[Nix-dev] Re: Bind mounts are Evil(TM)

Ludovic Courtès ludo at gnu.org
Wed Oct 8 15:39:24 CEST 2008


Hi,

Eelco Dolstra <e.dolstra at tudelft.nl> writes:

>     if (useChroot) {
> #if CHROOT_ENABLED
>         /* Create a temporary directory in which we set up the chroot
>            environment using bind-mounts.
>
>            !!! Big danger here: since we're doing this in /tmp, there
>            is a risk that the admin does something like "rm -rf
>            /tmp/chroot-nix-*" to clean up aborted builds, and if some
>            of the bind-mounts are still active, then "rm -rf" will
>            happily recurse into those mount points (thereby deleting,
>            say, /nix/store).  Ideally, chrootRootDir should be created in
>            some special location (maybe in /nix/var/nix) where Nix
>            takes care of unmounting / deleting old chroots
>            automatically. */
>         chrootRootDir = createTempDir("", "chroot-nix");
>
> ...
>
> So we really should create the bind mount somewhere else...

That'd be an improvement, because most people expect to be able to
fiddle with /tmp.

> Not that that really fixes the problem - somebody might still "clean
> up" whatever directory we use.  The only real solution would be
> per-process bind mounts, which would cause the bind mount to disappear
> automatically when the Nix process exits (and they wouldn't be visible
> for other processes, so you wouldn't be able to rm -rf them).  (I
> think this is in the pipeline for the Linux kernel.)

Right.

Or, can't the process that mkdir'd the chroot unlink it right after so
that it's no longer visible in the file system?  (Maybe that's what you
mean by "per-process".)

Michael Raskin <7c6f434c at mail.ru> writes:

> Are we ready to (optionally) do "chattr +i" on successful builds? That
> would also help.. Because doing _anything_ with +i file is really hard.

It's a bit ext[234]-specific, right?

Thanks,
Ludo'.
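
As an added example (not code from this thread or from Nix), a check a cleanup script could run before removing a chroot directory: it parses /proc/self/mountinfo and lists the mount points at or below that directory, deepest first, so they can be unmounted first or the removal refused. The mountinfo text below is constructed, not captured from a real host.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of /proc/self/mountinfo (not captured from a real host);
# the kernel octal-escapes spaces in paths as \040.
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
36 22 8:1 /nix/store /tmp/chroot-nix-a1b2c3/nix/store ro,relatime - ext4 /dev/sda1 rw
37 22 0:5 / /tmp/chroot-nix-a1b2c3/dev rw,nosuid - devtmpfs udev rw
38 22 8:1 /tmp/my\\040build /tmp/chroot-nix-a1b2c3/build rw,relatime - ext4 /dev/sda1 rw
39 22 8:1 /home /tmp/chroot-nix-ffffff/home rw,relatime - ext4 /dev/sda1 rw
"""

def _unescape(field: str) -> str:
    """Undo mountinfo's \\ooo octal escaping of space, tab, newline, backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text: str) -> list[dict]:
    """Parse mountinfo lines; optional fields before ' - ' are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")
        hf, tf = head.split(), tail.split()
        entries.append({"id": int(hf[0]), "parent": int(hf[1]),
                        "root": _unescape(hf[3]), "mountpoint": _unescape(hf[4]),
                        "fstype": tf[0], "source": _unescape(tf[1])})
    return entries

def mounts_under(text: str, root: str) -> list[str]:
    """Mount points at or below `root`, deepest first (the order to unmount)."""
    root_p = PurePosixPath(root)
    hits = [e["mountpoint"] for e in parse_mountinfo(text)
            if PurePosixPath(e["mountpoint"]).is_relative_to(root_p)]
    # Path-component comparison avoids matching /tmp/chroot-nix-a1 against -a1b2.
    return sorted(hits, key=lambda p: len(PurePosixPath(p).parts), reverse=True)

def safe_to_remove(text: str, root: str) -> bool:
    """True only when nothing is mounted at or below `root`."""
    return not mounts_under(text, root)

def check_live(root: str) -> list[str]:
    """Same check against this process's real mount table."""
    with open("/proc/self/mountinfo") as f:
        return mounts_under(f.read(), root)

if __name__ == "__main__":
    chroot = "/tmp/chroot-nix-a1b2c3"
    for mp in mounts_under(SAMPLE_MOUNTINFO, chroot):
        print("still mounted, unmount before rm -rf:", mp)
    print("safe to remove:", safe_to_remove(SAMPLE_MOUNTINFO, chroot))
```

Because the comparison is by path component, a mount under a similarly named sibling such as /tmp/chroot-nix-ffffff is not reported for /tmp/chroot-nix-a1b2c3.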