diff --git a/src/go/plugin/go.d/pkg/pathvalidate/validate_unix.go b/src/go/plugin/go.d/pkg/pathvalidate/validate_unix.go
index fae97e7be..153999fa3 100644
--- a/src/go/plugin/go.d/pkg/pathvalidate/validate_unix.go
+++ b/src/go/plugin/go.d/pkg/pathvalidate/validate_unix.go
@@ -8,6 +8,7 @@ import (
"fmt"
"os"
"path/filepath"
+ "strings"
"syscall"
)
@@ -42,13 +43,15 @@ func ValidateBinaryPath(path string) (string, error) {
if !ok {
return "", fmt.Errorf("unable to get file stat information for %s", absPath)
}
- if fileStat.Uid != 0 {
- return "", fmt.Errorf("binary at %s must be owned by root (current uid: %d)", absPath, fileStat.Uid)
- }
+ if !strings.HasPrefix(absPath, "/nix/store/") {
+ if fileStat.Uid != 0 {
+ return "", fmt.Errorf("binary at %s must be owned by root (current uid: %d)", absPath, fileStat.Uid)
+ }
- if perm := fileInfo.Mode().Perm(); perm&0022 != 0 {
- return "", fmt.Errorf("binary at %s must not be writable by group/others (current permissions: %s / %04o)",
- absPath, fileInfo.Mode().String(), perm)
+ if perm := fileInfo.Mode().Perm(); perm&0022 != 0 {
+ return "", fmt.Errorf("binary at %s must not be writable by group/others (current permissions: %s / %04o)",
+ absPath, fileInfo.Mode().String(), perm)
+ }
}
// Step 6: Check executable bit
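Review bot: The new `/nix/store/` exemption in ValidateBinaryPath skips the group/other write-bit check as well as the root-ownership check, so a binary under that prefix is accepted with any owner and any mode. If the motivation is only that store files may not be owned by uid 0, the narrower change is to gate just the uid test, `if !strings.HasPrefix(absPath, "/nix/store/") && fileStat.Uid != 0 {`, and leave the `perm&0022` check unconditional. Whether `absPath` has had symlinks resolved before this point is not visible in the hunk, and the prefix test is only meaningful on a resolved path. A one-line comment explaining why store paths are exempt would help the next reader; the function body continues outside the hunk.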
@@ -67,13 +70,15 @@ func ValidateBinaryPath(path string) (string, error) {
if !ok {
return "", fmt.Errorf("unable to get directory stat information for %s", dir)
}
- if dirStat.Uid != 0 {
- return "", fmt.Errorf("directory %s must be owned by root (current uid: %d)", dir, dirStat.Uid)
- }
+ if !strings.HasPrefix(dir, "/nix/store") {
+ if dirStat.Uid != 0 {
+ return "", fmt.Errorf("directory %s must be owned by root (current uid: %d)", dir, dirStat.Uid)
+ }
- if perm := dirInfo.Mode().Perm(); perm&0022 != 0 {
- return "", fmt.Errorf("directory %s must not be writable by group/others (current permissions: %s / %04o)",
- dir, dirInfo.Mode().String(), perm)
+ if perm := dirInfo.Mode().Perm(); perm&0022 != 0 {
+ return "", fmt.Errorf("directory %s must not be writable by group/others (current permissions: %s / %04o)",
+ dir, dirInfo.Mode().String(), perm)
+ }
}
if dir == filepath.Dir(dir) {
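Review bot: The directory exemption matches `"/nix/store"` without a trailing slash, unlike the binary check earlier in the function, so sibling directories that merely share the prefix (constructed examples: `/nix/store-extra`, `/nix/store2`) also bypass the ownership and write-bit checks. Matching the store root exactly plus its children closes that gap: `if dir != "/nix/store" && !strings.HasPrefix(dir, "/nix/store/") {`. The hard-coded prefix appears twice, so a single package-level constant would keep the two checks from drifting apart. The enclosing loop starts and ends outside the hunk.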