From d0bb6f73bfeaf5b74b4146a86e1470976b9a4d80 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 15 Jun 2016 12:47:16 +0200
Subject: [PATCH] buildserver: /vagrant/cache writeable only by root

Prevent build processes from modifying the cache, it is only needed during provisioning anyway. A malicious build could still use sudo to change the cache, but this is more to prevent mistaken modifications.
---
 makebuildserver | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/makebuildserver b/makebuildserver
index d44e559d..0f5cb86e 100755
--- a/makebuildserver
+++ b/makebuildserver
@@ -363,7 +363,8 @@ if 'aptproxy' in config and config['aptproxy']:
 # does not need a custom mount
 if cachedir != 'buildserver/cache':
 vagrantfile += """
- config.vm.synced_folder '{0}', '/vagrant/cache'
+ config.vm.synced_folder '{0}', '/vagrant/cache',
+ owner: 'root', group: 'root', create: true
 """.format(cachedir)

 # cache .deb packages on the host via a mount trick
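Review bot: The root ownership is applied only inside the `if cachedir != 'buildserver/cache':` branch, so with the default cache directory — which, judging by the "does not need a custom mount" comment, is presumably reached through the standard `/vagrant` share — the cache keeps whatever ownership that share gives it and the protection described in the commit message depends on how `cachedir` is configured. The new mount also pins owner and group but not the mode; unless `mount_options` sets `dmode`/`fmode` explicitly, whether the unprivileged build user can still write there depends on the provider's default permissions for the shared folder, which is worth verifying or making explicit. A short comment above the added lines, `# owned by root so builds cannot alter provisioning inputs; mode is left to provider defaults — verify`, would record both the intent and the caveat for the next maintainer. The enclosing `if` block and the function around it begin outside the hunk.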