daemon: Restore post-canonicalization permissions after moving.

At this point the value of 'st.st_mode' is from before canonicalization, so restoring to that will undo the permissions aspect of the canonicalization for a top-level directory store item. Fixes #1104, introduced in ae18b3d9e6 (ae18b3d9e6). * nix/libstore/build.cc (DerivationGoal::registerOutputs): update 'st' with post-canonicalization permissions before making actualPath temporarily-writable. * tests/store.scm ("build outputs aren't writable"): new test. Change-Id: I5e5eaa79fa6b7f81e1d12fd285883c762a22ce5a Signed-off-by: Ludovic Courtès <ludo@gnu.org>
2025-10-01 18:05:17 +00:00 · 2025-09-05 01:59:12 -05:00 · 2025-09-05 01:59:12 -05:00 · c87a9b855e
commit c87a9b855e
parent d042111c9e
2 changed files with 17 additions and 2 deletions
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@ -3139,10 +3139,14 @@ void DerivationGoal::registerOutputs()
              replaceValidPath(path, actualPath);
            else
 		if (buildMode != bmCheck) {
-		    if (S_ISDIR(st.st_mode))
+		    if (S_ISDIR(st.st_mode)) {
+                        if (lstat(actualPath.c_str(), &st) == -1)
+                            throw SysError(format("getting canonicalized permissions of directory `%1%'") % actualPath);
 			/* Change mode on the directory to allow for
 			   rename(2).  */
-			chmod(actualPath.c_str(), st.st_mode | 0700);
+			if (chmod(actualPath.c_str(), st.st_mode | 0700) == -1)
+                            throw SysError(format("making `%1%' writable for move from chroot to store") % actualPath);
+                    }
 		    if (rename(actualPath.c_str(), path.c_str()) == -1)
 			throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
 		    if (S_ISDIR(st.st_mode) && chmod(path.c_str(), st.st_mode) == -1)
--- a/tests/store.scm
+++ b/tests/store.scm
@ -417,6 +417,17 @@
                     get-string-all)
                   a))))

+;; https://codeberg.org/guix/guix/issues/1104
+(test-equal "build outputs aren't writable"
+  #o555
+  (let ((drv (build-expression->derivation %store "writable-output"
+                                           `(begin
+                                              ,(random-text)
+                                              (mkdir %output)
+                                              (chmod %output #o755)))))
+    (build-derivations %store (list drv))
+    (stat:perms (stat (derivation->output-path drv "out")))))
+
 (unless (unprivileged-user-namespace-supported?)
  (test-skip 1))
 (test-equal "isolated environment"