[Backport release-24.05] guix: backport build user takeover commits (#…

…351910)

pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch

@@ -0,0 +1,42 @@
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index c5383bc..50d1abc 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
+         Path actualPath = path;
+         if (useChroot) {
+             actualPath = chrootRootDir + path;
+-            if (pathExists(actualPath)) {
+-                /* Move output paths from the chroot to the store. */
+-                if (buildMode == bmRepair)
+-                    replaceValidPath(path, actualPath);
+-                else
+-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+-            }
+-            if (buildMode != bmCheck) actualPath = path;
+         } else {
+             Path redirected = redirectedOutputs[path];
+             if (buildMode == bmRepair
+@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
+                something like that. */
+             canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
+
++            if (useChroot) {
++                if (pathExists(actualPath)) {
++                    /* Now that output paths have been canonicalized (in particular
++                    there are no setuid files left), move them outside of the
++                    chroot and to the store. */
++                    if (buildMode == bmRepair)
++                        replaceValidPath(path, actualPath);
++                    else
++                        if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
++                            throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
++                }
++                if (buildMode != bmCheck) actualPath = path;
++            }
++
++
+             /* FIXME: this is in-memory. */
+             StringSink sink;
+             dumpPath(actualPath, sink);

pkgs/by-name/gu/guix/package.nix

@@ -1,38 +1,39 @@
-{ lib
-, stdenv
-, fetchurl
-, fetchpatch
-, autoreconfHook
-, disarchive
-, git
-, glibcLocales
-, guile
-, guile-avahi
-, guile-gcrypt
-, guile-git
-, guile-gnutls
-, guile-json
-, guile-lib
-, guile-lzlib
-, guile-lzma
-, guile-semver
-, guile-ssh
-, guile-sqlite3
-, guile-zlib
-, guile-zstd
-, help2man
-, makeWrapper
-, pkg-config
-, po4a
-, scheme-bytestructures
-, texinfo
-, bzip2
-, libgcrypt
-, sqlite
+{
+  lib,
+  stdenv,
+  fetchurl,
+  fetchpatch,
+  autoreconfHook,
+  disarchive,
+  git,
+  glibcLocales,
+  guile,
+  guile-avahi,
+  guile-gcrypt,
+  guile-git,
+  guile-gnutls,
+  guile-json,
+  guile-lib,
+  guile-lzlib,
+  guile-lzma,
+  guile-semver,
+  guile-ssh,
+  guile-sqlite3,
+  guile-zlib,
+  guile-zstd,
+  help2man,
+  makeWrapper,
+  pkg-config,
+  po4a,
+  scheme-bytestructures,
+  texinfo,
+  bzip2,
+  libgcrypt,
+  sqlite,
 
-, stateDir ? "/var"
-, storeDir ? "/gnu/store"
-, confDir ? "/etc"
+  stateDir ? "/var",
+  storeDir ? "/gnu/store",
+  confDir ? "/etc",
 }:
 
 stdenv.mkDerivation rec {
@@ -55,6 +56,9 @@ stdenv.mkDerivation rec {
       url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
       hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
     })
+    # manual port of build user takeover remediation commit
+    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
+    ./guix-build-user-takeover-fix.patch
   ];
 
   postPatch = ''
@@ -151,7 +155,10 @@ stdenv.mkDerivation rec {
     homepage = "http://www.gnu.org/software/guix";
     license = licenses.gpl3Plus;
     mainProgram = "guix";
-    maintainers = with maintainers; [ cafkafk foo-dogsquared ];
+    maintainers = with maintainers; [
+      cafkafk
+      foo-dogsquared
+    ];
     platforms = platforms.linux;
   };
 }