From: Daan De Meyer Date: Thu, 21 Mar 2024 11:13:05 +0000 (+0100) Subject: Explicitly set mode of workspace to 700 X-Git-Tag: v23~68^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76875f5b300a9d1dc48a730369fd7e7170e8a808;p=thirdparty%2Fmkosi.git Explicitly set mode of workspace to 700 If the sticky bit is set on the parent directory of the workspace, it's inherited by the workspace directory and then inherited by the image root directory and infects the entire image. Let's make sure it is not set on the workspace directory to avoid leaking host specific details into the image.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index bd9017600..faefef5eb 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3346,6 +3346,7 @@ def normalize_mtime(root: Path, mtime: Optional[int], directory: Optional[Path]
 def setup_workspace(args: Args, config: Config) -> Iterator[Path]:
     with contextlib.ExitStack() as stack:
         workspace = Path(tempfile.mkdtemp(dir=config.workspace_dir_or_default(), prefix="mkosi-workspace"))
+        os.chmod(workspace, 0o700)
         stack.callback(lambda: rmtree(workspace, tools=config.tools(), sandbox=config.sandbox))
         (workspace / "tmp").mkdir(mode=0o1777)
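Review bot: The added `os.chmod(workspace, 0o700)` carries none of the rationale from the commit message, and a reader will wonder why it is needed when `tempfile.mkdtemp` already creates the directory with mode 0o700 (subject to the umask); add a comment above it, e.g. `# Reset the mode explicitly so that bits inherited from the parent directory (e.g. the sticky bit) do not propagate into the image root, independent of the umask.` Since `workspace` is already a `Path`, `workspace.chmod(0o700)` would also match the pathlib style of the `mkdir(mode=0o1777)` call two lines below. The body of setup_workspace continues outside the hunk.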