-copy prog target)
+ (copy-file prog target)
 (chown target 0 0)
 (chmod target #o6555)))
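Review bot: The new `(copy-file prog target)` line in `make-setuid-program` has no comment saying why a hard link must never be used here, so the removed `link-or-copy` shortcut is easy to reintroduce as a disk-space optimisation. I would put `;; Copy, never hard-link: chown/chmod on a link changes the store item itself, leaving a setuid-root file in the store.` directly above it. The change also only prevents new setuid store items; files that earlier activations already linked and chmod'ed presumably keep mode 6555 in the store until they are audited and repaired, and nothing in this hunk does that, so the commit message or release notes should say so. `activate-setuid-programs` continues past the end of the hunk, so whether stale entries under `%setuid-directory` are cleared before the copy cannot be confirmed from here.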